def __init__(self, dir, arch, featureset, flavour):
self.arch, self.featureset, self.flavour = arch, featureset, flavour
self.config = ConfigCoreDump(fp = file("debian/config.defines.dump"))
self.filename_new = "%s/Module.symvers" % dir
changelog = Changelog(version = VersionLinux)[0]
version = changelog.version.linux_version
abiname = self.config['abi',]['abiname']
self.filename_ref = "debian/abi/%s-%s/%s_%s_%s" % (version, abiname, arch, featureset, flavour)
def __init__(self, arch):
super(Gencontrol, self).__init__(
ConfigCoreDump(fp=open('debian/config.defines.dump', 'rb')),
Templates(['debian/signing_templates', 'debian/templates']))
image_binary_version = self.changelog[0].version.complete
config_entry = self.config[('version', )]
self.version = VersionLinux(config_entry['source'])
# Check config version matches changelog version
assert self.version.complete == re.sub(r'\+b\d+$', r'',
image_binary_version)
self.abiname = config_entry['abiname']
self.vars = {
'template': 'linux-image-%s-signed-template' % arch,
'upstreamversion': self.version.linux_upstream,
'version': self.version.linux_version,
'source_upstream': self.version.upstream,
'abiname': self.abiname,
'imagebinaryversion': image_binary_version,
'imagesourceversion': self.version.complete,
'arch': arch,
}
self.package_dir = 'debian/%(template)s' % self.vars
self.template_top_dir = (
self.package_dir +
'/usr/share/code-signing/%(template)s' % self.vars)
self.template_debian_dir = (self.template_top_dir +
'/source-template/debian')
os.makedirs(self.template_debian_dir, exist_ok=True)
self.image_packages = []
def __init__(self, config, image_version, signed_version_suffix, signer=''):
super(Gencontrol, self).__init__(ConfigCoreDump(fp = open(config, "rb")), Templates(["debian/templates"]))
config_entry = self.config['version',]
self.version = VersionLinux(config_entry['source'])
# Check current linux-support version
assert self.version.complete == re.sub(r'\+b\d+$', r'', image_version)
if len(signer) == 0 or signer == 'sbsign':
self.signer_package = 'sbsigntool'
else:
self.signer_package = signer
self.abiname = config_entry['abiname']
self.binary_version = image_version + signed_version_suffix
self.vars = {
'upstreamversion': self.version.linux_upstream,
'version': self.version.linux_version,
'source_upstream': self.version.upstream,
'abiname': self.abiname,
'imageversion': image_version,
'imagesourceversion': self.version.complete,
'binaryversion': self.binary_version,
'signer_package': self.signer_package,
}
def __init__(self,
url,
url_config=None,
arch=None,
featureset=None,
flavour=None):
self.log = sys.stdout.write
self.url = self.url_config = url
if url_config is not None:
self.url_config = url_config
self.override_arch = arch
self.override_featureset = featureset
self.override_flavour = flavour
changelog = Changelog(version=VersionLinux)
while changelog[0].distribution == 'UNRELEASED':
changelog.pop(0)
changelog = changelog[0]
self.source = changelog.source
self.version = changelog.version.linux_version
self.version_source = changelog.version.complete
self.config = ConfigCoreDump(
fp=open("debian/config.defines.dump", "rb"))
self.version_abi = self.config['version', ]['abiname']
def __init__(self, config):
super(Gencontrol, self).__init__(ConfigCoreDump(fp=open(config, "rb")),
Templates(["debian/templates"]))
config_entry = self.config['version', ]
self.version = VersionLinux(config_entry['source'])
self.abiname = config_entry['abiname']
self.vars = {
'upstreamversion':
self.version.linux_upstream,
'version':
self.version.linux_version,
'source_package':
self.changelog[0].source,
'source_suffix':
re.sub(r'^linux-latest', r'', self.changelog[0].source),
'source_upstream':
self.version.upstream,
'abiname':
self.abiname,
}
changelog_version = Changelog()[0].version
self.package_version = '%s+%s' % (self.version.linux_version,
changelog_version.complete)
def __init__(self, arch=None, featureset=None, flavour=None):
self.log = sys.stdout.write
self.override_arch = arch
self.override_featureset = featureset
self.override_flavour = flavour
changelog = Changelog(version=VersionLinux)
while changelog[0].distribution == 'UNRELEASED':
changelog.pop(0)
changelog = changelog[0]
self.source = changelog.source
self.version = changelog.version.linux_version
self.version_source = changelog.version.complete
if changelog.distribution.endswith('-security'):
self.urls = [url_base_security]
else:
self.urls = [
url_base, url_base_ports, url_base_incoming,
url_base_ports_incoming
]
self.config = ConfigCoreDump(
fp=open("debian/config.defines.dump", "rb"))
self.version_abi = self.config['version', ]['abiname']
def __init__(self, config):
super(Gencontrol, self).__init__(ConfigCoreDump(fp=file(config)),
Templates(["debian/templates"]))
config_entry = self.config['version', ]
self.version = VersionLinux(config_entry['source'])
self.abiname = config_entry['abiname']
self.vars = {
'upstreamversion': self.version.linux_upstream,
'version': self.version.linux_version,
'source_upstream': self.version.upstream,
'abiname': self.abiname,
}
changelog_version = Changelog()[0].version
self.package_version = u'%s+%s' % (self.version.linux_version,
changelog_version.complete)
def __init__(self, dir, arch, featureset, flavour):
self.args = dir, arch, featureset, flavour
self.config = ConfigCoreDump(fp=file("debian/config.defines.dump"))
#!/usr/bin/python3
import sys
from debian_linux.config import ConfigCoreDump
section = tuple(s or None for s in sys.argv[1:-1])
key = sys.argv[-1]
config = ConfigCoreDump(fp=open("debian/config.defines.dump", "rb"))
try:
value = config[section][key]
except KeyError:
sys.exit(1)
if isinstance(value, str):
# Don't iterate over it
print(value)
else:
# In case it's a sequence, try printing each item
try:
for item in value:
print(item)
except TypeError:
# Otherwise use the default format
print(value)
class checker(object):
def __init__(self, dir, arch, featureset, flavour):
self.arch, self.featureset, self.flavour = arch, featureset, flavour
self.config = ConfigCoreDump(fp = file("debian/config.defines.dump"))
self.filename_new = "%s/Module.symvers" % dir
changelog = Changelog(version = VersionLinux)[0]
version = changelog.version.linux_version
abiname = self.config['abi',]['abiname']
self.filename_ref = "debian/abi/%s-%s/%s_%s_%s" % (version, abiname, arch, featureset, flavour)
def __call__(self, out):
ret = 0
new = symbols(self.filename_new)
try:
ref = symbols(self.filename_ref)
except IOError:
out.write("Can't read ABI reference. ABI not checked! Continuing.\n")
return 0
add_info, change_info, remove_info = ref.cmp(new)
add = set(add_info.keys())
change = set(change_info.keys())
remove = set(remove_info.keys())
ignore = self._ignore(add_info, change_info, remove_info)
add_effective = add - ignore
change_effective = change - ignore
remove_effective = remove - ignore
if change_effective or remove_effective:
out.write("ABI has changed! Refusing to continue.\n")
ret = 1
elif change or remove:
out.write("ABI has changed but all changes have been ignored. Continuing.\n")
elif add_effective:
out.write("New symbols have been added. Continuing.\n")
elif add:
out.write("New symbols have been added but have been ignored. Continuing.\n")
else:
out.write("No ABI changes.\n")
if add:
out.write("\nAdded symbols:\n")
t = list(add)
t.sort()
for symbol in t:
info = []
if symbol in ignore:
info.append("ignored")
for i in ('module', 'version', 'export'):
info.append("%s: %s" % (i, add_info[symbol][i]))
out.write("%-48s %s\n" % (symbol, ", ".join(info)))
if change:
out.write("\nChanged symbols:\n")
t = list(change)
t.sort()
for symbol in t:
info = []
if symbol in ignore:
info.append("ignored")
s = change_info[symbol]
changes = s['changes']
for i in ('module', 'version', 'export'):
if changes.has_key(i):
info.append("%s: %s -> %s" % (i, s['ref'][i], s['new'][i]))
else:
info.append("%s: %s" % (i, new[symbol][i]))
out.write("%-48s %s\n" % (symbol, ", ".join(info)))
if remove:
out.write("\nRemoved symbols:\n")
t = list(remove)
t.sort()
for symbol in t:
info = []
if symbol in ignore:
info.append("ignored")
for i in ('module', 'version', 'export'):
info.append("%s: %s" % (i, remove_info[symbol][i]))
out.write("%-48s %s\n" % (symbol, ", ".join(info)))
return ret
def _ignore(self, add, change, remove):
all = set(add.keys() + change.keys() + remove.keys())
# TODO: let config merge this lists
configs = []
configs.append(self.config.get(('abi', self.arch, self.featureset, self.flavour), {}))
configs.append(self.config.get(('abi', self.arch, None, self.flavour), {}))
configs.append(self.config.get(('abi', self.arch, self.featureset), {}))
configs.append(self.config.get(('abi', self.arch), {}))
configs.append(self.config.get(('abi',), {}))
ignores = set()
for config in configs:
ignores.update(config.get('ignore-changes', []))
filtered = set()
for m in ignores:
filtered.update(fnmatch.filter(all, m))
return filtered
def sign(config_name,
imageversion_str,
modules_privkey_name,
modules_cert_name,
image_privkey_name,
image_cert_name,
mirror_url,
suite,
signer='sbsign',
nss_dir=None,
nss_token="",
pin=""):
config = ConfigCoreDump(fp=open(config_name, 'rb'))
# Check current linux-support version
assert config['version', ]['source'] == re.sub(r'\+b\d+$', r'',
imageversion_str)
abiname = config['version', ]['abiname']
imageversion = VersionLinux(imageversion_str)
kbuild_dir = '/usr/lib/linux-kbuild-%s' % imageversion.linux_version
signature_dir = 'debian/signatures'
if os.path.isdir(signature_dir):
shutil.rmtree(signature_dir)
if signer == "sbsign":
pin = None
if pin == "" and nss_dir is not None and nss_token != "" and signer == "pesign":
pin = getpass.getpass('Hardware token PIN:')
for arch in iter(config['base', ]['arches']):
for featureset in config['base', arch].get('featuresets', ()):
if not config.merge('base', None, featureset).get('enabled', True):
continue
for flavour in config['base', arch, featureset]['flavours']:
if not (config.merge('build', arch, featureset, flavour).get(
'signed-modules', False)):
continue
kernelversion = '%s%s-%s' % \
(abiname,
'' if featureset == 'none' else '-' + featureset,
flavour)
package_name = 'linux-image-%s-unsigned' % kernelversion
try:
package_dir = get_package(mirror_url, suite, package_name,
imageversion_str, arch)
except MissingPackageError:
package_dir = get_package(
'http://incoming.debian.org/debian-buildd/',
'buildd-' + suite, package_name, imageversion_str,
arch)
# Shrink the heap before we start forking children
gc.collect()
signature_dir = os.path.join('debian/signatures', package_name)
os.makedirs(signature_dir)
if modules_privkey_name is not None and len(
modules_privkey_name) > 0:
sign_modules(
kbuild_dir,
'%s/lib/modules/%s' % (package_dir, kernelversion),
'%s/lib/modules/%s' % (signature_dir, kernelversion),
modules_privkey_name, modules_cert_name, pin)
# Currently we can only sign kernel images built with an
# EFI stub, which has space for an embedded signature.
with open(os.path.join(package_dir,
'boot/config-%s' % kernelversion)) \
as kconfig_file:
kconfig = kconfig_file.readlines()
if ('CONFIG_EFI_STUB=y\n' in kconfig and
('CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y\n' in kconfig
or 'CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y\n' in kconfig
or 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig)):
if signer == 'sbsign':
sign_image_efi(
'%s/boot/vmlinuz-%s' %
(package_dir, kernelversion),
'%s/boot/vmlinuz-%s.sig' %
(signature_dir, kernelversion), image_privkey_name,
image_cert_name)
elif signer == 'pesign':
sign_image_efi_pesign(
'%s/boot/vmlinuz-%s' %
(package_dir, kernelversion),
'%s/boot/vmlinuz-%s.sig' %
(signature_dir, kernelversion), nss_dir,
image_cert_name, nss_token, pin)
else:
raise Exception('unknown signer')
print(
'Signatures should be committed: git add debian/signatures && git commit'
)