Debian: add init version for kernel-std/rt-signed

kernel-std-signed is used to create the signed kernel package
(linux-image-5.10.0-6-amd64) and 2 common packages
(linux-image-amd64 and linux-headers-amd64) without the abi version
in package name.

The process of building kernel-std-signed is as below
(following debian):

(1) Build kernel-std.
When we build kernel-std, linux-image-amd64-signed-template package
is created. It contains both a debian folder for building
kernel-std-signed later and the information of files which maybe need
signatures in the unsigned kernel package
linux-image-5.10.0-6-amd64-unsigned.

(2) Run script to sign kernel image file.
This script can be customized according to different requests.
e.g. I use the script debian-test-sign from debian
(https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/
scripts/debian-test-sign) and adjust it according to our needs.
This script's input is the output files of building kernel-std:
linux_*_amd64.changes;
linux-image-amd64-signed-template_*_amd64.deb;
linux-image-5.10.0-6-amd64-unsigned_*_amd64.deb.
This script's output is 2 files put at kernel-std's output path
(/localdisk/loadbuild/*/stx/std/kernel-std):
linux-signed-amd64_*.dsc;
linux-signed-amd64_*.tar.xz.
The 2nd file contains a debian folder for building kernel-std-signed
and the signature for kernel image file.

(3) Build kernel-std-signed
Get the debian folder from linux-signed-amd64_*.tar.xz and build
3 pkgs:
linux-image-5.10.0-6-amd64;
linux-image-amd64;
linux-headers-amd64.
linux-image-5.10.0-6-amd64's difference with
linux-image-5.10.0-6-amd64-unsigned is that it contains kernel
image's signature.

Please pay attention to what has been changed vs. debian
in this process:

(1) Because we don't follow the debian secure boot process and follow
LAT(wrlinux) secure boot process, I need to adjust the script
debian-test-sign to do the signing and also need to adjust the debian
folder for building kernel-std-signed.
Their differences are:
LAT uses gpg and debian uses sbsign for signing kernel image;
LAT puts vmlinuz image at a different path from debian package.
Path of kernel image (vmlinuz-5.10.0-6-amd64) in signed kernel
package is /boot/, while LAT puts it at /boot/X/vmlinuz
("X" is variable and can be found in the BOOT_IMAGE setting
in /proc/cmdline).
Need to copy the kernel image and its sig file to the path that LAT uses
after installing signed kernel package (linux-image-5.10.0-6-amd64).
Extra lines are added in the pkg's postinst script for this.

(2) Another change is that we need not care about signing modules
here because we have signed them when building kernel-std and oot
kernel-modules.

kernel-rt-signed has a similar set of above things.

Test plan:
 - PASS: Build kernel-std and its oot kernel-modules;
         Run script to sign kernel image file;
         Build kernel-std-signed;
         Change code to install linux-image-5.10.0-6-amd64 instead
         of linux-image-5.10.0-6-amd64-unsigned and build image.
         Boot up qemu with secure boot enabled.
         Scp newer linux-image-5.10.0-6-amd64 pkg onto qemu and use
         dpkg to install it. Reboot successfully.
 - PASS: Do above tests for kernel-rt-signed too.

Story: 2009221
Task: 45167

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3ddb99b238793204a6127c7746e14be0e8097c9a

kernel-signed/kernel-rt-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch

@@ -0,0 +1,34 @@
+From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Wed, 20 Apr 2022 11:29:54 +0800
+Subject: [PATCH] linux-signed: adapt signing according to LAT
+
+STX debian project's secure boot process doesn't follow DEBIAN
+process and follows LAT (wrlinux) process. It use gpg to sign
+kernel image instead of sbsign. So replace the sbsign in rules.real
+with installing vmlinuz.sig onto rootfs. That is because DEBIAN
+secure boot use the signed kernel image while LAT secure boot
+use a separate sig file for gpg verification of kernel image.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/rules.real | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/debian/rules.real b/debian/rules.real
+index 23df05c..f6bb8ac 100644
+--- a/debian/rules.real
++++ b/debian/rules.real
+@@ -14,8 +14,7 @@ install-signed:
+ 	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ 		$(PACKAGE_DIR)/boot/
+ 	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+-		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+-			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
++		dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ 	else \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+-- 
+2.17.1
+

kernel-signed/kernel-rt-signed/debian/deb_patches/series

@@ -0,0 +1 @@
+0001-linux-signed-adapt-signing-according-to-LAT.patch

kernel-signed/kernel-rt-signed/debian/dl_hook

@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# The only parameter is the name of the folder where the source code
+# is extracted to. Pay attention to that the extracted package should
+# be put at the same path where this script is located.
+# Tools needed: tar/sed
+
+mkdir "$1"
+cd "$1" || exit 1
+
+file_debian=(../../linux-rt/linux-signed-*.tar.xz)
+if [ ! -f "${file_debian}" ]
+then
+    echo "Please create signatures first (e.g. use debian-test-sign)!"
+    exit 1
+fi
+cp "${file_debian}" ./
+
+if ! tar xvf linux-signed-*.tar.xz;
+then
+    echo "Tar failed to decompress the source code for this pkg!"
+    exit 1
+fi
+
+mv ./source-template/debian ./debian
+rmdir source-template
+
+# Add extra functions in image pkg's postinst to follow LAT secure boot
+cd debian || exit 1
+cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
+kernel-rt-signed/debian/linux-rt-image.postinst.extra ./
+# Remove the end line ( "exit 0" ) in the init script
+sed -i '$d' linux-rt-image-*.postinst
+cat linux-rt-image.postinst.extra >> linux-rt-image-*.postinst

kernel-signed/kernel-rt-signed/debian/linux-rt-image.postinst.extra

@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+echo "Signed kernel package: ${change}"
+
+# LAT will deal with below when install.
+if [ "${change}" = "install" ]
+then
+    exit 0
+fi
+
+# Update image/sig to the right path when upgrade.
+cmdline=$(cat /proc/cmdline)
+cmdline=${cmdline#*BOOT_IMAGE=}
+boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
+boot_image_path=${boot_image%/*}
+
+if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
+then
+    echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
+    exit 1
+fi
+
+if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
+then
+    echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
+    exit 1
+fi
+
+echo "Updated vmlinuz and vmlinuz.sig!"
+exit 0

kernel-signed/kernel-rt-signed/debian/meta_data.yaml

@@ -0,0 +1,7 @@
+---
+debver: 5.10.99
+debname: kernel-rt-signed
+dl_hook: dl_hook
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true

kernel-signed/kernel-std-signed/debian/deb_patches/0001-linux-signed-adapt-signing-according-to-LAT.patch

@@ -0,0 +1,34 @@
+From feb5ea7b15fc7c61cd7048da309b50a0da2d6102 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Wed, 20 Apr 2022 11:29:54 +0800
+Subject: [PATCH] linux-signed: adapt signing according to LAT
+
+STX debian project's secure boot process doesn't follow DEBIAN
+process and follows LAT (wrlinux) process. It use gpg to sign
+kernel image instead of sbsign. So replace the sbsign in rules.real
+with installing vmlinuz.sig onto rootfs. That is because DEBIAN
+secure boot use the signed kernel image while LAT secure boot
+use a separate sig file for gpg verification of kernel image.
+
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ debian/rules.real | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/debian/rules.real b/debian/rules.real
+index 23df05c..f6bb8ac 100644
+--- a/debian/rules.real
++++ b/debian/rules.real
+@@ -14,8 +14,7 @@ install-signed:
+ 	rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
+ 		$(PACKAGE_DIR)/boot/
+ 	if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+-		sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+-			$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
++		dh_install $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig /boot/; \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
+ 	else \
+ 		echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
+-- 
+2.17.1
+

kernel-signed/kernel-std-signed/debian/deb_patches/series

@@ -0,0 +1 @@
+0001-linux-signed-adapt-signing-according-to-LAT.patch

kernel-signed/kernel-std-signed/debian/dl_hook

@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# The only parameter is the name of the folder where the source code
+# is extracted to. Pay attention to that the extracted package should
+# be put at the same path where this script is located.
+# Tools needed: tar/sed
+
+mkdir "$1"
+cd "$1" || exit 1
+
+file_debian=(../../linux/linux-signed-*.tar.xz)
+if [ ! -f "${file_debian}" ]
+then
+    echo "Please create signatures first (e.g. use debian-test-sign)!"
+    exit 1
+fi
+cp "${file_debian}" ./
+
+if ! tar xvf linux-signed-*.tar.xz;
+then
+    echo "Tar failed to decompress the source code for this pkg!"
+    exit 1
+fi
+
+mv ./source-template/debian ./debian
+rmdir source-template
+
+# Add extra functions in image pkg's postinst to follow LAT secure boot
+cd debian || exit 1
+cp "${MY_REPO_ROOT_DIR}"/cgcs-root/stx/kernel/kernel-signed/\
+kernel-std-signed/debian/linux-image.postinst.extra ./
+# Remove the end line ( "exit 0" ) in the init script
+sed -i '$d' linux-image-*.postinst
+cat linux-image.postinst.extra >> linux-image-*.postinst

kernel-signed/kernel-std-signed/debian/linux-image.postinst.extra

@@ -0,0 +1,47 @@
+#
+# Copyright (c) 2022 Wind River Systems, Inc.
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. The ASF licenses this
+# file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+echo "Signed kernel package: ${change}"
+
+# LAT will deal with below when install.
+if [ "${change}" = "install" ]
+then
+    exit 0
+fi
+
+# Update image/sig to the right path when upgrade.
+cmdline=$(cat /proc/cmdline)
+cmdline=${cmdline#*BOOT_IMAGE=}
+boot_image=$(echo "${cmdline}" | cut -d' ' -f 1)
+boot_image_path=${boot_image%/*}
+
+if ! cp /boot/vmlinuz-"${version}" /boot/"${boot_image}";
+then
+    echo "FAIL: cp /boot/vmlinuz-${version} /boot/${boot_image}"
+    exit 1
+fi
+
+if ! cp /boot/vmlinuz-"${version}".sig /boot/"${boot_image_path}"/vmlinuz.sig;
+then
+    echo "FAIL: cp /boot/vmlinuz-${version}.sig /boot/${boot_image_path}/vmlinuz.sig"
+    exit 1
+fi
+
+echo "Updated vmlinuz and vmlinuz.sig!"
+exit 0

kernel-signed/kernel-std-signed/debian/meta_data.yaml

@@ -0,0 +1,7 @@
+---
+debver: 5.10.99
+debname: kernel-std-signed
+dl_hook: dl_hook
+revision:
+  dist: $STX_DIST
+  PKG_GITREVCOUNT: true