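def __init__(self, arch):
    """Prepare generation of the signed-image template package for *arch*.

    Loads the configuration dump and the templates from fixed paths under
    ``debian/``, checks that the configured source version agrees with the
    first changelog entry, fills the template variables and creates the
    template output directory.

    Args:
        arch: Architecture name; interpolated into the template package
            name and therefore into the output directory path.

    Raises:
        AssertionError: If the configured source version differs from the
            changelog version with any trailing ``+b<digits>`` removed.
    """
    super(Gencontrol, self).__init__(
        ConfigCoreDump(fp=open('debian/config.defines.dump', 'rb')),
        Templates(['debian/signing_templates', 'debian/templates']))

    image_binary_version = self.changelog[0].version.complete

    config_entry = self.config[('version', )]
    self.version = VersionLinux(config_entry['source'])

    # Check config version matches changelog version.  This is raised
    # explicitly rather than with ``assert`` so that the consistency check
    # is not compiled away when the interpreter runs with -O.
    expected_version = re.sub(r'\+b\d+$', r'', image_binary_version)
    if self.version.complete != expected_version:
        raise AssertionError(
            'config version %s does not match changelog version %s'
            % (self.version.complete, expected_version))

    self.abiname = config_entry['abiname']
    self.vars = {
        'template': 'linux-image-%s-signed-template' % arch,
        'upstreamversion': self.version.linux_upstream,
        'version': self.version.linux_version,
        'source_upstream': self.version.upstream,
        'abiname': self.abiname,
        'imagebinaryversion': image_binary_version,
        'imagesourceversion': self.version.complete,
        'arch': arch,
    }

    # NOTE(review): arch reaches the filesystem path below unvalidated;
    # presumably callers only pass a Debian architecture name - confirm.
    self.package_dir = 'debian/%(template)s' % self.vars
    self.template_top_dir = (
        self.package_dir
        + '/usr/share/code-signing/%(template)s' % self.vars)
    self.template_debian_dir = (self.template_top_dir
                                + '/source-template/debian')
    os.makedirs(self.template_debian_dir, exist_ok=True)

    self.image_packages = []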
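def __init__(self, config, image_version, signed_version_suffix, signer=''):
    """Initialise the generator for the signed packages of one image version.

    Args:
        config: Path of the configuration dump, opened in binary mode.
        image_version: Version of the unsigned image packages; it must
            equal the configured source version once a trailing
            ``+b<digits>`` is removed.
        signed_version_suffix: Appended to *image_version* to form the
            version of the signed packages.
        signer: Signing tool name.  Empty or ``'sbsign'`` selects the
            ``sbsigntool`` package; any other value is used verbatim as
            the signer package name.

    Raises:
        AssertionError: If the configured source version does not match
            *image_version*.
    """
    super(Gencontrol, self).__init__(
        ConfigCoreDump(fp=open(config, "rb")),
        Templates(["debian/templates"]))

    config_entry = self.config['version', ]
    self.version = VersionLinux(config_entry['source'])

    # Check current linux-support version.  Raised explicitly instead of
    # via ``assert`` so the check still runs when Python is started with -O.
    expected_version = re.sub(r'\+b\d+$', r'', image_version)
    if self.version.complete != expected_version:
        raise AssertionError(
            'config version %s does not match image version %s'
            % (self.version.complete, expected_version))

    # NOTE(review): a caller-supplied signer name is not validated here
    # before it becomes a template variable - confirm it comes from a
    # trusted source.
    if not signer or signer == 'sbsign':
        self.signer_package = 'sbsigntool'
    else:
        self.signer_package = signer

    self.abiname = config_entry['abiname']
    self.binary_version = image_version + signed_version_suffix
    self.vars = {
        'upstreamversion': self.version.linux_upstream,
        'version': self.version.linux_version,
        'source_upstream': self.version.upstream,
        'abiname': self.abiname,
        'imageversion': image_version,
        'imagesourceversion': self.version.complete,
        'binaryversion': self.binary_version,
        'signer_package': self.signer_package,
    }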
def __init__(self, config):
    """Initialise the generator from the configuration dump at *config*.

    Reads the ``version`` section of the dump for the source version and
    the ABI name, fills the template variables, and derives the package
    version from the kernel version plus the version of the first
    changelog entry.
    """
    dump = ConfigCoreDump(fp=open(config, "rb"))
    super(Gencontrol, self).__init__(dump, Templates(["debian/templates"]))

    version_section = self.config['version', ]
    self.version = VersionLinux(version_section['source'])
    self.abiname = version_section['abiname']

    # Source package name as recorded in the first changelog entry.
    source_name = self.changelog[0].source
    self.vars = {
        'upstreamversion': self.version.linux_upstream,
        'version': self.version.linux_version,
        'source_package': source_name,
        # Whatever follows a leading "linux-latest" in the source name.
        'source_suffix': re.sub(r'^linux-latest', r'', source_name),
        'source_upstream': self.version.upstream,
        'abiname': self.abiname,
    }

    first_entry_version = Changelog()[0].version
    self.package_version = '%s+%s' % (
        self.version.linux_version, first_entry_version.complete)
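def __init__(self, config):
    """Initialise the generator from the configuration dump at *config*.

    Reads the ``version`` section of the dump for the source version and
    the ABI name, fills the template variables, and derives the package
    version from the kernel version plus the version of the first
    changelog entry.
    """
    # open() exists on both Python 2 and Python 3, whereas the file()
    # built-in is Python 2 only; binary mode hands the dump to the parser
    # without newline or encoding translation.
    super(Gencontrol, self).__init__(
        ConfigCoreDump(fp=open(config, 'rb')),
        Templates(["debian/templates"]))

    config_entry = self.config['version', ]
    self.version = VersionLinux(config_entry['source'])
    self.abiname = config_entry['abiname']
    self.vars = {
        'upstreamversion': self.version.linux_upstream,
        'version': self.version.linux_version,
        'source_upstream': self.version.upstream,
        'abiname': self.abiname,
    }

    changelog_version = Changelog()[0].version
    self.package_version = u'%s+%s' % (
        self.version.linux_version, changelog_version.complete)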
def __init__(self, input_files, override_version):
    """Work out the names used for the orig tarball, directory and tag.

    The source name and version come from the first changelog entry.  A
    non-empty *override_version* replaces the changelog version after
    ``-0`` is appended to it.
    """
    self.input_files = input_files
    self.log = sys.stdout.write

    first_entry = Changelog(version=VersionLinux)[0]
    source_name = first_entry.source
    if override_version:
        parsed = VersionLinux('%s-0' % override_version)
    else:
        parsed = first_entry.version

    # A version without a dfsg component is recorded as '0'.
    dfsg = parsed.linux_dfsg
    self.version_dfsg = '0' if dfsg is None else dfsg

    upstream = parsed.upstream
    self.log('Using source name %s, version %s, dfsg %s\n' %
             (source_name, upstream, self.version_dfsg))

    self.orig = '%s-%s' % (source_name, upstream)
    self.orig_tar = '%s_%s.orig.tar.xz' % (source_name, upstream)
    self.tag = 'v' + parsed.linux_upstream_full
def __init__(self, input_tar, input_patch, override_version):
    """Work out the names used for the orig tarball and directory.

    The source name and version come from the first changelog entry.  A
    non-empty *override_version* replaces the changelog version after
    ``-undef`` is appended to it.
    """
    self.input_tar = input_tar
    self.input_patch = input_patch
    self.log = sys.stdout.write

    first_entry = Changelog(version=VersionLinux)[0]
    source_name = first_entry.source
    if override_version:
        parsed = VersionLinux('%s-undef' % override_version)
    else:
        parsed = first_entry.version

    # A version without a dfsg component is recorded as '0'.
    dfsg = parsed.linux_dfsg
    self.version_dfsg = '0' if dfsg is None else dfsg

    upstream = parsed.upstream
    self.log('Using source name %s, version %s, dfsg %s\n' %
             (source_name, upstream, self.version_dfsg))

    self.orig = '%s-%s' % (source_name, upstream)
    self.orig_tar = '%s_%s.orig.tar.gz' % (source_name, upstream)
def __init__(self, input_files, override_version):
    """Work out the names used for the orig tarball, directory and tag.

    The source name and version come from the first changelog entry.  A
    non-empty *override_version* replaces the changelog version after
    ``-undef`` is appended to it.
    """
    self.input_files = input_files
    self.log = sys.stdout.write

    first_entry = Changelog(version=VersionLinux)[0]
    source_name = first_entry.source
    if override_version:
        parsed = VersionLinux('%s-undef' % override_version)
    else:
        parsed = first_entry.version

    # A version without a dfsg component is recorded as '0'.
    dfsg = parsed.linux_dfsg
    self.version_dfsg = '0' if dfsg is None else dfsg

    upstream = parsed.upstream
    self.log('Using source name %s, version %s, dfsg %s\n' %
             (source_name, upstream, self.version_dfsg))

    self.orig = '%s-%s' % (source_name, upstream)
    self.orig_tar = '%s_%s.orig.tar.xz' % (source_name, upstream)

    # Tag name: '~' becomes '-', and a leading "X.Y.0" is shortened to "X.Y".
    tag_version = upstream.replace('~', '-')
    self.tag = 'v' + re.sub(r"^(\d+\.\d+)\.0", r"\1", tag_version)
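def sign(config_name, imageversion_str, modules_privkey_name,
         modules_cert_name, image_privkey_name, image_cert_name,
         mirror_url, suite, signer='sbsign', nss_dir=None, nss_token="",
         pin=""):
    """Sign the modules and EFI images of every flavour that enables signing.

    For each architecture, featureset and flavour whose merged build
    configuration sets ``signed-modules``, the unsigned image package is
    fetched with ``get_package`` and signature files are written below
    ``debian/signatures/<package name>``.  An existing
    ``debian/signatures`` tree is removed first.

    Args:
        config_name: Path of the configuration dump, opened in binary mode.
        imageversion_str: Version of the unsigned image packages; it must
            equal the configured source version once a trailing
            ``+b<digits>`` is removed.
        modules_privkey_name: Key name passed to ``sign_modules``; module
            signing is skipped when it is ``None`` or empty.
        modules_cert_name: Certificate name passed to ``sign_modules``.
        image_privkey_name: Key name passed to ``sign_image_efi``.
        image_cert_name: Certificate name passed to the image signer.
        mirror_url: Mirror passed to ``get_package``.
        suite: Suite passed to ``get_package``.
        signer: ``'sbsign'`` or ``'pesign'``.
        nss_dir: NSS directory passed to ``sign_image_efi_pesign``.
        nss_token: NSS token name passed to ``sign_image_efi_pesign``.
        pin: Token PIN.  Discarded for ``sbsign``; prompted for when empty
            and ``pesign`` is used with both *nss_dir* and *nss_token* set.

    Raises:
        AssertionError: If the configured source version does not match
            *imageversion_str*.
        Exception: If an image qualifies for signing and *signer* is
            neither ``'sbsign'`` nor ``'pesign'``.
    """
    config = ConfigCoreDump(fp=open(config_name, 'rb'))

    # Check current linux-support version.  Raised explicitly instead of
    # via ``assert`` so that the check guarding what gets signed is not
    # compiled away when Python is started with -O.
    source_version = config['version', ]['source']
    expected_version = re.sub(r'\+b\d+$', r'', imageversion_str)
    if source_version != expected_version:
        raise AssertionError(
            'config version %s does not match image version %s'
            % (source_version, expected_version))

    abiname = config['version', ]['abiname']
    imageversion = VersionLinux(imageversion_str)
    kbuild_dir = '/usr/lib/linux-kbuild-%s' % imageversion.linux_version

    # Start from an empty signature tree so stale signatures cannot survive.
    signature_dir = 'debian/signatures'
    if os.path.isdir(signature_dir):
        shutil.rmtree(signature_dir)

    if signer == "sbsign":
        pin = None

    # getpass prompts without echoing the PIN to the terminal.
    if (pin == "" and nss_dir is not None and nss_token != ""
            and signer == "pesign"):
        pin = getpass.getpass('Hardware token PIN:')

    for arch in config['base', ]['arches']:
        for featureset in config['base', arch].get('featuresets', ()):
            if not config.merge('base', None, featureset).get('enabled',
                                                              True):
                continue

            for flavour in config['base', arch, featureset]['flavours']:
                build_config = config.merge('build', arch, featureset,
                                            flavour)
                if not build_config.get('signed-modules', False):
                    continue

                kernelversion = '%s%s-%s' % (
                    abiname,
                    '' if featureset == 'none' else '-' + featureset,
                    flavour)
                package_name = 'linux-image-%s-unsigned' % kernelversion

                # NOTE(review): the fallback source is fetched over plain
                # HTTP.  Whether get_package authenticates what it
                # downloads (for example against signed archive metadata)
                # is not visible here; confirm it does, because the
                # package contents are signed below.
                try:
                    package_dir = get_package(
                        mirror_url, suite, package_name, imageversion_str,
                        arch)
                except MissingPackageError:
                    package_dir = get_package(
                        'http://incoming.debian.org/debian-buildd/',
                        'buildd-' + suite, package_name, imageversion_str,
                        arch)

                # Shrink the heap before we start forking children
                gc.collect()

                signature_dir = os.path.join('debian/signatures',
                                             package_name)
                os.makedirs(signature_dir)
                if modules_privkey_name:
                    sign_modules(
                        kbuild_dir,
                        '%s/lib/modules/%s' % (package_dir, kernelversion),
                        '%s/lib/modules/%s' % (signature_dir, kernelversion),
                        modules_privkey_name, modules_cert_name, pin)

                # Currently we can only sign kernel images built with an
                # EFI stub, which has space for an embedded signature.
                kconfig_path = os.path.join(
                    package_dir, 'boot/config-%s' % kernelversion)
                with open(kconfig_path) as kconfig_file:
                    kconfig = kconfig_file.readlines()

                # Besides the EFI stub, one of these Secure Boot options
                # must be enabled for the image to be signed.
                secure_boot_options = (
                    'CONFIG_EFI_SECURE_BOOT_SECURELEVEL=y\n',
                    'CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y\n',
                    'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n',
                )
                if ('CONFIG_EFI_STUB=y\n' in kconfig
                        and any(option in kconfig
                                for option in secure_boot_options)):
                    image_path = '%s/boot/vmlinuz-%s' % (
                        package_dir, kernelversion)
                    image_sig_path = '%s/boot/vmlinuz-%s.sig' % (
                        signature_dir, kernelversion)
                    if signer == 'sbsign':
                        sign_image_efi(
                            image_path, image_sig_path,
                            image_privkey_name, image_cert_name)
                    elif signer == 'pesign':
                        sign_image_efi_pesign(
                            image_path, image_sig_path,
                            nss_dir, image_cert_name, nss_token, pin)
                    else:
                        raise Exception('unknown signer')

    print(
        'Signatures should be committed: git add debian/signatures && git commit'
    )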