pve-kernel-qoup/debian/signing-template/rules.in
Fabian Grünbichler 2b3d5a2269 build: add proxmox-kernel-X.Y-pve-signed-template
the signed template together with the binary package(s) containing the unsigned
files form the input to our secure boot signing service.

the signed template consists of
- files.json (specifying which files are signed how and by which key)
- packaging template used to build the signed package(s)

the signing service
- extracts and checks the signed-template binary package
- extracts the unsigned package(s)
- signs the needed files
- packs up the signatures + the template contained in the signed-template
  package into the signed source package

the signed source package can then be built in the regular fashion (in case of
the kernel packages, it will copy the kernel image, modules and some helper
files from the unsigned package, attach the signature created by the signing
service, and re-pack the result as signed-kernel package).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2023-11-20 12:28:56 +01:00

59 lines
2.0 KiB
Makefile

#!/usr/bin/make -f
SHELL := bash -e
export DH_OPTIONS
include /usr/share/dpkg/architecture.mk
KERNEL_VERSION=@KVNAME@
IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
PACKAGE_VERSION=@PKG_VERSION@
PACKAGE_DIR=debian/$(PACKAGE_NAME)
SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
build: build-arch build-indep
build-arch:
build-indep:
clean:
dh_testdir
dh_clean
binary: binary-arch binary-indep
binary-arch:
dh_testdir
mkdir -p $(PACKAGE_DIR)/boot
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
$(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
else \
echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
false; \
fi
mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
dh_install
dh_installchangelogs
dh_installdocs -A debian/copyright debian/SOURCE
dh_lintian
dh_compress
dh_fixperms
dh_installdeb
# Copy most package relations and description from unsigned package
for field in Depends Suggests Recommends Breaks; do \
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
done
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
dh_gencontrol -- -v$(PACKAGE_VERSION)
dh_md5sums
dh_builddeb
binary-indep:
.PHONY: build build-arch build-indep clean binary binary-arch binary-indep