build: add proxmox-kernel-X.Y-pve-signed-template
authorFabian Grünbichler <f.gruenbichler@proxmox.com>
Thu, 16 Mar 2023 09:40:02 +0000 (10:40 +0100)
committerFabian Grünbichler <f.gruenbichler@proxmox.com>
Mon, 20 Nov 2023 11:28:56 +0000 (12:28 +0100)
the signed template together with the binary package(s) containing the unsigned
files form the input to our secure boot signing service.

the signed template consists of
- files.json (specifying which files are signed how and by which key)
- packaging template used to build the signed package(s)

the signing service
- extracts and checks the signed-template binary package
- extracts the unsigned package(s)
- signs the needed files
- packs up the signatures + the template contained in the signed-template
  package into the signed source package

the signed source package can then be built in the regular fashion (in case of
the kernel packages, it will copy the kernel image, modules and some helper
files from the unsigned package, attach the signature created by the signing
service, and re-pack the result as signed-kernel package).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
debian/control.in
debian/rules
debian/signing-template/control.in [new file with mode: 0644]
debian/signing-template/files.json.in [new file with mode: 0644]
debian/signing-template/rules.in [new file with mode: 0644]
debian/signing-template/source/format [new file with mode: 0644]

index 515eaae22d3caf867fb1514646589424db77789c..24d7f12a83358a4e7856ae71243c9ef3e2e1e397 100644 (file)
@@ -79,6 +79,13 @@ Description: Proxmox Kernel debug image
  to analyze kernel crashes. This package also contains the proxmox-kernel modules
  in their unstripped version.
 
+Package: proxmox-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
 Package: proxmox-kernel-libc-dev
 Section: devel
 Priority: optional
index 80e1906dda353a4907547416caaeda4308720039..463aea2f3ce19163d8c41aed07a2054f82ed58ca 100755 (executable)
@@ -21,6 +21,8 @@ PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
 PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
 PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
 PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
 LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
 KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
 
@@ -117,6 +119,17 @@ debian/control: $(wildcard debian/*.in)
        chmod +x debian/$(PMX_HEADER_PKG).postinst
        sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
 
+       # signing-template
+       sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+       sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+       sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+       sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+       sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+       rm debian/signing-template/*.in
+       cp debian/SOURCE debian/signing-template/
+
 build: .compile_mark .tools_compile_mark .modules_compile_mark
 
 install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
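Review bot: `rm debian/signing-template/*.in` deletes the template sources that this same commit adds to the repository, so after one run of the `debian/control` rule the inputs it just expanded are gone and regenerating the templates (or getting a clean `git status`) needs a checkout to restore them — unless a step outside this hunk puts them back. The install recipe added later copies the generated files by explicit name, so the `.in` files would not be shipped anyway; dropping the `rm` line appears safe. The `debian/signing-template/*.in` files are also not among the rule's prerequisites, so editing them does not trigger regeneration; the rule header is outside this hunk, but it would read `debian/control: $(wildcard debian/*.in) $(wildcard debian/signing-template/*.in)`.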
@@ -195,6 +208,22 @@ endif
        cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
        rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
        rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+       # copy signing template contents
+       rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+       mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+       cp -R debian/copyright \
+               debian/signing-template/rules \
+               debian/signing-template/control \
+               debian/signing-template/source \
+               debian/signing-template/changelog \
+               debian/signing-template/prerm \
+               debian/signing-template/postrm \
+               debian/signing-template/postinst \
+               debian/signing-template/SOURCE \
+               debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+       cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
        touch $@
 
 .tools_compile_mark: .compile_mark
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
new file mode 100644 (file)
index 0000000..46b5b7a
--- /dev/null
@@ -0,0 +1,25 @@
+Source: proxmox-kernel-signed-@KVMAJMIN@
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: proxmox-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: proxmox-kernel-@KVNAME@
+Replaces: proxmox-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.
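Review bot: `Architecture: any` for the signed binary package does not match the rest of the stanza, which hardcodes `Provides: linux-image-@KVNAME@-amd64` and builds with `sbsigntool` (EFI signing only), nor the `Architecture: amd64` used for the signed-template package in debian/control.in. Unless other architectures are planned, `Architecture: amd64` states the real constraint and stops dpkg-buildpackage from attempting the package elsewhere. The exact-version pin `proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)` in Build-Depends is what ties the signed package to the binaries the service signed; it is worth a comment in the template saying so, since rules.in copies the image from the installed package rather than from a .deb.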
diff --git a/debian/signing-template/files.json.in b/debian/signing-template/files.json.in
new file mode 100644 (file)
index 0000000..0fdd61c
--- /dev/null
@@ -0,0 +1,13 @@
+{
+       "packages": {
+               "proxmox-kernel-@KVNAME@": {
+                       "trusted_certs": [],
+                       "files": [
+                               {
+                                       "sig_type": "efi",
+                                       "file": "boot/vmlinuz-@KVNAME@"
+                               }
+                       ]
+               }
+       }
+}
diff --git a/debian/signing-template/rules.in b/debian/signing-template/rules.in
new file mode 100644 (file)
index 0000000..2f4ef1a
--- /dev/null
@@ -0,0 +1,58 @@
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+       dh_testdir
+       dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+       dh_testdir
+       mkdir -p $(PACKAGE_DIR)/boot
+       rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+       if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+               sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+                       $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+       else \
+               echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+               false; \
+       fi
+       mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+       rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+       mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+       cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+       dh_install
+       dh_installchangelogs
+       dh_installdocs -A debian/copyright debian/SOURCE
+       dh_lintian
+       dh_compress
+       dh_fixperms
+       dh_installdeb
+       # Copy most package relations and description from unsigned package
+       for field in Depends Suggests Recommends Breaks; do \
+               echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+       done
+       echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+       echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+       dh_gencontrol -- -v$(PACKAGE_VERSION)
+       dh_md5sums
+       dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
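Review bot: `rsync -ar /lib/modules/$(KERNEL_VERSION)/ …` copies the entire host module tree for that kernel, not only the contents of the unsigned package the build pins via Build-Depends, so anything else present there on the build host (for example locally built out-of-tree modules) would be shipped inside the signed package; the `/boot` rsync line above it has the same property. Restricting both copies to files owned by the package — e.g. a list taken from `dpkg -L $(IMAGE_PACKAGE_NAME)`, or extracting the pinned `.deb` with `dpkg-deb -x` — keeps the signed package's content identical to the unsigned one. After `sbattach --attach` nothing checks that the signature belongs to the image that was copied; if the CA certificate is available at build time, an `sbverify` step would turn a mismatch (an image rebuilt locally under the same version) into a build failure instead of a package that fails Secure Boot verification on the target. The `# Copy most package relations …` line sits inside the recipe, so it is passed to and echoed by the shell rather than treated as a make comment; prefix it with `@` or move it above the recipe.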
diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format
new file mode 100644 (file)
index 0000000..89ae9db
--- /dev/null
@@ -0,0 +1 @@
+3.0 (native)