1 #!/usr/bin/make -f
2 # -*- makefile -*-
3
4 # Uncomment this to turn on verbose mode.
5 #export DH_VERBOSE=1
6
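# TODO: check for headers not being installed
# Expanded once at parse time: with the recursive "=" flavour every reference
# to BUILD_DIR would fork a fresh `pwd` subshell.
BUILD_DIR := $(shell pwd)

include /usr/share/dpkg/default.mk
include debian/rules.d/env.mk
include debian/rules.d/$(DEB_BUILD_ARCH).mk

# translate DEB_BUILD_OPTIONS=parallel=N into -jN for the sub-makes
MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))

# changelog date, normalised to UTC; feeds the KBUILD_BUILD_VERSION_TIMESTAMP
# passed to the kernel build so the version banner does not depend on wall-clock time
CHANGELOG_DATE := $(shell dpkg-parsechangelog -SDate)
CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)

# package and path names; KVNAME, KERNEL_MAJMIN and KERNEL_SRC are not defined
# here (presumably by the rules.d files included above)
PMX_KERNEL_PKG = proxmox-kernel-$(KVNAME)
PMX_KERNEL_SERIES_PKG = proxmox-kernel-$(KERNEL_MAJMIN)
PMX_DEBUG_KERNEL_PKG = proxmox-kernel-$(KVNAME)-dbgsym
PMX_HEADER_PKG = proxmox-headers-$(KVNAME)
PMX_USR_HEADER_PKG = proxmox-kernel-libc-dev
LINUX_TOOLS_PKG = linux-tools-$(KERNEL_MAJMIN)
# scratch copy of the kernel tree used by the headers package rules
KERNEL_SRC_COPY = $(KERNEL_SRC)_tmp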
26
27 # TODO: split for archs, move to files?
# scripts/config arguments applied on top of the imported kernel config in
# .config_mark (-e enable, -d disable, -m build as module, --set-str set a
# string symbol); `make oldconfig` resolves dependencies afterwards.
# The groups below keep the original order: they are appended, not reordered.
# TODO: split for archs, move to files?

# hardware, filesystems, block layer, cpufreq governor, framebuffer
PMX_CONFIG_OPTS = \
    -m INTEL_MEI_WDT \
    -d CONFIG_SND_PCM_OSS \
    -e CONFIG_TRANSPARENT_HUGEPAGE_MADVISE \
    -d CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS \
    -m CONFIG_CEPH_FS \
    -m CONFIG_BLK_DEV_NBD \
    -m CONFIG_BLK_DEV_RBD \
    -m CONFIG_BLK_DEV_UBLK \
    -d CONFIG_SND_PCSP \
    -m CONFIG_BCACHE \
    -m CONFIG_JFS_FS \
    -m CONFIG_HFS_FS \
    -m CONFIG_HFSPLUS_FS \
    -e CIFS_SMB_DIRECT \
    -e CONFIG_SQUASHFS_DECOMP_MULTI_PERCPU \
    -e CONFIG_BRIDGE \
    -e CONFIG_BRIDGE_NETFILTER \
    -e CONFIG_BLK_DEV_SD \
    -e CONFIG_BLK_DEV_SR \
    -e CONFIG_BLK_DEV_DM \
    -m CONFIG_BLK_DEV_NVME \
    -e CONFIG_NLS_ISO8859_1 \
    -d CONFIG_INPUT_EVBUG \
    -d CONFIG_CPU_FREQ_DEFAULT_GOV_ONDEMAND \
    -d CONFIG_CPU_FREQ_DEFAULT_GOV_SCHEDUTIL \
    -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
    -e CONFIG_SYSFB_SIMPLEFB \
    -e CONFIG_DRM_SIMPLEDRM

# Module signing: all modules shipped in the kernel package (in-tree and the
# ZFS ones installed next to them) are signed in .install_mark with the key
# at certs/signing_key.pem, which the kernel build is expected to generate and
# which is deleted once signing is done ("ephemeral, embedded key").
# NOTE(review): CONFIG_MODULE_SIG_FORCE is not enabled here, so an unsigned
# module is still loadable (tainted) unless the lockdown LSM below is active
# at runtime -- confirm this is the intended policy for out-of-tree/DKMS modules.
PMX_CONFIG_OPTS += \
    -e CONFIG_MODULE_SIG \
    -e CONFIG_MODULE_SIG_ALL \
    -e CONFIG_MODULE_SIG_FORMAT \
    --set-str CONFIG_MODULE_SIG_HASH sha512 \
    --set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
    -e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
    -e CONFIG_MODULE_SIG_SHA512

# cgroups, Hyper-V guest support, VFIO passthrough, USB host controllers,
# I/O scheduler, module versioning, zstd
PMX_CONFIG_OPTS += \
    -d CONFIG_MEMCG_DISABLED \
    -e CONFIG_MEMCG_SWAP_ENABLED \
    -e CONFIG_HYPERV \
    -m CONFIG_VFIO_IOMMU_TYPE1 \
    -m CONFIG_VFIO_VIRQFD \
    -m CONFIG_VFIO \
    -m CONFIG_VFIO_PCI \
    -m CONFIG_USB_XHCI_HCD \
    -m CONFIG_USB_XHCI_PCI \
    -m CONFIG_USB_EHCI_HCD \
    -m CONFIG_USB_EHCI_PCI \
    -m CONFIG_USB_EHCI_HCD_PLATFORM \
    -m CONFIG_USB_OHCI_HCD \
    -m CONFIG_USB_OHCI_HCD_PCI \
    -m CONFIG_USB_OHCI_HCD_PLATFORM \
    -d CONFIG_USB_OHCI_HCD_SSB \
    -m CONFIG_USB_UHCI_HCD \
    -d CONFIG_USB_SL811_HCD_ISO \
    -e CONFIG_MEMCG_KMEM \
    -d CONFIG_DEFAULT_CFQ \
    -e CONFIG_DEFAULT_DEADLINE \
    -e CONFIG_MODVERSIONS \
    -e CONFIG_ZSTD_COMPRESS

# default major LSM is AppArmor (not plain DAC); tolerate BTF mismatches
# so out-of-tree modules built against these headers still load
PMX_CONFIG_OPTS += \
    -d CONFIG_DEFAULT_SECURITY_DAC \
    -e CONFIG_DEFAULT_SECURITY_APPARMOR \
    --set-str CONFIG_DEFAULT_SECURITY apparmor \
    -e CONFIG_MODULE_ALLOW_BTF_MISMATCH

# frame-pointer unwinder (not ORC, not guess)
PMX_CONFIG_OPTS += \
    -d CONFIG_UNWINDER_ORC \
    -d CONFIG_UNWINDER_GUESS \
    -e CONFIG_UNWINDER_FRAME_POINTER

# Trust anchors and lockdown: the system and revocation keyrings are cleared,
# so the only key trusted for module signatures is the build key from above.
# Lockdown is built in, initialised early and listed first in the LSM order.
# NOTE(review): no CONFIG_LOCK_DOWN_KERNEL_FORCE_* is set here, so whether
# lockdown is actually enforced is decided by the boot environment / kernel
# command line rather than by this config alone -- verify on a booted system.
PMX_CONFIG_OPTS += \
    --set-str CONFIG_SYSTEM_TRUSTED_KEYS "" \
    --set-str CONFIG_SYSTEM_REVOCATION_KEYS "" \
    -e CONFIG_SECURITY_LOCKDOWN_LSM \
    -e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
    --set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
    -e CONFIG_PAGE_TABLE_ISOLATION
100
# Render debian/control and the dh maintainer scripts from their .in templates.
# The maintainer scripts are produced as a side effect of building debian/control.
# KVNAME / KERNEL_MAJMIN are spliced unescaped into the sed replacement, so they
# must not contain '/' or '&'.
debian/control: $(wildcard debian/*.in)
	for s in prerm postrm postinst; do \
	    sed -e 's/@@KVNAME@@/$(KVNAME)/g' \
	        < debian/proxmox-kernel.$$s.in > debian/$(PMX_KERNEL_PKG).$$s \
	    && chmod +x debian/$(PMX_KERNEL_PKG).$$s || exit 1; \
	done
	for s in postrm postinst; do \
	    sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' \
	        < debian/proxmox-kernel-meta.$$s.in > debian/$(PMX_KERNEL_SERIES_PKG).$$s \
	    && chmod +x debian/$(PMX_KERNEL_SERIES_PKG).$$s || exit 1; \
	done
	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PMX_HEADER_PKG).postinst
	chmod +x debian/$(PMX_HEADER_PKG).postinst
	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
115
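# dpkg-buildpackage entry point: compile the kernel, perf and the out-of-tree
# (ZFS) modules. Phony so a stray file named "build" cannot turn it into a no-op.
.PHONY: build
build: .compile_mark .tools_compile_mark .modules_compile_mark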
117
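# Stage all package trees under debian/<pkg>/ and run the dh helpers that
# finish their contents (docs, changelogs, manpages, compression, permissions).
# Phony so a stray file named "install" cannot turn it into a no-op.
.PHONY: install
install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
	dh_installdocs -A debian/copyright debian/SOURCE
	dh_installchangelogs
	dh_installman
	dh_strip_nondeterminism
	dh_compress
	dh_fixperms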
125
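# Produce the .deb files. fwcheck and abicheck gate packaging on the firmware
# list and the exported-symbol ABI; they run in a sub-make started through
# $(MAKE) (instead of re-executing debian/rules directly) so that -n and the
# jobserver/-j settings propagate.
.PHONY: binary
binary: install
	$(MAKE) -f debian/rules fwcheck abicheck
# the two header packages keep their debug info; everything else is stripped
	dh_strip -N$(PMX_HEADER_PKG) -N$(PMX_USR_HEADER_PKG)
	dh_makeshlibs
	dh_shlibdeps
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb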
135
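# Apply the Proxmox overrides to the imported kernel config and let oldconfig
# resolve dependencies. "cd X && ..." so a failed cd cannot run scripts/config
# against the wrong tree.
.config_mark:
	cd $(KERNEL_SRC) && scripts/config $(PMX_CONFIG_OPTS)
	$(MAKE) -C $(KERNEL_SRC) oldconfig
# oldconfig silently drops symbols whose dependencies are not met. Later steps
# rely on module signing being on and on the sha512 hash (the sign-file call in
# .install_mark hardcodes it, and skips signing altogether when CONFIG_MODULE_SIG
# is unset), so fail here instead of shipping unsigned modules by accident.
	grep -q '^CONFIG_MODULE_SIG=y$$' $(KERNEL_SRC)/.config
	grep -q '^CONFIG_MODULE_SIG_HASH="sha512"$$' $(KERNEL_SRC)/.config
	# copy to allow building in parallel to kernel/module compilation without interference
	rm -rf $(KERNEL_SRC_COPY)
	cp -ar $(KERNEL_SRC) $(KERNEL_SRC_COPY)
	touch $@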
143
# Compile the kernel in $(KERNEL_SRC). The timestamp embedded in the version
# banner comes from the changelog (UTC), not from the wall clock.
# With CONFIG_MODULE_SIG_KEY=certs/signing_key.pem (see PMX_CONFIG_OPTS) this
# build is presumably where the ephemeral module-signing key pair gets
# generated; .install_mark later uses it and deletes the private half.
.compile_mark: .config_mark
	$(MAKE) -C $(KERNEL_SRC) KBUILD_BUILD_VERSION_TIMESTAMP="PMX $(DEB_VERSION) ($(CHANGELOG_DATE_UTC_ISO))"
	touch $@
147
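# Stage the kernel image, config, System.map and all modules (in-tree plus ZFS)
# into debian/$(PMX_KERNEL_PKG); strip and sign the modules; generate the
# watchdog blacklist. Stamp file: .install_mark
.install_mark: .compile_mark .modules_compile_mark
	rm -rf debian/$(PMX_KERNEL_PKG)
	mkdir -p debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)
	mkdir debian/$(PMX_KERNEL_PKG)/boot
	install -m 644 $(KERNEL_SRC)/.config debian/$(PMX_KERNEL_PKG)/boot/config-$(KVNAME)
	install -m 644 $(KERNEL_SRC)/System.map debian/$(PMX_KERNEL_PKG)/boot/System.map-$(KVNAME)
	install -m 644 $(KERNEL_SRC)/$(KERNEL_IMAGE_PATH) debian/$(PMX_KERNEL_PKG)/boot/$(KERNEL_INSTALL_FILE)-$(KVNAME)
	$(MAKE) -C $(KERNEL_SRC) INSTALL_MOD_PATH=$(BUILD_DIR)/debian/$(PMX_KERNEL_PKG)/ modules_install
# install the zfs drivers next to the in-tree modules so the strip, sign and
# depmod steps below treat them like any other module
	install -d -m 0755 debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
	install -m 644 $(addprefix $(MODULES)/,zfs.ko zavl.ko znvpair.ko zunicode.ko zcommon.ko icp.ko zlua.ko spl.ko zzstd.ko) debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/zfs
# remove firmware (shipped by a separate package, see fwcheck)
	rm -rf debian/$(PMX_KERNEL_PKG)/lib/firmware

ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
else
	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
	mkdir -p debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
	mkdir debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
# unstripped (and still unsigned) copies of the modules, taken before strip/sign
	cp -r debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/
	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/source
	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/build
	rm -f debian/$(PMX_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)/modules.*
endif

# strip debug info. This must happen before signing: strip rewrites the ELF
# file and would discard a signature appended earlier. xargs returns non-zero
# if any strip invocation fails, so a failure no longer goes unnoticed.
	find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print0 | xargs -0 -r strip --strip-debug

# sign modules using the ephemeral key generated into $(KERNEL_SRC)/certs by the
# kernel build (CONFIG_MODULE_SIG_KEY). Changes vs the previous loop:
#  - the tree is referenced via KERNEL_SRC, as everywhere else in this file,
#    instead of a hardcoded path;
#  - a failing sign-file aborts the build (xargs exits 123) instead of leaving
#    an unsigned module in the package; the private key is only removed after
#    every module was signed.
# NOTE: if CONFIG_MODULE_SIG is not set in .config the whole step is skipped
# and the package ships unsigned modules.
	if grep -q '^CONFIG_MODULE_SIG=y$$' $(KERNEL_SRC)/.config ; then \
	    find debian/$(PMX_KERNEL_PKG)/lib/modules -name \*.ko -print0 \
	    | xargs -0 -r -n1 $(KERNEL_SRC)/scripts/sign-file sha512 \
	        $(KERNEL_SRC)/certs/signing_key.pem $(KERNEL_SRC)/certs/signing_key.x509 \
	    && rm $(KERNEL_SRC)/certs/signing_key.pem ; \
	fi
# finalize
	/sbin/depmod -b debian/$(PMX_KERNEL_PKG)/ $(KVNAME)
# Autogenerate blacklist for watchdog devices (see README)
	install -m 0755 -d debian/$(PMX_KERNEL_PKG)/lib/modprobe.d
	ls debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/kernel/drivers/watchdog/ > watchdog-blacklist.tmp
	echo ipmi_watchdog.ko >> watchdog-blacklist.tmp
	cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
# drop the source/build links modules_install created; they point into the
# build tree, the headers package provides its own build link
	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
	rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
	touch $@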
195
# Build perf (and its manpages) from the kernel tree. libbfd and libcrypto are
# deliberately left out: perf is GPL-2-only and must not end up linked against
# libraries with incompatible licences, which the ldd check below enforces by
# failing the build if either shows up in the dynamic dependencies.
.tools_compile_mark: .compile_mark
	$(MAKE) -C $(KERNEL_SRC)/tools/perf prefix=/usr HAVE_NO_LIBBFD=1 HAVE_CPLUS_DEMANGLE_SUPPORT=1 NO_LIBPYTHON=1 NO_LIBPERL=1 NO_LIBCRYPTO=1 PYTHON=python3
	echo "checking GPL-2 only perf binary for library linkage with incompatible licenses.."
	! ldd $(KERNEL_SRC)/tools/perf/perf | grep -q -E '\blib(bfd|crypto)'
	$(MAKE) -C $(KERNEL_SRC)/tools/perf man
	touch $@
203
# Stage perf and its manpages into the linux-tools package under names
# suffixed with the kernel series (perf_<maj.min>, <page>_<maj.min>.1),
# presumably so tools packages of different series can be co-installed.
.tools_install_mark: .tools_compile_mark
	rm -rf debian/$(LINUX_TOOLS_PKG)
	mkdir -p debian/$(LINUX_TOOLS_PKG)/usr/bin debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1
	install -m 755 $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/perf debian/$(LINUX_TOOLS_PKG)/usr/bin/perf_$(KERNEL_MAJMIN)
	for page in $(BUILD_DIR)/$(KERNEL_SRC)/tools/perf/Documentation/*.1; do \
	    base=$$(basename "$$page" .1); \
	    install -m644 "$$page" "debian/$(LINUX_TOOLS_PKG)/usr/share/man/man1/$${base}_$(KERNEL_MAJMIN).1"; \
	done
	touch $@
214
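# Collect the source-side part of the headers package from the scratch copy of
# the tree (KERNEL_SRC_COPY, taken in .config_mark): the saved .config, every
# Makefile/Kconfig/Kbuild and .sh/.pl script outside include/, Documentation/,
# scripts/ and debian/, plus all files below arch/$(KERNEL_HEADER_ARCH)/**/include.
# The generated parts are added by .headers_compile_mark.
.headers_prepare_mark: .config_mark
	rm -rf debian/$(PMX_HEADER_PKG)
	mkdir -p debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
	install -m 0644 $(KERNEL_SRC)/.config debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
# $(MAKE) rather than a bare "make" so -n and the jobserver reach the sub-make
	$(MAKE) -C $(KERNEL_SRC_COPY) mrproper
# "cd X && ..." so a failing cd cannot run find/cpio against the wrong tree
	cd $(KERNEL_SRC_COPY) && find . -path './debian/*' -prune \
	-o -path './include/*' -prune \
	-o -path './Documentation' -prune \
	-o -path './scripts' -prune \
	-o -type f \
	\( \
	-name 'Makefile*' \
	-o -name 'Kconfig*' \
	-o -name 'Kbuild*' \
	-o -name '*.sh' \
	-o -name '*.pl' \
	\) \
	-print | cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
	cd $(KERNEL_SRC_COPY) && \
	( \
	find arch/$(KERNEL_HEADER_ARCH) -name include -type d -print | \
	xargs -n1 -i: find : -type f \
	) | \
	cpio -pd --preserve-modification-time $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
	touch $@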
240
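# Generate the build-side part of the headers package: run the kernel's
# prepare targets in an out-of-tree (O=) build directory placed inside the
# scratch copy, then merge the results into the package.
.headers_compile_mark: .headers_prepare_mark
	# set output to subdir of source to reduce number of hardcoded paths in output files
	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
	mkdir -p $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)
	cp $(KERNEL_SRC)/.config $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/.config
# -j1 is kept as found; the reason is not recorded here -- presumably to
# avoid races between the listed targets. Confirm before changing it.
	$(MAKE) -C $(KERNEL_SRC_COPY) O=$(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -j1 syncconfig modules_prepare prepare scripts
# pristine include/ and scripts/ from the (mrproper'ed) source copy go first;
# "cd X && ..." so a failing cd cannot copy from the wrong tree
	cd $(KERNEL_SRC_COPY) && cp -a include scripts $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
# drop object fragments and kbuild .cmd files from the O= tree
	find $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG) -name \*.o.ur-\* -o -name '*.cmd' | xargs rm -f
# then the generated files; --ignore-existing keeps the source-tree versions
# copied above where both exist
	rsync --ignore-existing -r -v -a $(addprefix $(BUILD_DIR)/$(KERNEL_SRC_COPY)/$(PMX_HEADER_PKG)/,arch include kernel scripts tools) $(BUILD_DIR)/debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/
# the scratch copy is no longer needed
	rm -rf $(BUILD_DIR)/$(KERNEL_SRC_COPY)
	touch $@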
252
# Finish the headers package once the kernel is built: add the generated
# compile.h and Module.symvers, and point /lib/modules/<KVNAME>/build at the
# /usr/src location so out-of-tree module builds find the headers.
.headers_install_mark: HDR_DIR = debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)
.headers_install_mark: .compile_mark .modules_compile_mark .headers_compile_mark
	cp $(KERNEL_SRC)/include/generated/compile.h $(HDR_DIR)/include/generated/compile.h
	install -m 0644 $(KERNEL_SRC)/Module.symvers $(HDR_DIR)
	mkdir -p debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)
	ln -sf /usr/src/linux-headers-$(KVNAME) debian/$(PMX_HEADER_PKG)/lib/modules/$(KVNAME)/build
	touch $@
259
# Build proxmox-kernel-libc-dev: the exported UAPI headers (make headers_install)
# without drm/ and scsi/, with the arch-specific asm/ (and arch/, if present)
# moved below the multiarch triplet directory.
.usr_headers_install_mark: PKG_DIR = debian/$(PMX_USR_HEADER_PKG)
.usr_headers_install_mark: OUT_DIR = $(PKG_DIR)/usr
.usr_headers_install_mark: .config_mark
	rm -rf '$(PKG_DIR)'
	mkdir -p '$(PKG_DIR)'
	$(MAKE) -C $(KERNEL_SRC) headers_install ARCH=$(KERNEL_HEADER_ARCH) INSTALL_HDR_PATH='$(CURDIR)'/$(OUT_DIR)
	rm -rf $(OUT_DIR)/include/drm $(OUT_DIR)/include/scsi
# headers_install leaves its bookkeeping files behind; they are not part of the API
	find $(OUT_DIR)/include \( -name .install -o -name ..install.cmd \) -execdir rm {} +

	# Move include/asm to arch-specific directory
	mkdir -p $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)
	mv $(OUT_DIR)/include/asm $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/
	if [ -d $(OUT_DIR)/include/arch ]; then \
	    mv $(OUT_DIR)/include/arch $(OUT_DIR)/include/$(DEB_HOST_MULTIARCH)/; \
	fi
	touch $@
275
# Stamp for the out-of-tree modules; currently that is only ZFS (see the
# $(MODULES)/zfs.ko rule, which also builds the sibling spl/zavl/... modules).
.modules_compile_mark: $(MODULES)/zfs.ko
	touch $@
278
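# Build the ZFS kernel modules against the freshly compiled tree. Besides $@
# this rule also drops the sibling modules (spl, zavl, ...) into $(MODULES);
# .install_mark ships and signs them together with the in-tree modules.
# "cd X && cmd" so a failing cd cannot run autogen/configure elsewhere.
$(MODULES)/zfs.ko: .compile_mark
	cd $(MODULES)/$(ZFSDIR) && ./autogen.sh
	cd $(MODULES)/$(ZFSDIR) && ./configure --with-config=kernel --with-linux=$(BUILD_DIR)/$(KERNEL_SRC) --with-linux-obj=$(BUILD_DIR)/$(KERNEL_SRC)
	$(MAKE) -C $(MODULES)/$(ZFSDIR)
	for m in avl/zavl nvpair/znvpair unicode/zunicode zcommon/zcommon icp/icp zfs/zfs lua/zlua spl/spl zstd/zzstd; do \
	    cp $(MODULES)/$(ZFSDIR)/module/$$m.ko $(MODULES)/ || exit 1; \
	done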
292
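# List the firmware files referenced by the staged modules. The input tree is
# populated by .install_mark, so that is declared as a prerequisite instead of
# being an implicit ordering assumption. Written to a temporary named after the
# target and renamed afterwards, so an interrupted run cannot leave a
# truncated-but-newer fwlist behind.
fwlist-$(KVNAME): .compile_mark .modules_compile_mark .install_mark
	debian/scripts/find-firmware.pl debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME) >$@.tmp
	mv $@.tmp $@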
296
.PHONY: fwcheck
# Fail the build if the set of firmware files the modules reference differs
# from the one the last pve-firmware package was built against. On a
# mismatch diff returns non-zero and fwlist.diff is left in place for inspection.
fwcheck: fwlist-$(KVNAME) fwlist-previous
	@echo "checking fwlist for changes since last built firmware package.."
	@echo "if this check fails, add fwlist-$(KVNAME) to the pve-firmware repository and upload a new firmware package together with the $(KVNAME) kernel"
	sort $(word 2,$^) | uniq > $(word 2,$^).sorted
	sort $< | uniq > $<.sorted
	diff -up -N $(word 2,$^).sorted $<.sorted > fwlist.diff
	rm fwlist.diff $(word 2,$^).sorted $<.sorted
	@echo "done, no need to rebuild pve-firmware"
306
307
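# Generate the exported-symbol ABI description for this kernel. It reads the
# Module.symvers staged into the headers package, so it depends on
# .headers_install_mark (which stages that file) and not only on the compile.
abi-$(KVNAME): .compile_mark .headers_install_mark
	debian/scripts/abi-generate debian/$(PMX_HEADER_PKG)/usr/src/linux-headers-$(KVNAME)/Module.symvers abi-$(KVNAME) $(KVNAME)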
310
.PHONY: abicheck
# Compare this kernel's ABI with the recorded previous one(s). abi-prev-* is
# glob-expanded by make, so at least one such file must exist. abi-blacklist is
# presumably the list of symbols abi-check may ignore; SKIPABI is not set in
# this file (an env/rules.d knob passed through to abi-check) -- verify before
# relying on either.
abicheck: debian/scripts/abi-check abi-$(KVNAME) abi-prev-* abi-blacklist
	debian/scripts/abi-check abi-$(KVNAME) abi-prev-* $(SKIPABI)
314
315 .PHONY: clean