c/pve-kernel-lowlatency-qoup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: c:master
Branches Tags
c:master
c:pve-kernel-5.15
c:bookworm-6.5
c:bullseye-6.2
c:bookworm-6.2
c:wip-secureboot
c:pve-kernel-5.19
c:pve-kernel-5.4
c:pve-kernel-5.13
c:pve-kernel-5.11
c:buster-pve-kernel-5.11
c:pve-kernel-4.15
c:pve-kernel-5.3
c:pve-kernel-5.0
c:pve-kernel-4.13
c:pve-kernel-4.10
...
pull from: c:wip-secureboot
Branches Tags
c:master
c:pve-kernel-5.15
c:bookworm-6.5
c:bullseye-6.2
c:bookworm-6.2
c:wip-secureboot
c:pve-kernel-5.19
c:pve-kernel-5.4
c:pve-kernel-5.13
c:pve-kernel-5.11
c:buster-pve-kernel-5.11
c:pve-kernel-4.15
c:pve-kernel-5.3
c:pve-kernel-5.0
c:pve-kernel-4.13
c:pve-kernel-4.10

4 Commits
master ... wip-secure

Author SHA1 Message Date
Fabian Grünbichler
78a1b94540 WIP: bump version 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2023-04-05 10:17:06 +02:00
Fabian Grünbichler
14107dc511 build: add pve-kernel-X.Y-pve-signed-template 
the signed template together with the binary package(s) containing the unsigned
files form the input to our secure boot signing service.

the signed template consists of
- files.json (specifying which files are signed how and by which key)
- packaging template used to build the signed package(s)

the signing service
- extracts and checks the signed-template binary package
- extracts the unsigned package(s)
- signs the needed files
- packs up the signatures + the template contained in the signed-template
  package into the signed source package

the signed source package can then be built in the regular fashion (in case of
the kernel packages, it will copy the kernel image, modules and some helper
files from the unsigned package, attach the signature created by the signing
service, and re-pack the result as signed-kernel package).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2023-04-05 10:16:11 +02:00
Fabian Grünbichler
e7d49e787a add Proxmox UEFI certificates 
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2023-04-05 10:15:43 +02:00
Fabian Grünbichler
360ed44476 build: sign modules and set trust anchor/lockdown 
this is required for secure boot support.

at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
 2023-03-17 12:00:11 +01:00
10 changed files with 237 additions and 7 deletions
Show Stats Expand all files Collapse all files

4
Makefile
View File

@ -4,9 +4,9 @@ KERNEL_MIN=2
KERNEL_PATCHLEVEL=6 KERNEL_PATCHLEVEL=6
# increment KREL if the ABI changes (abicheck target in debian/rules) # increment KREL if the ABI changes (abicheck target in debian/rules)
# rebuild packages with new KREL and run 'make abiupdate' # rebuild packages with new KREL and run 'make abiupdate'
KREL=1 KREL=2
PKGREL=1 PKGREL=2~secureboot1
KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN) KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL) KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)

37
debian/certs/proxmox-uefi-ca.pem vendored Normal file
View File

@ -0,0 +1,37 @@
-----BEGIN CERTIFICATE-----
MIIGbjCCBFagAwIBAgIUTVo8veNlt0qzt14J+H2mhEB2SNUwDQYJKoZIhvcNAQEL
BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
eG1veC5jb20wHhcNMjMwMzA2MTM1MTM0WhcNMzMwMzAzMTM1MTM0WjCBkzELMAkG
A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEXMBUGA1UEAwwOU2Vj
dXJlIEJvb3QgQ0ExITAfBgkqhkiG9w0BCQEWEm9mZmljZUBwcm94bW94LmNvbTCC
AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ59mP8gRLqsA6P53ejy0wMk
0qLlICtDkPXsJoi4QRHjlPErxXv5zsZ4WqSG2bQ8EW95FAf8EOF6ge+G17neYt1w
DmlvHzLBfqTJj5EBRgVjdWOjX3AkS/elOyzHdq4rKOteUSpQlMP4ub2cAUdy/8rp
ouTbduttNv8mymAO89/kbXCEmKFiRS+av+hykFFyXH/KTRa2QnvLVadMEkmtA+vm
+yQhYWCTD8hdisa1o3dKM0Z2l8LyzfIOsVXcwHHB7AhtR4tbLR9Tz2p/m9Gz//vj
82dBaChh6kxIMZ8kACP28dA561R2P6ZcjzLSJ0Tq5e4tiW9SNEzuTYKTRvFeQoQh
4usDdSF3ifXDuimShpv8Yaf4fntyIaUfnm6H5tvNr9b9Rw6ZL200LV5VugQ1EpfE
F0+c3LQfurwT7svISgXSY62Fe/TiHFANOVXM5j3/Dr2ktKyce7BUGN4ewpWPvP99
io+rdd4bTReuDh8j0nhsSdYKfvuOmvQpgL8Smzno54/hdpuO6cv+slCr1ApDexl8
gAPPwCZRsH7aPc92g+YPzDm3k77RqkCXPA19KKQLYKvL7a+H3rnqgO81CdGFPHOz
I5UruKLLeDGAWR0bo0JqDMEL8/oPh9IvGo8lFcTros0NEof6A7p8SGmxM2NodTo9
spDVs84xDPlp4yX4u8A9AgMBAAGjgbcwgbQwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAYYwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHQYDVR0OBBYEFLXxsR5I
LbWGkynLl1qjUgX4cs16MB8GA1UdIwQYMBaAFLXxsR5ILbWGkynLl1qjUgX4cs16
MB0GA1UdEQQWMBSBEm9mZmljZUBwcm94bW94LmNvbTAdBgNVHRIEFjAUgRJvZmZp
Y2VAcHJveG1veC5jb20wDQYJKoZIhvcNAQELBQADggIBAAUGWTt792ibVtE9yKgq
9YtmybKGWjDHdMKl5AcnxLD60z7cEgcUBpEXaUbTzic5rz7fYhUM29LZkF8NIA2a
rzrF0w+J1zZZKG2VvTWmdgynNNKQ/iTRbhgSZ94hEWOwumlEW4O6HwUN+VYFx8wf
jvyWc1K6cdCc70IeC5POjYTlXKPoDq8ysPMLhxm7dsk7DDWcR0siMbYqGLLK5cJB
lZE+9Q3Nj/q4m3odjK1ILrDGKqWWJgxopE21e903Ej+TNw+TduXygHqwVloEXUi4
clmMMwCfhEBI9Vuy0+QSLxvrHKbwYpWd59RBQEsUubi8sT8Oh7njgmEd/Pf9uD7U
1Rd9I+1MkNOZXyoyvaJQl9NZ9RpyG+ZbeQoFcL2CeCy0jJQQSilI5k4RtiDrGn6R
GxlRL/FTvGWBkQGNwvoeFwD6i7zYainf1Z7f1Dh83MxKarxpAwX61K+rHpvAvjN/
Hd4dslj5C+p188FnGaqiFlFAgVcF//F+yZFGYu1sTIQJ5f0C3LiFLeQYi3SPTf0L
wk78eHgo6x1cIOM3/Ct4mflHBxnrfOJ9YdEAn2MklpDT5dif+9+zpN1myCQn4HoW
OgoWIacSuvuFczHTQf2IX4ZEEE5SZwE31f7E0cqjgXmwbz1a81UMZHzvr71rDeWi
oRgE3Pe1htzpOmw5Ygvjtn8k
-----END CERTIFICATE-----

37
debian/certs/proxmox-uefi-signer-2023.pem vendored Normal file
View File

@ -0,0 +1,37 @@
-----BEGIN CERTIFICATE-----
MIIGbzCCBFegAwIBAgIUakjebPHbd0vTEj9dEa3OF+gioGMwDQYJKoZIhvcNAQEL
BQAwgZMxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIDAZWaWVubmExDzANBgNVBAcMBlZp
ZW5uYTEmMCQGA1UECgwdUHJveG1veCBTZXJ2ZXIgU29sdXRpb25zIEdtYkgxFzAV
BgNVBAMMDlNlY3VyZSBCb290IENBMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJv
eG1veC5jb20wHhcNMjMwMzA2MTQwNTI1WhcNMjcwNDE0MTQwNTI1WjCBmjELMAkG
A1UEBhMCQVQxDzANBgNVBAgMBlZpZW5uYTEPMA0GA1UEBwwGVmllbm5hMSYwJAYD
VQQKDB1Qcm94bW94IFNlcnZlciBTb2x1dGlvbnMgR21iSDEeMBwGA1UEAwwVU2Vj
dXJlIEJvb3QgU2lnbiAyMDIzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAcHJveG1v
eC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJGReH5i3aihb/
frdbzzNueHBt7DC9W2/GXYf0wfl8izCXz2SYM/UIZavbpzF2uhgxli3Dj4M0FyR2
oTKRseWyy+YMiwuhQcqCw0KRS6uOUiGjOtPHsEqDFO6DP8d1gNjYkF0jzY/CNf0N
5Sc+w8jknQJgZ9G1RGcC2ihZATx2pgG9nYA30Op8qHyhcF2KrUmh8wpXky21u0Ja
0/whsNFNSfQrvosgUroxLd2TvBdcBJu3SXt0B15jfY4Qssjmwgfs/oU8YGaAYnIp
PLJRqzho/kpDA3PH2lsgxv5BJHQgDuODLj3Q3dx09C71Qdb3FlQ6z9hIdFUoPrvC
kUpZ5lEwGUyvFZtJJQvGm/1BpDj1G7P8lqODyfkJ4c77XoH7M9z945HmxrfAyjP7
9Jk8NXA9bSy+ygPHPHlTLEc10HKvk/SRg/sGGUveTr9C6rObfP8EmvXogpS46xSn
W9s2vFSVFyOBvLpdIhU91McBFinvQaqY0r2XTNrsU3Zp5YG3z6hh6BOLCpD/pixc
BQyfT8wGeI59dobVSSrWqt+1vNxO02I5t7Mlam687Ix1e3C/nk7+i44WMcmB8n+x
Dq/v/L+UJlQ75u2dsaAiYUrGcsHQWAZ34oIAfec9qCgG+OLTwobwXXiOlaWiO51n
0xCQ4ePK+vZuDxRHaXL7hOxFCe3iKwIDAQABo4GxMIGuMB0GA1UdDgQWBBRr/2t+
Hu0KTVTbNhd31p7aJH15IjAfBgNVHSMEGDAWgBS18bEeSC21hpMpy5dao1IF+HLN
ejAdBgNVHREEFjAUgRJvZmZpY2VAcHJveG1veC5jb20wHQYDVR0SBBYwFIESb2Zm
aWNlQHByb3htb3guY29tMAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
AwMwCwYDVR0PBAQDAgbAMA0GCSqGSIb3DQEBCwUAA4ICAQBYmLgWPJSK/pP/CkZE
iYttW1Vd0Wm4DeZVSyUh2c9AI+A+IT5otEXjCflU8sYU4vm0eEtNwhmGdVf8oZe4
tS/2eFawDAqEQ8xMsinbMJoqvcYx9uEZPiOOo3GS2YjfUy03Q3BAOV3rMFOjP4y+
dfYF3IWnKQxvUV0wapRyDbT62plKt4UCtBagUPcm838YRD6ax+4yK/5sojMQM1IW
2yGgEz8jeCyPI19Ots2RBZTJU2BZ1QqRPLybvLfsENtKgKqOE14BEp6WqtYBaj89
QZD4tbP9Mqcmnj8AfG89pb1Fj6tq0MLZsboF6i0J7uuQ6CKkb5ksQhLODLMwAZi1
1EAgWk5btwj6ZvoOHFOjAXGJ13tmUeYt/Zipyy/ie+5LSEdFevQ+zmZzsglfX3QK
6skoBpHs3kLcuPsoe8uhCvn/b22lHkFdYYkIwIUQFPJgdvBzD8LYHnD8P60UdsQO
vSSt9qzsq04DCEjwhmNJUeddL9ESGNL8vgpB9GvNjFEq6QMncELkdXDoAeqGFolE
/dj+8sVq+34plRsvD1GDDx70UWk0ZtQlvhqDJ0kxeT+yYASrwLoujK44SLq8cMJr
JYxDoxFOy5MSw+EzEXTP9LLkYNdPv/nzPbEz3lEctczyOgBWr22272Kdv3QCHBdP
v4+vFbHnrXmu8cC9T45r2aX3rQ==
-----END CERTIFICATE-----

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
pve-kernel (6.2.6-2~secureboot1) bullseye; urgency=medium
* test build with lockdown, trusted key and module signing
-- Proxmox Support Team <support@proxmox.com> Thu, 16 Mar 2023 14:56:01 +0100
pve-kernel (6.2.6-1) bullseye; urgency=medium pve-kernel (6.2.6-1) bullseye; urgency=medium
* update to Ubuntu-6.2.0-17.17 based on 6.2.6 * update to Ubuntu-6.2.0-17.17 based on 6.2.6

7
debian/control.in vendored
View File

@ -80,6 +80,13 @@ Description: Proxmox Kernel debug image
to analyze kernel crashes. This package also contains the pve-kernel modules to analyze kernel crashes. This package also contains the pve-kernel modules
in their unstripped version. in their unstripped version.
Package: pve-kernel-@KVNAME@-signed-template
Architecture: amd64
Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
Description: Template for signed kernel package
This package is used to control code signing by the Proxmox signing
service.
Package: pve-kernel-libc-dev Package: pve-kernel-libc-dev
Section: devel Section: devel
Priority: optional Priority: optional

56
debian/rules vendored
View File

@ -18,6 +18,8 @@ PVE_KERNEL_PKG=pve-kernel-${KVNAME}
PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym PVE_DEBUG_KERNEL_PKG=pve-kernel-${KVNAME}-dbgsym
PVE_HEADER_PKG=pve-headers-${KVNAME} PVE_HEADER_PKG=pve-headers-${KVNAME}
PVE_USR_HEADER_PKG=pve-kernel-libc-dev PVE_USR_HEADER_PKG=pve-kernel-libc-dev
PVE_KERNEL_SIGNING_TEMPLATE_PKG=pve-kernel-${KVNAME}-signed-template
PVE_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN} LINUX_TOOLS_PKG=linux-tools-${KERNEL_MAJMIN}
KERNEL_SRC_COPY=${KERNEL_SRC}_tmp KERNEL_SRC_COPY=${KERNEL_SRC}_tmp
@ -51,7 +53,13 @@ PVE_CONFIG_OPTS= \
-e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \ -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
-e CONFIG_SYSFB_SIMPLEFB \ -e CONFIG_SYSFB_SIMPLEFB \
-e CONFIG_DRM_SIMPLEDRM \ -e CONFIG_DRM_SIMPLEDRM \
-d CONFIG_MODULE_SIG \ -e CONFIG_MODULE_SIG \
-e CONFIG_MODULE_SIG_ALL \
-e CONFIG_MODULE_SIG_FORMAT \
--set-str CONFIG_MODULE_SIG_HASH sha512 \
--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
-e CONFIG_MODULE_SIG_SHA512 \
-d CONFIG_MEMCG_DISABLED \ -d CONFIG_MEMCG_DISABLED \
-e CONFIG_MEMCG_SWAP_ENABLED \ -e CONFIG_MEMCG_SWAP_ENABLED \
-e CONFIG_HYPERV \ -e CONFIG_HYPERV \
@ -82,11 +90,11 @@ PVE_CONFIG_OPTS= \
-d CONFIG_UNWINDER_ORC \ -d CONFIG_UNWINDER_ORC \
-d CONFIG_UNWINDER_GUESS \ -d CONFIG_UNWINDER_GUESS \
-e CONFIG_UNWINDER_FRAME_POINTER \ -e CONFIG_UNWINDER_FRAME_POINTER \
--set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\ --set-str CONFIG_SYSTEM_TRUSTED_KEYS "../debian/certs/combined.pem"\
--set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\ --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
-d CONFIG_SECURITY_LOCKDOWN_LSM \ -e CONFIG_SECURITY_LOCKDOWN_LSM \
-d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \ -e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
--set-str CONFIG_LSM yama,integrity,apparmor \ --set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
-e CONFIG_PAGE_TABLE_ISOLATION -e CONFIG_PAGE_TABLE_ISOLATION
debian/control: $(wildcard debian/*.in) debian/control: $(wildcard debian/*.in)
@ -100,6 +108,20 @@ debian/control: $(wildcard debian/*.in)
chmod +x debian/${PVE_HEADER_PKG}.postinst chmod +x debian/${PVE_HEADER_PKG}.postinst
sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/${KERNEL_MAJMIN}/g' < debian/control.in > debian/control
# combine trusted certificates
cat debian/certs/*.pem > debian/certs/combined.pem
# signing-template
sed -e '1 s/pve-kernel/pve-kernel-signed/' -e '1 s/${DEB_VERSION}/${PVE_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.prerm.in > debian/signing-template/prerm
sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postrm.in > debian/signing-template/postrm
sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/pve-kernel.postinst.in > debian/signing-template/postinst
rm debian/signing-template/*.in
cp debian/SOURCE debian/signing-template/
build: .compile_mark .tools_compile_mark .modules_compile_mark build: .compile_mark .tools_compile_mark .modules_compile_mark
install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
@ -161,6 +183,14 @@ endif
# strip debug info # strip debug info
find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
# sign modules using ephemeral, embedded key
if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
find debian/${PVE_KERNEL_PKG}/lib/modules -name \*.ko -print | while read f ; do \
./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
done; \
rm ./ubuntu-kernel/certs/signing_key.pem ; \
fi
# finalize # finalize
/sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME} /sbin/depmod -b debian/${PVE_KERNEL_PKG}/ ${KVNAME}
# Autogenerate blacklist for watchdog devices (see README) # Autogenerate blacklist for watchdog devices (see README)
@ -170,6 +200,22 @@ endif
cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/${PVE_KERNEL_PKG}/lib/modprobe.d/blacklist_${PVE_KERNEL_PKG}.conf
rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/source
rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build rm -f debian/${PVE_KERNEL_PKG}/lib/modules/${KVNAME}/build
# copy signing template contents
rm -rf debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}
mkdir -p debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
cp -R debian/copyright \
debian/signing-template/rules \
debian/signing-template/control \
debian/signing-template/source \
debian/signing-template/changelog \
debian/signing-template/prerm \
debian/signing-template/postrm \
debian/signing-template/postinst \
debian/signing-template/SOURCE \
debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
cp debian/signing-template/files.json debian/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PVE_KERNEL_SIGNING_TEMPLATE_PKG}/
touch $@ touch $@
.tools_compile_mark: .compile_mark .tools_compile_mark: .compile_mark

25
debian/signing-template/control.in vendored Normal file
View File

@ -0,0 +1,25 @@
Source: pve-kernel-signed
Section: kernel
Priority: optional
Maintainer: Proxmox Support Team <support@proxmox.com>
Standards-Version: 4.2.0
Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, pve-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
Rules-Requires-Root: no
Vcs-Git: git://git.proxmox.com/git/pve-kernel
Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
Package: pve-kernel-@KVNAME@-signed
Section: admin
Priority: optional
Architecture: any
Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
Depends: ${unsigned:Depends}, ${misc:Depends}
Recommends: ${unsigned:Recommends}
Suggests: ${unsigned:Suggests}
Breaks: ${unsigned:Breaks}
Conflicts: pve-kernel-@KVNAME@
Replaces: pve-kernel-@KVNAME@
Description: ${unsigned:DescriptionShort} (signed)
${unsigned:DescriptionLong}
.
This package contains the kernel image signed by the Proxmox Secure Boot CA.

13
debian/signing-template/files.json.in vendored Normal file
View File

@ -0,0 +1,13 @@
{
"packages": {
"pve-kernel-@KVNAME@": {
"trusted_certs": [],
"files": [
{
"sig_type": "efi",
"file": "boot/vmlinuz-@KVNAME@"
}
]
}
}
}

58
debian/signing-template/rules.in vendored Normal file
View File

@ -0,0 +1,58 @@
#!/usr/bin/make -f
SHELL := bash -e
export DH_OPTIONS
include /usr/share/dpkg/architecture.mk
KERNEL_VERSION=@KVNAME@
IMAGE_PACKAGE_NAME=pve-kernel-$(KERNEL_VERSION)
PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
PACKAGE_VERSION=@PKG_VERSION@
PACKAGE_DIR=debian/$(PACKAGE_NAME)
SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
build: build-arch build-indep
build-arch:
build-indep:
clean:
dh_testdir
dh_clean
binary: binary-arch binary-indep
binary-arch:
dh_testdir
mkdir -p $(PACKAGE_DIR)/boot
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
else \
echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
false; \
fi
mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
dh_install
dh_installchangelogs
dh_installdocs -A debian/copyright debian/SOURCE
dh_lintian
dh_compress
dh_fixperms
dh_installdeb
# Copy most package relations and description from unsigned package
for field in Depends Suggests Recommends Breaks; do \
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
done
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
dh_gencontrol -- -v$(PACKAGE_VERSION)
dh_md5sums
dh_builddeb
binary-indep:
.PHONY: build build-arch build-indep clean binary binary-arch binary-indep

1
debian/signing-template/source/format vendored Normal file
View File

@ -0,0 +1 @@
3.0 (native)