the signed template together with the binary package(s) containing the unsigned
files form the input to our secure boot signing service.
the signed template consists of
- files.json (specifying which files are signed how and by which key)
- packaging template used to build the signed package(s)
the signing service
- extracts and checks the signed-template binary package
- extracts the unsigned package(s)
- signs the needed files
- packs up the signatures + the template contained in the signed-template
package into the signed source package
the signed source package can then be built in the regular fashion (in case of
the kernel packages, it will copy the kernel image, modules and some helper
files from the unsigned package, attach the signature created by the signing
service, and re-pack the result as signed-kernel package).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
long overdue, and avoids the issue of the meta packages version going down
after being folded in from the pve-kernel-meta repository.
the ABI needs to be bumped for every published kernel package now that modules
are signed, else the booted kernel image containing the public part of the
ephemeral signing key, and the on-disk (potentially upgraded in-place) signed
module files can disagree, and module loading would fail.
not changed (yet): git repository name, pve-firmware
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
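The commit above relies on every shipped module carrying a signature that the booted kernel's built-in (ephemeral) key can verify. As an added example, not code from the pve-kernel repository or from these commits, the following Python script parses the trailer that the kernel's scripts/sign-file appends to a signed .ko (module body, PKCS#7 blob, 12-byte struct module_signature, then the "~Module signature appended~" magic) so an operator can inventory which on-disk modules are signed at all. The sample module bytes and the PKCS#7 blob are constructed placeholders, not real ELF or DER data.

```python
import struct
from typing import Optional

# Trailer layout written by scripts/sign-file:
#   <module ELF> <signer> <key id> <signature> <struct module_signature> <magic>
MODULE_SIG_MAGIC = b"~Module signature appended~\n"

# struct module_signature (include/linux/module_signature.h), 12 bytes:
#   u8 algo, hash, id_type, signer_len, key_id_len, __pad[3]; __be32 sig_len
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type used by sign-file; signer and key_id are then empty


def parse_module_signature(data: bytes) -> Optional[dict]:
    """Return the trailer fields of a .ko image, or None if it is unsigned."""
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    body = data[: -len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_INFO.size:
        raise ValueError("truncated module signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:]
    )
    payload_end = len(body) - SIG_INFO.size
    if signer_len + key_id_len + sig_len > payload_end:
        raise ValueError("signature lengths exceed file size")
    sig_start = payload_end - sig_len
    key_id_start = sig_start - key_id_len
    signer_start = key_id_start - signer_len
    return {
        "algo": algo,
        "hash": hash_,
        "id_type": id_type,
        "signer": body[signer_start:key_id_start],
        "key_id": body[key_id_start:sig_start],
        "signature": body[sig_start:payload_end],
        "module_len": signer_start,  # length of the ELF object without trailer
    }


def build_signed_module(module: bytes, pkcs7_blob: bytes) -> bytes:
    """Append a PKCS#7-style trailer in sign-file's layout (used for the sample)."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_blob))
    return module + pkcs7_blob + info + MODULE_SIG_MAGIC


def unsigned_modules(modules: dict) -> list:
    """Names of modules (name -> file bytes) that carry no signature trailer."""
    return sorted(
        name for name, data in modules.items() if parse_module_signature(data) is None
    )


# Constructed sample data: neither a real ELF object nor a real PKCS#7 signature.
FAKE_MODULE_BODY = b"\x7fELF" + b"\x00" * 60 + b"constructed module body"
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 252  # DER-looking placeholder
SAMPLE_SIGNED_MODULE = build_signed_module(FAKE_MODULE_BODY, FAKE_PKCS7)
SAMPLE_UNSIGNED_MODULE = FAKE_MODULE_BODY


if __name__ == "__main__":
    import sys

    # Usage: python3 modsig.py /lib/modules/$(uname -r)/kernel/**/*.ko
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = parse_module_signature(f.read())
        if info is None:
            print(f"{path}: unsigned")
        else:
            print(f"{path}: signed, id_type={info['id_type']}, "
                  f"sig_len={len(info['signature'])}")
```

The script only tells you whether a trailer is present and how it is laid out; verifying the PKCS#7 blob against the key compiled into the running kernel happens in the kernel at load time, and `modinfo <module>` (which prints the signer, sig_key and sig_hashalgo fields) is the quickest cross-check for a single module. If the booted image and the on-disk modules come from different builds, as the commit message describes, the trailer will still be present but the kernel will reject it.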
lintian rightfully errors out on this one, makes no sense to depend
on an implementation detail of the perl packaging ecosystem.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
This is provided by both initramfs-tools and dracut.
Required to be able to use dracut in place of
initramfs-tools.
Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
pve-headers-$(uname -r) is equivalent to
linux-headers-$(uname -r)-amd64
pve-kernel-$(uname -r) is equivalent to
linux-image-$(uname -r)-amd64
By adding a provides this should help users running
`apt install linux-headers-$(uname -r)-amd64` which is commonly
suggested in install instructions for third-party kernel-drivers on
plain debian.
Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
used for compressing the kernel image, build fails if not installed.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Acked-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
needed for it to be a proper replacement for linux-libc-dev when
resolving dependencies, such as for liburing-dev
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
and put them into a new -dbgsym package for usage with
crash/kdump-tools/...
fixes #3465, and now allows to do the following (after installing
and configuring kdump-tools to collect kernel crash dumps) when the
system crashes:
$ apt install pve-kernel-5.11.21-1-dbgsym
$ crash /usr/lib/debug/boot/vmlinux-5.11.21-1-pve /var/crash/202106151236/dump.202106151236
crash 7.2.9
Copyright (C) 2002-2020 Red Hat, Inc.
Copyright (C) 2004, 2005, 2006, 2010 IBM Corporation
Copyright (C) 1999-2006 Hewlett-Packard Co
Copyright (C) 2005, 2006, 2011, 2012 Fujitsu Limited
Copyright (C) 2006, 2007 VA Linux Systems Japan K.K.
Copyright (C) 2005, 2011 NEC Corporation
Copyright (C) 1999, 2002, 2007 Silicon Graphics, Inc.
Copyright (C) 1999, 2000, 2001, 2002 Mission Critical Linux, Inc.
This program is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. Enter "help copying" to see the conditions.
This program has absolutely no warranty. Enter "help warranty" for details.
GNU gdb (GDB) 7.6
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu"...
WARNING: kernel relocated [812MB]: patching 136336 gdb minimal_symbol values
KERNEL: /usr/lib/debug/boot/vmlinux-5.11.21-1-pve
DUMPFILE: /var/crash/202106151236/dump.202106151236 [PARTIAL DUMP]
CPUS: 4
DATE: Tue Jun 15 12:36:38 CEST 2021
UPTIME: 00:06:21
LOAD AVERAGE: 0.04, 0.11, 0.08
TASKS: 272
NODENAME: test
RELEASE: 5.11.21-1-pve
VERSION: #1 SMP PVE 5.11.21-1 (Tue, 01 Jun 2021 16:38:57 +0200)
MACHINE: x86_64 (3696 Mhz)
MEMORY: 8 GB
PANIC: "Kernel panic - not syncing: sysrq triggered crash"
PID: 3167
COMMAND: "bash"
TASK: ffff9220c8f5be00 [THREAD_INFO: ffff9220c8f5be00]
CPU: 3
STATE: TASK_RUNNING (PANIC)
crash> bt
PID: 3167 TASK: ffff9220c8f5be00 CPU: 3 COMMAND: "bash"
#0 [ffffa24ec0bfbc80] machine_kexec at ffffffffb3c751f3
#1 [ffffa24ec0bfbce0] __crash_kexec at ffffffffb3d61092
#2 [ffffa24ec0bfbdb0] panic at ffffffffb47b769d
#3 [ffffa24ec0bfbe30] sysrq_handle_crash at ffffffffb434da4a
#4 [ffffa24ec0bfbe40] __handle_sysrq.cold at ffffffffb47e2cdc
#5 [ffffa24ec0bfbe78] write_sysrq_trigger at ffffffffb434e3f8
#6 [ffffa24ec0bfbe90] proc_reg_write at ffffffffb3fc09ea
#7 [ffffa24ec0bfbeb0] vfs_write at ffffffffb3f143b6
#8 [ffffa24ec0bfbee8] ksys_write at ffffffffb3f16b97
#9 [ffffa24ec0bfbf28] __x64_sys_write at ffffffffb3f16c2a
#10 [ffffa24ec0bfbf38] do_syscall_64 at ffffffffb480e868
#11 [ffffa24ec0bfbf50] entry_SYSCALL_64_after_hwframe at ffffffffb4a0008c
RIP: 00007f367f7baf33 RSP: 00007ffe6175dc98 RFLAGS: 00000246
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f367f7baf33
RDX: 0000000000000002 RSI: 0000560510e640b0 RDI: 0000000000000001
RBP: 0000560510e640b0 R8: 000000000000000a R9: 0000000000000001
R10: 0000560510e5f800 R11: 0000000000000246 R12: 0000000000000002
R13: 00007f367f88b6a0 R14: 0000000000000002 R15: 00007f367f88b8a0
ORIG_RAX: 0000000000000001 CS: 0033 SS: 002b
as well as lots of other fun things (see 'help' after opening a crash dump).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This was long overdue, allows to access the full feature set of our
kernel for some tools using the Linux API directly.
Packaging mostly taken from Debian[0]
[0]: https://salsa.debian.org/kernel-team/linux/-/blob/debian/4.19.118-2/debian/rules.real#L367
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Reviewed-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Since Ubuntu Eoan the kernel compression was changed from GZIP to
LZ4, due to slightly faster load times vs. a 25% size increase
trade-off (e.g. 5.0 had ~ 8, this one has ~ 12 MB; *but* the initrd
stays roughly the same size, and that one is 5 times bigger anyway)
If we want to keep that is in the stars, but for now correctly
document the build-dependency to LZ4.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
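To confirm which compression a built kernel image actually uses (and therefore whether the LZ4 build-dependency documented above is the one in play), the following added Python example scans an image for the same payload magics that the kernel's scripts/extract-vmlinux probes for. It is not code from the pve-kernel repository or from this commit; the sample image bytes are constructed, and the function reports the earliest magic found, so a false hit in the decompressor stub is possible and the result should be treated as a hint, not proof.

```python
from typing import Optional, Tuple

# Payload magics probed by scripts/extract-vmlinux in the kernel tree.
COMPRESSION_MAGICS = {
    "gzip": b"\x1f\x8b\x08",
    "xz": b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "lzma": b"\x5d\x00\x00\x00",
    "lzop": b"\x89LZ",
    "lz4": b"\x02!L\x18",  # LZ4 legacy frame, as produced by `lz4c -l`
    "zstd": b"(\xb5/\xfd",
}


def detect_kernel_compression(image: bytes) -> Optional[Tuple[str, int]]:
    """Return (format, offset) of the earliest compression magic, or None.

    A bzImage starts with the boot/setup stub and the in-kernel decompressor;
    the compressed vmlinux payload follows, so the first magic hit is usually
    the payload. Like extract-vmlinux this is heuristic: random bytes in the
    stub can match a short magic such as the bzip2 or lzma one.
    """
    hits = []
    for name, magic in COMPRESSION_MAGICS.items():
        offset = image.find(magic)
        if offset != -1:
            hits.append((offset, name))
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


def build_dep_for(fmt: str) -> str:
    """Debian package providing the compressor for the detected format."""
    # Mapping assumed from the usual Debian package names for these tools.
    return {
        "gzip": "gzip",
        "xz": "xz-utils",
        "bzip2": "bzip2",
        "lzma": "xz-utils",
        "lzop": "lzop",
        "lz4": "lz4",
        "zstd": "zstd",
    }[fmt]


# Constructed sample: an MZ/PE-style stub of zero padding followed by an
# LZ4 legacy frame header at offset 0x4000. Not a real kernel image.
SAMPLE_LZ4_IMAGE = b"MZ" + b"\x00" * (0x4000 - 2) + b"\x02!L\x18" + b"\x00" * 16


if __name__ == "__main__":
    import sys

    # Usage: python3 kcomp.py /boot/vmlinuz-$(uname -r)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            result = detect_kernel_compression(f.read())
        if result is None:
            print(f"{path}: no known compression magic found")
        else:
            fmt, off = result
            print(f"{path}: {fmt} payload at offset {off:#x} "
                  f"(build-dep: {build_dep_for(fmt)})")
```

Running it against a Proxmox kernel built after this commit should report lz4, matching the Ubuntu Eoan change the message refers to; an image from an older 5.0-series build reports gzip.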
from Depends to Recommends, since we now have an alternate bootloader
setup for some scenarios. both our installer and Debian's default setup
still install Grub by default anyway, but this allows removal without
hacks in case such an alternate bootloader is used on the system.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
RETPOLINE is now for sure included, further as this is build through
buildpackage the build dependencies are checked
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
with the help of "dpkg-checkdep" to mimic the current build-environment
asciidoc-base: used by perf man pages
automake: used by ZFS/SPL (among other things)
cpio: used in debian/rules
debhelper: used in debian/rules
kmod: used in debian/rules (depmod)
libdw-dev,libelf-dev: used for unwinder
libnuma-dev: used by perf
libslang2-dev: used by perf tui
python-minimal: used by perf
zlib1g-dev: used by perf
thank you Thomas for additional review and extensive discussions
regarding what to include (or not ;))!
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Reviewed-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
to also include tools and scripts like objtool, which are now needed for
external module building
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
with libraries that are not GPL-2-only compatible, fix previously typoed
variable, and add build-dep on libiberty-dev for CPLUS demangling.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>