diff --git a/debian/control.in b/debian/control.in index 515eaae..24d7f12 100644 --- a/debian/control.in +++ b/debian/control.in @@ -79,6 +79,13 @@ Description: Proxmox Kernel debug image to analyze kernel crashes. This package also contains the proxmox-kernel modules in their unstripped version. +Package: proxmox-kernel-@KVNAME@-signed-template +Architecture: amd64 +Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev +Description: Template for signed kernel package + This package is used to control code signing by the Proxmox signing + service. + Package: proxmox-kernel-libc-dev Section: devel Priority: optional diff --git a/debian/rules b/debian/rules index 80e1906..463aea2 100755 --- a/debian/rules +++ b/debian/rules @@ -21,6 +21,8 @@ PMX_KERNEL_SERIES_PKG=proxmox-kernel-$(KERNEL_MAJMIN) PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym PMX_HEADER_PKG=proxmox-headers-$(KVNAME) PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev +PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template +PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/') LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN) KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp 
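Review bot: `PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')` in the debian/rules hunk is expanded immediately, so it is only correct if `DEB_VERSION` is already assigned above line 21; if it comes from an `include` further down the file (not visible here), the value is empty and every later `@PKG_VERSION@`/changelog substitution silently gets an empty string. Worth confirming the definition order, or guarding with `$(if $(strip $(DEB_VERSION)),,$(error DEB_VERSION is not set))` right after the assignment. As a point of style, the two new lines use `${KVNAME}`/`${DEB_VERSION}` while every neighbouring line in this file writes `$(KVNAME)`; keeping one form makes grepping for variable uses reliable.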
@@ -117,6 +119,17 @@ debian/control: $(wildcard debian/*.in) chmod +x debian/$(PMX_HEADER_PKG).postinst sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control + # signing-template + sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog + sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control + sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json + sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm + sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst + rm debian/signing-template/*.in + cp debian/SOURCE debian/signing-template/ + build: .compile_mark .tools_compile_mark .modules_compile_mark install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark 
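Review bot: `rm debian/signing-template/*.in` at the end of the `debian/control` recipe deletes the tracked inputs this commit adds (control.in, files.json.in, rules.in), so the target can only succeed once per checkout and a second run fails on the missing templates; generate the expanded files under a scratch directory (or into the staging tree built in the next hunk) and drop the `rm`. Related, the prerequisite `$(wildcard debian/*.in)` does not cover the new directory, so edits to signing-template/*.in never trigger regeneration: `debian/control: $(wildcard debian/*.in debian/signing-template/*.in)`. The changelog is rewritten to `${PMX_KERNEL_SIGNED_VERSION}` while rules.in receives `@PKG_VERSION@` = `${DEB_VERSION}`, which the template later passes to `dh_gencontrol -- -v`; if the signed package is meant to carry the `+` version, both should use the same variable, otherwise a short comment explaining the deliberate difference would help the next reader. The generated `rules` also needs `chmod +x debian/signing-template/rules`, matching the existing `chmod +x` for the headers postinst two lines above.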
@@ -195,6 +208,22 @@ endif cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build + + # copy signing template contents + rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG} + mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian + cp -R debian/copyright \ + debian/signing-template/rules \ + debian/signing-template/control \ + debian/signing-template/source \ + debian/signing-template/changelog \ + debian/signing-template/prerm \ + debian/signing-template/postrm \ + debian/signing-template/postinst \ + debian/signing-template/SOURCE \ + debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian + cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/ + touch $@ .tools_compile_mark: .compile_mark diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in new file mode 100644 index 0000000..46b5b7a --- /dev/null +++ b/debian/signing-template/control.in 
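Review bot: The `cp -R` block copies `debian/signing-template/rules` into `source-template/debian/` with whatever mode sed gave it when it was generated (normally 0644), and `cp -R` does not add an execute bit, so the resulting `debian/rules` is not executable and dpkg-buildpackage will refuse to run it unless the signing service repairs permissions itself; add `chmod +x debian/signing-template/rules` before the copy (or `install -m 0755` for that one file). The enclosing recipe starts outside this hunk (the trailing `touch $@` suggests a stamp target). The long `debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}` path is spelled out three times; a single variable such as `PMX_SIGNING_TEMPLATE_DIR := debian/$(PMX_KERNEL_SIGNING_TEMPLATE_PKG)/usr/share/code-signing/$(PMX_KERNEL_SIGNING_TEMPLATE_PKG)` would keep the `rm -rf`, `mkdir -p` and both `cp` lines in sync.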
@@ -0,0 +1,25 @@ +Source: proxmox-kernel-signed-@KVMAJMIN@ +Section: kernel +Priority: optional +Maintainer: Proxmox Support Team +Standards-Version: 4.2.0 +Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@) +Rules-Requires-Root: no +Vcs-Git: git://git.proxmox.com/git/pve-kernel +Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git + +Package: proxmox-kernel-@KVNAME@-signed +Section: admin +Priority: optional +Architecture: any +Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@ +Depends: ${unsigned:Depends}, ${misc:Depends} +Recommends: ${unsigned:Recommends} +Suggests: ${unsigned:Suggests} +Breaks: ${unsigned:Breaks} +Conflicts: proxmox-kernel-@KVNAME@ +Replaces: proxmox-kernel-@KVNAME@ +Description: ${unsigned:DescriptionShort} (signed) + ${unsigned:DescriptionLong} + . + This package contains the kernel image signed by the Proxmox Secure Boot CA. diff --git a/debian/signing-template/files.json.in b/debian/signing-template/files.json.in new file mode 100644 index 0000000..0fdd61c --- /dev/null +++ b/debian/signing-template/files.json.in @@ -0,0 +1,13 @@ +{ + "packages": { + "proxmox-kernel-@KVNAME@": { + "trusted_certs": [], + "files": [ + { + "sig_type": "efi", + "file": "boot/vmlinuz-@KVNAME@" + } + ] + } + } +} diff --git a/debian/signing-template/rules.in b/debian/signing-template/rules.in new file mode 100644 index 0000000..2f4ef1a --- /dev/null +++ b/debian/signing-template/rules.in 
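Review bot: `Architecture: any` on the signed binary package does not match `Provides: linux-image-@KVNAME@-amd64` two lines below, nor the `Architecture: amd64` declared for the template package in debian/control.in; since the image and modules it ships are amd64-only, `Architecture: amd64` is the consistent choice and stops the package from being attempted on other architectures. The `Maintainer:` line shows no e-mail address; if that is only an artefact of how the page was rendered it can be ignored, otherwise lintian will reject it. In files.json.in, `"trusted_certs": []` may be intentional, but a one-line comment in rules.in or the commit message stating what the signing service does with an empty list would save the next maintainer from guessing.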
@@ -0,0 +1,58 @@ +#!/usr/bin/make -f + +SHELL := bash -e + +export DH_OPTIONS + +include /usr/share/dpkg/architecture.mk + +KERNEL_VERSION=@KVNAME@ +IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION) +PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed +PACKAGE_VERSION=@PKG_VERSION@ +PACKAGE_DIR=debian/$(PACKAGE_NAME) +SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME} + +build: build-arch build-indep +build-arch: +build-indep: + +clean: + dh_testdir + dh_clean + +binary: binary-arch binary-indep +binary-arch: + dh_testdir + mkdir -p $(PACKAGE_DIR)/boot + rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/ + if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \ + sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ + $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ + else \ + echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \ + false; \ + fi + mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION) + rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/ + mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/ + cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/ + dh_install + dh_installchangelogs + dh_installdocs -A debian/copyright debian/SOURCE + dh_lintian + dh_compress + dh_fixperms + dh_installdeb + # Copy most package relations and description from unsigned package + for field in Depends Suggests Recommends Breaks; do \ + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \ + done + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)" + echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')" + 
dh_gencontrol -- -v$(PACKAGE_VERSION) + dh_md5sums + dh_builddeb +binary-indep: + +.PHONY: build build-arch build-indep clean binary binary-arch binary-indep diff --git a/debian/signing-template/source/format b/debian/signing-template/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/signing-template/source/format @@ -0,0 +1 @@ +3.0 (native)
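Review bot: `rsync -ar /lib/modules/$(KERNEL_VERSION)/ …` and the `rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),…)` line in `binary-arch` assemble the signed package from the build host's live filesystem rather than from the pinned unsigned package, so anything else present under that modules directory on the builder (DKMS-built modules, `build`/`source` links, leftovers from an earlier install) is shipped in a package that `Provides`/`Replaces` the unsigned kernel; taking the file list from the package (`dpkg-query -L $(IMAGE_PACKAGE_NAME)`) or extracting the downloaded .deb with `dpkg-deb -x` would make the contents reproducible from the build-dependency alone. After `sbattach --attach`, nothing checks that the attached signature actually verifies against the image; a `sbverify --cert <PROXMOX-SB-CA-CERT-PATH> $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION)` step (the certificate path is not on this page) would fail the build on a mismatched or truncated .sig instead of shipping an image that Secure Boot later rejects. The `cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf` line has the same host-filesystem dependency as the rsync calls.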