[PATCH 0/5][disco] Add support for UEFI signed kernels on arm64

Seth Forshee
BugLink: https://bugs.launchpad.net/bugs/1804481

The following patches add support for signed UEFI kernel images on
arm64. The first three patches are for the linux patches and the last
two are for linux-signed.

The patches are complicated a bit by the fact that our arm64 generic
kernels are gzip compressed. We wish to keep the kernels we install
compressed both in the linux-image and linux-image-unsigned packages,
however signing must be done on the uncompressed kernel image. Therefore
we decompress the kernel when adding it to the signing tarball and
recompress it when building linux-signed.

Thanks,
Seth

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[PATCH 1/3][disco linux] UBUNTU: [Packaging] remove handoff check for uefi signing

Seth Forshee
BugLink: https://bugs.launchpad.net/bugs/1804481

This check doesn't work for arm64 and is no longer necessary for
x86, so remove it.

Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 08c2813f9657..61805f69e3fc 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -120,13 +120,8 @@ endif
 
 ifeq ($(uefi_signed),true)
  install -d $(signingv)
- # Check to see if this supports handoff, if not do not sign it.
- # Check the identification area magic and version >= 0x020b
- handoff=`dd if="$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
- if [ "$$handoff" = "GOOD" ]; then \
- cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
- $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
- fi
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi;
 endif
 ifeq ($(opal_signed),true)
  install -d $(signingv)
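Review bot: With the handoff test gone, the two added `cp -p` lines copy whatever sits at `$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*` into `$(signingv)` as `.efi` with no check at all, so a missing or truncated image would be submitted for signing without any warning. The commit message says the check is no longer necessary for x86 but not why; it should state what now guarantees that, and an arch-neutral guard (for instance `test -s` on the source file) would keep a sanity check in place. The trailing `;` on the last added line is left over from the removed `if` body and can go.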
--
2.19.1



[PATCH 2/3][disco linux] UBUNTU: [Packaging] decompress gzipped efi images in signing tarball

Seth Forshee
In reply to this post by Seth Forshee
BugLink: https://bugs.launchpad.net/bugs/1804481

The arm64 generic kernel image files are gzipped. For UEFI secure
boot grub will validate the signature on the decompressed image,
so the file in the signing tarball must also be decompressed. It
can later be recompressed when building linux-signed.

Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 61805f69e3fc..60d1dd510174 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -120,8 +120,16 @@ endif
 
 ifeq ($(uefi_signed),true)
  install -d $(signingv)
- cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
- $(signingv)/$(instfile)-$(abi_release)-$*.efi;
+ # We use Image.gz for arm64; detect and decompress for signing
+ if [[ "$(kernfile)" =~ \.gz$$ ]]; then \
+ cat $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* | \
+ gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ cp -p --attributes-only $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ else \
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ fi
 endif
 ifeq ($(opal_signed),true)
  install -d $(signingv)
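Review bot: In the `.gz` branch the `gunzip -cv > ...efi;` line is followed by `cp -p --attributes-only ...;`, so the recipe's exit status is that of the `cp`, and a failed or partial decompress leaves a truncated `.efi` in `$(signingv)` that still goes to signing unless the recipe shell runs with `-e`, which this hunk does not show. Joining the two commands with `&&` makes the failure fatal regardless of shell flags. The `[[ ... =~ \.gz$$ ]]` test is also bash-only, so the rule depends on `SHELL` being bash, and it keys off the name in `$(kernfile)` rather than the file that is actually decompressed.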
--
2.19.1



[PATCH 3/3][disco linux] UBUNTU: Build signed kernels for arm64

Seth Forshee
In reply to this post by Seth Forshee
From: dann frazier <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1804481

Signed-off-by: dann frazier <[hidden email]>
Signed-off-by: Seth Forshee <[hidden email]>
---
 debian.master/rules.d/arm64.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian.master/rules.d/arm64.mk b/debian.master/rules.d/arm64.mk
index 999e4ca8129a..23009120f797 100644
--- a/debian.master/rules.d/arm64.mk
+++ b/debian.master/rules.d/arm64.mk
@@ -7,6 +7,7 @@ build_image = Image.gz
 kernel_file = arch/$(build_arch)/boot/Image.gz
 install_file = vmlinuz
 no_dumpfile = true
+uefi_signed     = true
 
 # The uboot used in ubuntu core can't handle Image.gz, so
 # create this flavour to generate a Image just for them
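Review bot: `uefi_signed = true` is set for the whole architecture, but the comment just below the added line describes a second flavour built as an uncompressed `Image` for the uboot used in ubuntu core; the commit message (BugLink and sign-offs only) should say whether that flavour is meant to be signed as well, or the setting should be limited to the flavours that boot through UEFI. The added line is also padded with a run of spaces before `=`, unlike `install_file = vmlinuz` and `no_dumpfile = true` above it.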
--
2.19.1



[PATCH 1/2][disco linux-signed] UBUNTU: compress arm64 generic kernel images

Seth Forshee
In reply to this post by Seth Forshee
BugLink: https://bugs.launchpad.net/bugs/1804481

Our arm64 generic kernels are gzip compressed, but we must
uncompress them in the signing tarball. We wish for the kernel
image we install to remain compressed, so recompress it after
downloading.

This is pretty kludgy as it simply compresses efi files with
-generic in the name when the build arch is arm64. I would like
to do something nicer, however this is difficult as we don't have
information in the signed tarball about whether or not the kernel
image had originally been compressed.

Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/rules | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/debian/rules b/debian/rules
index b9afe67a162e..07bab5c2c8fc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,9 +1,11 @@
 #! /usr/bin/make -f
 
 ##export DH_VERBOSE := 1
+export SHELL=/bin/bash -e
 
 #VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
 DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+DEB_BUILD_ARCH = $(shell dpkg-architecture -qDEB_BUILD_ARCH)
 
 # Work out the source package name and version.  We assume the source package
 # is the name of this package with -signed stripped.  The version is identical
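Review bot: The new `DEB_BUILD_ARCH` describes the machine running the build, while `DEB_HOST_ARCH`, already defined on the line above it, describes the architecture the package is built for; a decision about the packaged kernel image should use `DEB_HOST_ARCH`, otherwise a cross-build takes the wrong branch. `export SHELL=/bin/bash -e` also changes error handling for every recipe in this file, not only the one that needs `[[ ]]`, and the commit message does not mention it.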
@@ -42,6 +44,11 @@ override_dh_auto_build:
  cd "$(src_version)" || exit 1; \
  for s in *.efi.signed; do \
  [ ! -f "$$s" ] && continue; \
+ if [ "$(DEB_BUILD_ARCH)" = "arm64" ] && \
+   [[ "$$s" =~ -generic ]]; then \
+ gzip "$$s"; \
+ mv "$${s}.gz" "$$s"; \
+ fi; \
  chmod 600 "$$s"; \
  base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
  ln "$$s" "../SIGNED/$$base"; \
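Review bot: `[[ "$$s" =~ -generic ]]` is an unanchored substring match, so any file with `-generic` anywhere in its name is compressed, and after `mv "$${s}.gz" "$$s"` the file keeps its `.efi.signed` name while holding gzip data, with nothing in this hunk recording which files were changed. Anchor the pattern to the flavour suffix, and use `gzip -n` so the original name and timestamp are not stored in the gzip header and the output is reproducible.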
--
2.19.1



[PATCH 2/2][disco linux-signed] UBUNTU: Add support for arm64

Seth Forshee
In reply to this post by Seth Forshee
From: dann frazier <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1804481

Signed-off-by: dann frazier <[hidden email]>
Signed-off-by: Seth Forshee <[hidden email]>
---
 debian/control.stub | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/debian/control.stub b/debian/control.stub
index 3f546b65f13b..13be911eb1ec 100644
--- a/debian/control.stub
+++ b/debian/control.stub
@@ -8,12 +8,12 @@ Build-Depends:
  python3,
  python3-apt,
 Build-Depends-Arch:
- sbsigntool [amd64],
+ sbsigntool [amd64 arm64],
  linux-libc-dev (>= VERSION),
 Standards-Version: 3.9.4
 
 Package: linux-image-ABI-generic
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Depends: ${unsigned:Depends}
 Recommends: ${unsigned:Recommends}
 Suggests: ${unsigned:Suggests}
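Review bot: `sbsigntool [amd64 arm64]` adds an arm64 build dependency without any explanation, since the commit message carries only the BugLink and sign-offs. Say which step of the linux-signed build runs it on arm64, so a later reader can tell whether the dependency is still needed.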
@@ -41,7 +41,7 @@ Package-Type: udeb
 Section: debian-installer
 Priority: extra
 Provides: kernel-signed-image
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Built-Using: linux (= VERSION)
 Description: Signed kernel image generic for the Debian installer
  A kernel image for generic.  This version of it is signed with
@@ -50,7 +50,7 @@ Description: Signed kernel image generic for the Debian installer
 
 Package: linux-image-ABI-generic-dbgsym
 Section: devel
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Depends: linux-image-unsigned-ABI-generic-dbgsym
 Description: Signed kernel image generic
  A link to the debugging symbols for the generic signed kernel.
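Review bot: Adding arm64 to `linux-image-ABI-generic-dbgsym` makes it depend on `linux-image-unsigned-ABI-generic-dbgsym` on arm64, so this change is only installable once the matching linux upload produces that package for arm64. Note the required ordering between the linux and linux-signed uploads in the commit message.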
--
2.19.1



Re: [PATCH 2/3][disco linux] UBUNTU: [Packaging] decompress gzipped efi images in signing tarball

Andy Whitcroft-3
In reply to this post by Seth Forshee
On Tue, Dec 18, 2018 at 09:57:15AM -0600, Seth Forshee wrote:

> BugLink: https://bugs.launchpad.net/bugs/1804481
>
> The arm64 generic kernel image files are gzipped. For UEFI secure
> boot grub will validate the signature on the decompressed image,
> so the file in the signing tarball must also be decompressed. It
> can later be recompressed when building linux-signed.
>
> Signed-off-by: Seth Forshee <[hidden email]>
> ---
>  debian/rules.d/2-binary-arch.mk | 12 ++++++++++--
>  1 file changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 61805f69e3fc..60d1dd510174 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -120,8 +120,16 @@ endif
>  
>  ifeq ($(uefi_signed),true)
>   install -d $(signingv)
> - cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> - $(signingv)/$(instfile)-$(abi_release)-$*.efi;
> + # We use Image.gz for arm64; detect and decompress for signing
> + if [[ "$(kernfile)" =~ \.gz$$ ]]; then \
> + cat $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* | \
> + gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
Why would this not be

                < $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
                        gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \

> + cp -p --attributes-only $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> + $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
> + else \
> + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> + $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
> + fi
>  endif
>  ifeq ($(opal_signed),true)
>   install -d $(signingv)

-apw


Re: [PATCH 1/2][disco linux-signed] UBUNTU: compress arm64 generic kernel images

Andy Whitcroft-3
In reply to this post by Seth Forshee
On Tue, Dec 18, 2018 at 09:57:17AM -0600, Seth Forshee wrote:

> BugLink: https://bugs.launchpad.net/bugs/1804481
>
> Our arm64 generic kernels are gzip compressed, but we must
> uncompress them in the signing tarball. We wish for the kernel
> image we install to remain compressed, so recompress it after
> downloading.
>
> This is pretty kludgy as it simply compresses efi files with
> -generic in the name when the build arch is arm64. I would like
> to do something nicer, however this is difficult as we don't have
> information in the signed tarball about whether or not the kernel
> image had originally been compressed.
>
> Signed-off-by: Seth Forshee <[hidden email]>
> ---
>  debian/rules | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/debian/rules b/debian/rules
> index b9afe67a162e..07bab5c2c8fc 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -1,9 +1,11 @@
>  #! /usr/bin/make -f
>  
>  ##export DH_VERBOSE := 1
> +export SHELL=/bin/bash -e
>  
>  #VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
>  DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
> +DEB_BUILD_ARCH = $(shell dpkg-architecture -qDEB_BUILD_ARCH)
>  
>  # Work out the source package name and version.  We assume the source package
>  # is the name of this package with -signed stripped.  The version is identical
> @@ -42,6 +44,11 @@ override_dh_auto_build:
>   cd "$(src_version)" || exit 1; \
>   for s in *.efi.signed; do \
>   [ ! -f "$$s" ] && continue; \
> + if [ "$(DEB_BUILD_ARCH)" = "arm64" ] && \
> +   [[ "$$s" =~ -generic ]]; then \
> + gzip "$$s"; \
> + mv "$${s}.gz" "$$s"; \
> + fi; \

Ugg, as everything you put in the signing tarball is maintained, and
safely ignored.  Could we not like touch in a foo.efi.recompress flag
file in the upload?

>   chmod 600 "$$s"; \
>   base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
>   ln "$$s" "../SIGNED/$$base"; \

-apw


Re: [PATCH 1/2][disco linux-signed] UBUNTU: compress arm64 generic kernel images

Seth Forshee
On Tue, Jan 08, 2019 at 02:25:53PM +0000, Andy Whitcroft wrote:

> On Tue, Dec 18, 2018 at 09:57:17AM -0600, Seth Forshee wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1804481
> >
> > Our arm64 generic kernels are gzip compressed, but we must
> > uncompress them in the signing tarball. We wish for the kernel
> > image we install to remain compressed, so recompress it after
> > downloading.
> >
> > This is pretty kludgy as it simply compresses efi files with
> > -generic in the name when the build arch is arm64. I would like
> > to do something nicer, however this is difficult as we don't have
> > information in the signed tarball about whether or not the kernel
> > image had originally been compressed.
> >
> > Signed-off-by: Seth Forshee <[hidden email]>
> > ---
> >  debian/rules | 7 +++++++
> >  1 file changed, 7 insertions(+)
> >
> > diff --git a/debian/rules b/debian/rules
> > index b9afe67a162e..07bab5c2c8fc 100755
> > --- a/debian/rules
> > +++ b/debian/rules
> > @@ -1,9 +1,11 @@
> >  #! /usr/bin/make -f
> >  
> >  ##export DH_VERBOSE := 1
> > +export SHELL=/bin/bash -e
> >  
> >  #VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
> >  DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH)
> > +DEB_BUILD_ARCH = $(shell dpkg-architecture -qDEB_BUILD_ARCH)
> >  
> >  # Work out the source package name and version.  We assume the source package
> >  # is the name of this package with -signed stripped.  The version is identical
> > @@ -42,6 +44,11 @@ override_dh_auto_build:
> >   cd "$(src_version)" || exit 1; \
> >   for s in *.efi.signed; do \
> >   [ ! -f "$$s" ] && continue; \
> > + if [ "$(DEB_BUILD_ARCH)" = "arm64" ] && \
> > +   [[ "$$s" =~ -generic ]]; then \
> > + gzip "$$s"; \
> > + mv "$${s}.gz" "$$s"; \
> > + fi; \
>
> Ugg, as everything you put in the signing tarball is maintained, and
> safely ignored.  Could we not like touch in a foo.efi.recompress flag
> file in the upload?

Great, as stated in the commit message I didn't like the "assume arm64
generic should be compressed" bit, but I didn't know that signing would
ignore extensions it doesn't know about. So I will change this to do
something like you suggest.

>
> >   chmod 600 "$$s"; \
> >   base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
> >   ln "$$s" "../SIGNED/$$base"; \
>
> -apw
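
The flag-file idea raised in this exchange, sketched as an added example that is not part of the thread or of the Ubuntu packaging. The function names `stage_for_signing` and `recompress_signed`, the content-based gzip detection and the round-trip hash check are assumptions; `.efi.recompress` is the flag name floated above.

```shell
#!/bin/sh
# Added illustration, not the Ubuntu packaging code. Function names, content-
# based gzip detection and the hash check are assumptions of this sketch.

# Producer side: stage a kernel for signing. A gzipped image is decompressed,
# because the signature has to cover the decompressed bytes, and an empty
# <name>.efi.recompress flag records that it must be recompressed afterwards.
stage_for_signing() {    # $1 = installed kernel file, $2 = signing directory
    local src="$1" dir="$2" out
    out="$dir/$(basename "$src").efi"
    install -d "$dir" || return 1
    if gzip -t < "$src" 2>/dev/null; then
        # A failed decompress must not leave a truncated file to be signed.
        gunzip -c < "$src" > "$out" || { rm -f "$out"; return 1; }
        : > "$out.recompress"
    else
        cp -p "$src" "$out" || return 1
    fi
}

# Consumer side: once the signed files are back, recompress only those whose
# flag file is present. The round trip is checked so that what the boot
# loader decompresses is byte-for-byte what was signed.
recompress_signed() {    # $1 = directory with *.efi.signed and the flags
    local dir="$1" s base want got
    for s in "$dir"/*.efi.signed; do
        [ -f "$s" ] || continue
        base=${s%.signed}
        [ -e "$base.recompress" ] || continue
        want=$(sha256sum < "$s") || return 1
        # -n keeps name and timestamp out of the header (reproducible output).
        gzip -n -c < "$s" > "$s.gz" || return 1
        got=$(gunzip -c < "$s.gz" | sha256sum) || return 1
        [ "$want" = "$got" ] || { rm -f "$s.gz"; return 1; }
        mv "$s.gz" "$s" || return 1
    done
    return 0
}
```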


Re: [PATCH 2/3][disco linux] UBUNTU: [Packaging] decompress gzipped efi images in signing tarball

Seth Forshee
In reply to this post by Andy Whitcroft-3
On Tue, Jan 08, 2019 at 02:24:03PM +0000, Andy Whitcroft wrote:

> On Tue, Dec 18, 2018 at 09:57:15AM -0600, Seth Forshee wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1804481
> >
> > The arm64 generic kernel image files are gzipped. For UEFI secure
> > boot grub will validate the signature on the decompressed image,
> > so the file in the signing tarball must also be decompressed. It
> > can later be recompressed when building linux-signed.
> >
> > Signed-off-by: Seth Forshee <[hidden email]>
> > ---
> >  debian/rules.d/2-binary-arch.mk | 12 ++++++++++--
> >  1 file changed, 10 insertions(+), 2 deletions(-)
> >
> > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> > index 61805f69e3fc..60d1dd510174 100644
> > --- a/debian/rules.d/2-binary-arch.mk
> > +++ b/debian/rules.d/2-binary-arch.mk
> > @@ -120,8 +120,16 @@ endif
> >  
> >  ifeq ($(uefi_signed),true)
> >   install -d $(signingv)
> > - cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> > - $(signingv)/$(instfile)-$(abi_release)-$*.efi;
> > + # We use Image.gz for arm64; detect and decompress for signing
> > + if [[ "$(kernfile)" =~ \.gz$$ ]]; then \
> > + cat $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* | \
> > + gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
> Why would this not be
>
> < $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \

No reason I suppose, will change this for v2.

>
> > + cp -p --attributes-only $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> > + $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
> > + else \
> > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> > + $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
> > + fi
> >  endif
> >  ifeq ($(opal_signed),true)
> >   install -d $(signingv)
>
> -apw
