From 14107dc511bc1f971d748810965bec2a197d828d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= Date: Thu, 16 Mar 2023 10:40:02 +0100 Subject: [PATCH] build: add pve-kernel-X.Y-pve-signed-template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit the signed template together with the binary package(s) containing the unsigned files form the input to our secure boot signing service. the signed template consists of - files.json (specifying which files are signed how and by which key) - packaging template used to build the signed package(s) the signing service - extracts and checks the signed-template binary package - extracts the unsigned package(s) - signs the needed files - packs up the signatures + the template contained in the signed-template package into the signed source package the signed source package can then be built in the regular fashion (in case of the kernel packages, it will copy the kernel image, modules and some helper files from the unsigned package, attach the signature created by the signing service, and re-pack the result as signed-kernel package). Signed-off-by: Fabian Grünbichler --- debian/control.in | 7 ++++ debian/rules | 29 ++++++++++++++ debian/signing-template/control.in | 25 ++++++++++++ debian/signing-template/files.json.in | 13 ++++++ debian/signing-template/rules.in | 58 +++++++++++++++++++++++++++ debian/signing-template/source/format | 1 + 6 files changed, 133 insertions(+) create mode 100644 debian/signing-template/control.in create mode 100644 debian/signing-template/files.json.in create mode 100644 debian/signing-template/rules.in create mode 100644 debian/signing-template/source/format diff --git a/debian/control.in b/debian/control.in index 3985f6a..6e252c0 100644 --- a/debian/control.in +++ b/debian/control.in 
@@ -80,6 +80,13 @@ Description: Proxmox Kernel debug image to analyze kernel crashes. This package also contains the pve-kernel modules in their unstripped version. +Package: pve-kernel-@KVNAME@-signed-template +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev +Description: Template for signed kernel package + This package is used to control code signing by the Proxmox signing + service. + Package: pve-kernel-libc-dev Section: devel Priority: optional diff --git a/debian/rules b/debian/rules index 7b7d5fb..1d64c63 100755 --- a/debian/rules +++ b/debian/rules @@ -18,6 +18,8 @@ PVE_KERNEL_PKG=pve-kernel-${KVNAME} PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym PVE_HEADER_PKG=pve-headers-${KVNAME} PVE_USR_HEADER_PKG=pve-kernel-libc-dev +PVE_KERNEL_SIGNING_TEMPLATE_PKG=pve-kernel-${KVNAME}-signed-template +PVE_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/') LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN} KERNEL_SRC_COPY=${KERNEL_SRC}_tmp 
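Review bot: The Description of the new `pve-kernel-@KVNAME@-signed-template` stanza does not say what the package contains or where, although the install step added in this commit places everything under a fixed path; a further description line such as ` It ships files.json and the debian/ source template under /usr/share/code-signing/pve-kernel-@KVNAME@-signed-template/.` would tell a reader why the package exists. `${shlibs:Depends}` looks unused for a package that, judging by the install rule, ships no ELF binaries, and the `make | build-essential | dpkg-dev` alternative is unexplained. A short `#` comment above the stanza naming what consumes the template would cover both.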
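Review bot: `PVE_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')` is simply expanded at parse time, so it relies on `DEB_VERSION` already being defined above this line (presumably by an include not visible here); if it is still empty at that point the pipeline silently yields an empty version and the changelog rewrite added at line 111 would produce a broken version line. A guard on the preceding line, `$(if $(strip $(DEB_VERSION)),,$(error DEB_VERSION must be set before PVE_KERNEL_SIGNED_VERSION))`, turns that into a loud failure. The reason for the substitution also deserves a comment, since the signed package uses the `3.0 (native)` source format added in this commit and native versions may not contain a hyphen: `# signed source is 3.0 (native): its version must not contain '-', so the revision separator becomes '+'`.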
@@ -109,6 +111,17 @@ debian/control: $(wildcard debian/*.in) # combine trusted certificates cat debian/certs/*.pem > debian/certs/combined.pem + # signing-template + sed -e '1 s/pve-kernel/pve-kernel-signed/' -e '1 s/${DEB_VERSION}/${PVE_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog + sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control + sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json + sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/signing-template/prerm + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/signing-template/postrm + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/signing-template/postinst + rm debian/signing-template/*.in + cp debian/SOURCE debian/signing-template/ + build: .compile_mark .tools_compile_mark .modules_compile_mark install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark 
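Review bot: `rm debian/signing-template/*.in` deletes the tracked template files once they have been expanded, so running the `debian/control` recipe a second time in the same checkout fails at `sed ... < debian/signing-template/control.in` with a missing input, and the worktree is left with deleted files. The `.install_mark` recipe added further down in this commit copies the generated files by name, so the `.in` files never reach the package and the `rm` line can simply be dropped. Independently, the recipe of `debian/control` now writes nine files other than `$@`; dedicated targets for the generated `debian/signing-template/*` files would make their inputs (the `.in` files and `debian/changelog`) visible to make. The `debian/control` rule header lies outside this hunk.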
@@ -187,6 +200,22 @@ endif cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build + + # copy signing template contents + rm -rf debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG} + mkdir -p debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian + cp -R debian/copyright \ + debian/signing-template/rules \ + debian/signing-template/control \ + debian/signing-template/source \ + debian/signing-template/changelog \ + debian/signing-template/prerm \ + debian/signing-template/postrm \ + debian/signing-template/postinst \ + debian/signing-template/SOURCE \ + debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian + cp debian/signing-template/files.json debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/ + touch $@ .tools_compile_mark: .compile_mark diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in new file mode 100644 index 0000000..25901bc --- /dev/null +++ b/debian/signing-template/control.in 
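Review bot: The destination `debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}` is spelled out three times in the new block (`mkdir -p`, the `cp -R` destination and the `files.json` copy), which makes a later rename easy to get wrong in one place. A variable defined next to `PVE_KERNEL_SIGNING_TEMPLATE_PKG`, e.g. `SIGNING_TEMPLATE_DIR=debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}`, would reduce the three occurrences to `${SIGNING_TEMPLATE_DIR}/source-template/debian` and `${SIGNING_TEMPLATE_DIR}/`. The `.install_mark` rule this block belongs to starts outside the hunk.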
@@ -0,0 +1,25 @@ +Source: pve-kernel-signed +Section: kernel +Priority: optional +Maintainer: Proxmox Support Team +Standards-Version: 4.2.0 +Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, pve-kernel-@KVNAME@ (= @UNSIGNED_VERSION@) +Rules-Requires-Root: no +Vcs-Git: git://git.proxmox.com/git/pve-kernel +Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git + +Package: pve-kernel-@KVNAME@-signed +Section: admin +Priority: optional +Architecture: any +Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@ +Depends: ${unsigned:Depends}, ${misc:Depends} +Recommends: ${unsigned:Recommends} +Suggests: ${unsigned:Suggests} +Breaks: ${unsigned:Breaks} +Conflicts: pve-kernel-@KVNAME@ +Replaces: pve-kernel-@KVNAME@ +Description: ${unsigned:DescriptionShort} (signed) + ${unsigned:DescriptionLong} + . + This package contains the kernel image signed by the Proxmox Secure Boot CA. diff --git a/debian/signing-template/files.json.in b/debian/signing-template/files.json.in new file mode 100644 index 0000000..6166aa7 --- /dev/null +++ b/debian/signing-template/files.json.in @@ -0,0 +1,13 @@ +{ + "packages": { + "pve-kernel-@KVNAME@": { + "trusted_certs": [], + "files": [ + { + "sig_type": "efi", + "file": "boot/vmlinuz-@KVNAME@" + } + ] + } + } +} diff --git a/debian/signing-template/rules.in b/debian/signing-template/rules.in new file mode 100644 index 0000000..1544cc1 --- /dev/null +++ b/debian/signing-template/rules.in 
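Review bot: `Architecture: any` for `pve-kernel-@KVNAME@-signed` is inconsistent with the rest of the stanza: `Provides: linux-image-@KVNAME@-amd64` hard-codes amd64, and the template package added to debian/control.in in this commit is `Architecture: amd64`. Using `Architecture: amd64` here keeps the signed package from being attempted on architectures where the `/boot/vmlinuz-@KVNAME@` that rules.in copies cannot exist. The exact `pve-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)` build dependency is what ties the copied `/boot` and `/lib/modules` contents to a single unsigned build, so it should stay an `=` pin rather than be relaxed later.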
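Review bot: `"trusted_certs": []` is left empty without explanation, and JSON offers no place for a comment. If the signing service interprets the list the way the field name suggests — the certificates the image is expected to embed as trusted, checked before a signature is issued — an empty list would leave that check without input, so the intent (not yet populated, or deliberately unchecked) is worth stating in the commit message or a README next to the template. The `files` entry limits signing to `boot/vmlinuz-@KVNAME@` with `sig_type` `efi`, which matches the single `sbattach` call in the new rules.in.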
@@ -0,0 +1,58 @@ +#!/usr/bin/make -f + +SHELL := bash -e + +export DH_OPTIONS + +include /usr/share/dpkg/architecture.mk + +KERNEL_VERSION=@KVNAME@ +IMAGE_PACKAGE_NAME=pve-kernel-$(KERNEL_VERSION) +PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed +PACKAGE_VERSION=@PKG_VERSION@ +PACKAGE_DIR=debian/$(PACKAGE_NAME) +SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME} + +build: build-arch build-indep +build-arch: +build-indep: + +clean: + dh_testdir + dh_clean + +binary: binary-arch binary-indep +binary-arch: + dh_testdir + mkdir -p $(PACKAGE_DIR)/boot + rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/ + if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \ + sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ + $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ + else \ + echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \ + false; \ + fi + mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION) + rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/ + mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/ + cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/ + dh_install + dh_installchangelogs + dh_installdocs -A debian/copyright debian/SOURCE + dh_lintian + dh_compress + dh_fixperms + dh_installdeb + # Copy most package relations and description from unsigned package + for field in Depends Suggests Recommends Breaks; do \ + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \ + done + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)" + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')" + dh_gencontrol 
-- -v$(PACKAGE_VERSION) + dh_md5sums + dh_builddeb +binary-indep: + +.PHONY: build build-arch build-indep clean binary binary-arch binary-indep diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/signing-template/source/format @@ -0,0 +1 @@ +3.0 (native)
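Review bot: In `binary-arch`, after `sbattach --attach ... $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION)` nothing checks that the detached signature actually belongs to the image just copied from `/boot`, so a stale or mismatched `.sig` in `$(SIGNATURE_DIR)` would be packaged and only fail at boot under Secure Boot. `sbsigntool` is already a build dependency, so a `sbverify --cert <signing-CA-cert.pem> $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION)` line right after the attach (certificate path to be decided; none is shipped in this commit) makes the build fail on a bad signature instead. The missing-signature branch could also name the file it expected, `$(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig`, which is easier to act on than the directory alone. Minor: `SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}` mixes `${...}` with the `$(...)` style used everywhere else in the file.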