update sources to Ubuntu-6.5.0-27.28
[pve-kernel.git] / debian / rules
index 32c9e9b1fbd3b3f01c46354e994b01b59079f738..271867216485b1e65a12178c8061422f51467290 100755 (executable)
@@ -21,6 +21,8 @@ PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
 PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
 PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
 PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
 LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
 KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
 
@@ -54,12 +56,18 @@ PMX_CONFIG_OPTS= \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -e CONFIG_SYSFB_SIMPLEFB \
 -e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
 -m CONFIG_VFIO_IOMMU_TYPE1 \
--m CONFIG_VFIO_VIRQFD \
+-e CONFIG_VFIO_VIRQFD \
 -m CONFIG_VFIO \
 -m CONFIG_VFIO_PCI \
 -m CONFIG_USB_XHCI_HCD \
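Review bot: Nothing in this hunk sets `CONFIG_MODULE_SIG_FORCE`, so with `-e CONFIG_MODULE_SIG` alone the kernel still accepts unsigned modules (marking itself tainted) unless lockdown is active at runtime; whether the option is set elsewhere in `PMX_CONFIG_OPTS` is not visible here. If enforcement is meant to come only from lockdown, that deserves a comment, placed above the `PMX_CONFIG_OPTS=` assignment because a `#` inside the continued lines would comment out the rest of the list: `# modules are signed with the per-build key; unsigned modules are only refused when lockdown is active`. `-e CONFIG_MODULE_SIG_FORMAT` looks redundant, as that symbol is normally selected by `CONFIG_MODULE_SIG` rather than set directly.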
@@ -87,10 +95,14 @@ PMX_CONFIG_OPTS= \
 -e CONFIG_UNWINDER_FRAME_POINTER \
 --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
--e CONFIG_PAGE_TABLE_ISOLATION
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
+-e CONFIG_PAGE_TABLE_ISOLATION \
+-e CONFIG_ARCH_HAS_CPU_FINALIZE_INIT \
+-d CONFIG_GDS_FORCE_MITIGATION \
+-d CONFIG_WQ_CPU_INTENSIVE_REPORT \
+-d UBSAN_BOUNDS \
 
 debian/control: $(wildcard debian/*.in)
        sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PMX_KERNEL_PKG).prerm
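Review bot: The list now ends with a continuation, `-d UBSAN_BOUNDS \`, so the assignment is terminated only by the blank line that follows; if that line is ever removed, the `debian/control:` rule header is absorbed into `PMX_CONFIG_OPTS`. Dropping the final backslash and spelling the symbol like its neighbours gives `-d CONFIG_UBSAN_BOUNDS`. The two disables added here also reduce hardening: `CONFIG_GDS_FORCE_MITIGATION` is the build-time equivalent of `gather_data_sampling=force`, and `UBSAN_BOUNDS` is runtime array-bounds checking. The diff gives no reason for either, so a comment above the `PMX_CONFIG_OPTS=` assignment (outside this hunk) should record why each is off and what mitigation is expected to cover it instead.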
@@ -107,6 +119,17 @@ debian/control: $(wildcard debian/*.in)
        chmod +x debian/$(PMX_HEADER_PKG).postinst
        sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
 
+       # signing-template
+       sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+       sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+       sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+       sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+       rm debian/signing-template/*.in
+       cp debian/SOURCE debian/signing-template/
+
 build: .compile_mark .tools_compile_mark .modules_compile_mark
 
 install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
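Review bot: `rm debian/signing-template/*.in` deletes the inputs that the `sed` lines above read from `debian/signing-template/`, so the recipe works only once per tree; a second run of the `debian/control` target fails on the `< debian/signing-template/control.in` redirect. The prerequisite list `$(wildcard debian/*.in)` also covers neither those templates nor `debian/changelog`, so edits to them never retrigger the rule. Dropping the `rm` is safe as far as this diff shows, because the later template copy names each file explicitly, and the header could become `debian/control: $(wildcard debian/*.in debian/signing-template/*.in) debian/changelog`. The rule header and the start of the recipe are outside this hunk.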
@@ -129,7 +152,7 @@ binary: install
 
 .config_mark:
        cd $(KERNEL_SRC); scripts/config $(PMX_CONFIG_OPTS)
-       $(MAKE) -C $(KERNEL_SRC) oldconfig
+       $(MAKE) -C $(KERNEL_SRC) olddefconfig
        # copy to allow building in parallel to kernel/module compilation without interference
        rm -rf $(KERNEL_SRC_COPY)
        cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
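Review bot: Nothing after the `olddefconfig` line checks that the security options requested through `PMX_CONFIG_OPTS` actually ended up in `.config`; `olddefconfig` resolves the configuration non-interactively and quietly leaves out a symbol whose dependencies are not met. That matters here because the signing step added later in this diff is skipped without any message when `CONFIG_MODULE_SIG=y` is absent. A check right after `olddefconfig` would turn this into a build failure, for example `grep -q '^CONFIG_MODULE_SIG=y' $(KERNEL_SRC)/.config` and `grep -q '^CONFIG_SECURITY_LOCKDOWN_LSM=y' $(KERNEL_SRC)/.config`. The `.config_mark` recipe continues past the end of this hunk.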
@@ -149,7 +172,7 @@ binary: install
        $(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
        # install zfs drivers
        install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
-       install -m 644 $(addprefix $(MODULES)/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
+       install -m 644 $(MODULES)/zfs.ko $(MODULES)/spl.ko debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
        # remove firmware
        rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware
 
@@ -168,6 +191,14 @@ endif
 
        # strip debug info
        find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+       # sign modules using ephemeral, embedded key
+       if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+               find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+                       ./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+               done; \
+               rm ./ubuntu-kernel/certs/signing_key.pem ; \
+       fi
        # finalize
        /sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
        # Autogenerate blacklist for watchdog devices (see README)
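Review bot: A `sign-file` failure in the added loop does not fail the build: the loop's status is that of the last iteration only, and the `; rm …` that follows replaces even that, so the package can ship modules without a signature. Because the loop runs after `strip --strip-debug`, this pass is presumably what gives every packaged module its final signature, and unsigned ones would be refused wherever signatures are enforced. Ending the sign-file line with `"$$f" || exit 1 ; \` and chaining the cleanup as `done && rm ./ubuntu-kernel/certs/signing_key.pem ; \` makes the recipe stop instead. The paths also hard-code `ubuntu-kernel` where the rest of the file uses `$(KERNEL_SRC)`; if the two can differ, the `grep` test reads the wrong `.config`. The enclosing recipe starts and ends outside this hunk.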
@@ -177,14 +208,30 @@ endif
        cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
        rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
        rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+       # copy signing template contents
+       rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+       mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+       cp -R debian/copyright \
+               debian/signing-template/rules \
+               debian/signing-template/control \
+               debian/signing-template/source \
+               debian/signing-template/changelog \
+               debian/signing-template/prerm \
+               debian/signing-template/postrm \
+               debian/signing-template/postinst \
+               debian/signing-template/SOURCE \
+               debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+       cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
        touch $@
 
 .tools_compile_mark: .compile_mark
-       $(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
+       $(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr NO_LIBTRACEEVENT=1 HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
        echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
        ! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibbfd'
        ! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blibcrypto'
-       $(MAKE) -C $(KERNEL_SRC)/tools/perf man
+       $(MAKE) -C $(KERNEL_SRC)/tools/perf NO_LIBTRACEEVENT=1 man
        touch $@
 
 .tools_install_mark: .tools_compile_mark
@@ -266,15 +313,8 @@ $(MODULES)/zfs.ko: .compile_mark
        cd $(MODULES)/$(ZFSDIR); ./autogen.sh
        cd $(MODULES)/$(ZFSDIR); ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
        $(MAKE) -C $(MODULES)/$(ZFSDIR)
-       cp $(MODULES)/$(ZFSDIR)/module/avl/zavl.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/nvpair/znvpair.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/unicode/zunicode.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/zcommon/zcommon.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/icp/icp.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/zfs/zfs.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/lua/zlua.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/spl/spl.ko $(MODULES)/
-       cp $(MODULES)/$(ZFSDIR)/module/zstd/zzstd.ko $(MODULES)/
+       cp $(MODULES)/$(ZFSDIR)/module/zfs.ko $(MODULES)/
+       cp $(MODULES)/$(ZFSDIR)/module/spl.ko $(MODULES)/
 
 fwlist-$(KVNAME): .compile_mark .modules_compile_mark
        debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >fwlist.tmp