starlingx/kernel
Code Issues Proposed changes

Debian: add init version for kernel-std/rt-signed

Browse Source 
kernel-std-signed is used to create the signed kernel package
(linux-image-5.10.0-6-amd64) and 2 common packages
(linux-image-amd64 and linux-headers-amd64) without the abi version
in package name.

The process of building kernel-std-signed is as below
(following debian):

(1) Build kernel-std.
When we build kernel-std, linux-image-amd64-signed-template package
is created. It contains both a debian folder for building
kernel-std-signed later and the information of files which maybe need
signatures in the unsigned kernel package
linux-image-5.10.0-6-amd64-unsigned.

(2) Run script to sign kernel image file.
This script can be customized according to different requests.
e.g. I use the script debian-test-sign from debian
(https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/
scripts/debian-test-sign) and adjust it according to our needs.
This script's input is the output files of building kernel-std:
linux_*_amd64.changes;
linux-image-amd64-signed-template_*_amd64.deb;
linux-image-5.10.0-6-amd64-unsigned_*_amd64.deb.
This script's output is 2 files put at kernel-std's output path
(/localdisk/loadbuild/*/stx/std/kernel-std):
linux-signed-amd64_*.dsc;
linux-signed-amd64_*.tar.xz.
The 2nd file contains a debian folder for building kernel-std-signed
and the signature for kernel image file.

(3) Build kernel-std-signed
Get the debian folder from linux-signed-amd64_*.tar.xz and build
3 pkgs:
linux-image-5.10.0-6-amd64;
linux-image-amd64;
linux-headers-amd64.
linux-image-5.10.0-6-amd64's difference with
linux-image-5.10.0-6-amd64-unsigned is that it contains kernel
image's signature.

Please pay attention to what has been changed vs. debian
in this process:

(1) Because we don't follow the debian secure boot process and follow
LAT(wrlinux) secure boot process, I need to adjust the script
debian-test-sign to do the signing and also need to adjust the debian
folder for building kernel-std-signed.
Their differences are:
LAT uses gpg and debian uses sbsign for signing kernel image;
LAT puts vmlinuz image at a different path from debian package.
Path of kernel image (vmlinuz-5.10.0-6-amd64) in signed kernel
package is /boot/, while LAT puts it at /boot/X/vmlinuz
("X" is variable and can be found in the BOOT_IMAGE setting
in /proc/cmdline).
Need to copy the kernel image and its sig file to the path that LAT uses
after installing signed kernel package (linux-image-5.10.0-6-amd64).
Extra lines are added in the pkg's postinst script for this.

(2) Another change is that we need not care about signing modules
here because we have signed them when building kernel-std and oot
kernel-modules.

kernel-rt-signed has a similar set of above things.

Test plan:
 - PASS: Build kernel-std and its oot kernel-modules;
         Run script to sign kernel image file;
         Build kernel-std-signed;
         Change code to install linux-image-5.10.0-6-amd64 instead
         of linux-image-5.10.0-6-amd64-unsigned and build image.
         Boot up qemu with secure boot enabled.
         Scp newer linux-image-5.10.0-6-amd64 pkg onto qemu and use
         dpkg to install it. Reboot successfully.
 - PASS: Do above tests for kernel-rt-signed too.

Story: 2009221
Task: 45167

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3ddb99b238793204a6127c7746e14be0e8097c9a
This commit is contained in:
Li Zhou 2022-04-25 05:39:03 -04:00
parent ea564decda
commit 4f3e32ce75
10 changed files with 282 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch Normal file
View File

@ -0,0 +1,34 @@
From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Wed, 20 Apr 2022 11:29:54 +0800
Subject: [PATCH] linux-signed: adapt signing according to LAT
STX debian project's secure boot process doesn't follow DEBIAN
process and follows LAT (wrlinux) process. It use gpg to sign
kernel image instead of sbsign. So replace the sbsign in rules.real
with installing vmlinuz.sig onto rootfs. That is because DEBIAN
secure boot use the signed kernel image while LAT secure boot
use a separate sig file for gpg verification of kernel image.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/rules.real | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/debian/rules.real b/debian/rules.real
index 23df05c..f6bb8ac 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -14,8 +14,7 @@ install-signed:
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
$(PACKAGE_DIR)/boot/
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
else \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
--
2.17.1

1
kernel-signed/kernel-rt-signed/debian/deb_patches/series Normal file
View File

@ -0,0 +1 @@
0001-linux-signed-adapt-signing-according-to-LAT.patch

52
kernel-signed/kernel-rt-signed/debian/dl_hook Executable file
View File

@ -0,0 +1,52 @@
#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# The only parameter is the name of the folder where the source code
# is extracted to. Pay attention to that the extracted package should
# be put at the same path where this script is located.
# Tools needed: tar/sed
mkdir "$1"
cd "$1" || exit 1
file_debian=(../../linux-rt/linux-signed-*.tar.xz)
if [ ! -f "${file_debian}" ]
then
echo "Please create signatures first (e.g. use debian-test-sign)!"
exit 1
fi
cp "${file_debian}" ./
if ! tar xvf linux-signed-*.tar.xz;
then
echo "Tar failed to decompress the source code for this pkg!"
exit 1
fi
mv ./source-template/debian ./debian
rmdir source-template
# Add extra functions in image pkg's postinst to follow LAT secure boot
cd debian || exit 1
cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
kernel-rt-signed/debian/linux-rt-image.postinst.extra ./
# Remove the end line ( "exit 0" ) in the init script
sed -i '$d' linux-rt-image-*.postinst
cat linux-rt-image.postinst.extra >> linux-rt-image-*.postinst

47
kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra Normal file
View File

@ -0,0 +1,47 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
echo "Signed kernel package: ${change}"
# LAT will deal with below when install.
if [ "${change}" = "install" ]
then
exit 0
fi
# Update image/sig to the right path when upgrade.
cmdline=$(cat /proc/cmdline)
cmdline=${cmdline#*BOOT_IMAGE=}
boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
boot_image_path=${boot_image%/*}
if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
then
echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
exit 1
fi
if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
then
echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
exit 1
fi
echo "Updated vmlinuz and vmlinuz.sig!"
exit 0

7
kernel-signed/kernel-rt-signed/debian/meta_data.yaml Normal file
View File

@ -0,0 +1,7 @@
---
debver: 5.10.99
debname: kernel-rt-signed
dl_hook: dl_hook
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true

34
kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch Normal file
View File

@ -0,0 +1,34 @@
From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Wed, 20 Apr 2022 11:29:54 +0800
Subject: [PATCH] linux-signed: adapt signing according to LAT
STX debian project's secure boot process doesn't follow DEBIAN
process and follows LAT (wrlinux) process. It use gpg to sign
kernel image instead of sbsign. So replace the sbsign in rules.real
with installing vmlinuz.sig onto rootfs. That is because DEBIAN
secure boot use the signed kernel image while LAT secure boot
use a separate sig file for gpg verification of kernel image.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/rules.real | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/debian/rules.real b/debian/rules.real
index 23df05c..f6bb8ac 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -14,8 +14,7 @@ install-signed:
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
$(PACKAGE_DIR)/boot/
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
else \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
--
2.17.1

1
kernel-signed/kernel-std-signed/debian/deb_patches/series Normal file
View File

@ -0,0 +1 @@
0001-linux-signed-adapt-signing-according-to-LAT.patch

52
kernel-signed/kernel-std-signed/debian/dl_hook Executable file
View File

@ -0,0 +1,52 @@
#!/bin/bash
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# The only parameter is the name of the folder where the source code
# is extracted to. Pay attention to that the extracted package should
# be put at the same path where this script is located.
# Tools needed: tar/sed
mkdir "$1"
cd "$1" || exit 1
file_debian=(../../linux/linux-signed-*.tar.xz)
if [ ! -f "${file_debian}" ]
then
echo "Please create signatures first (e.g. use debian-test-sign)!"
exit 1
fi
cp "${file_debian}" ./
if ! tar xvf linux-signed-*.tar.xz;
then
echo "Tar failed to decompress the source code for this pkg!"
exit 1
fi
mv ./source-template/debian ./debian
rmdir source-template
# Add extra functions in image pkg's postinst to follow LAT secure boot
cd debian || exit 1
cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
kernel-std-signed/debian/linux-image.postinst.extra ./
# Remove the end line ( "exit 0" ) in the init script
sed -i '$d' linux-image-*.postinst
cat linux-image.postinst.extra >> linux-image-*.postinst

47
kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra Normal file
View File

@ -0,0 +1,47 @@
#
# Copyright (c) 2022 Wind River Systems, Inc.
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. The ASF licenses this
# file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
echo "Signed kernel package: ${change}"
# LAT will deal with below when install.
if [ "${change}" = "install" ]
then
exit 0
fi
# Update image/sig to the right path when upgrade.
cmdline=$(cat /proc/cmdline)
cmdline=${cmdline#*BOOT_IMAGE=}
boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
boot_image_path=${boot_image%/*}
if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
then
echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
exit 1
fi
if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
then
echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
exit 1
fi
echo "Updated vmlinuz and vmlinuz.sig!"
exit 0

7
kernel-signed/kernel-std-signed/debian/meta_data.yaml Normal file
View File

@ -0,0 +1,7 @@
---
debver: 5.10.99
debname: kernel-std-signed
dl_hook: dl_hook
revision:
dist: $STX_DIST
PKG_GITREVCOUNT: true