[PATCH v2 0/5][disco] Add support for UEFI signed kernels on arm64


dann frazier-4
BugLink: https://bugs.launchpad.net/bugs/1804481

The following patches add support for signed UEFI kernel images on
arm64. The first three patches are for the linux package and the last
two are for linux-signed.

The patches are complicated a bit by the fact that our arm64 generic
kernels are gzip compressed. We wish to keep the kernels we install
compressed both in the linux-image and linux-image-unsigned packages,
however signing must be done on the uncompressed kernel image. Therefore
we decompress the kernel when adding it to the signing tarball and bundle
a configuration file to signal linux-signed to recompress.

Test builds are available here:
  https://launchpad.net/~dannf/+archive/ubuntu/arm64-signed

v2:
  - Add support for a <efi-image>.vars config in the signed tarball,
    and support a GZIP=1 setting to tell linux-signed that the signed
    image should be recompressed.
  - Use maximum gzip compression when recompressing, to match the
    unsigned image.
  - Include snapdragon flavor support.
  - Kill the cat.

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
[PATCH v2 1/3][disco linux] UBUNTU: [Packaging] remove handoff check for uefi signing

dann frazier-4
From: Seth Forshee <[hidden email]>

This check doesn't work for arm64 and is no longer necessary for
x86, so remove it.

Signed-off-by: Seth Forshee <[hidden email]>
Signed-off-by: dann frazier <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 08c2813f96571..61805f69e3fcd 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -120,13 +120,8 @@ endif
 
 ifeq ($(uefi_signed),true)
  install -d $(signingv)
- # Check to see if this supports handoff, if not do not sign it.
- # Check the identification area magic and version >= 0x020b
- handoff=`dd if="$(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$*" bs=1 skip=514 count=6 2>/dev/null | od -s | gawk '($$1 == 0 && $$2 == 25672 && $$3 == 21362 && $$4 >= 523) { print "GOOD" }'`; \
- if [ "$$handoff" = "GOOD" ]; then \
- cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
- $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
- fi
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi;
 endif
 ifeq ($(opal_signed),true)
  install -d $(signingv)
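Review bot: with the `handoff` test removed, the `cp -p ... .efi` in the `uefi_signed` branch submits every image for signing unconditionally, but the commit message only says the check is "no longer necessary for x86" without saying what made it unnecessary. Please state the reason in the commit message or in a comment above the `cp`, so a later reader can tell which guarantee the signing step now relies on. The trailing `;` on the last `cp` line is a leftover from the removed `if` block and can be dropped.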
--
2.20.1



[PATCH v2 2/3][disco linux] UBUNTU: [Packaging] decompress gzipped efi images in signing tarball

dann frazier-4
In reply to this post by dann frazier-4
From: Seth Forshee <[hidden email]>

The arm64 generic kernel image files are gzipped. For UEFI secure
boot grub will validate the signature on the decompressed image,
so the file in the signing tarball must also be decompressed.

When this happens we want the kernel to be recompressed in the
linux-image package, but we don't currently have a way to let
linux-signed know that this should happen. Facilitate this by
adding a <efi-image>.vars file to the signing tarball which will
contain shell variables and can be sourced during linux-signed
build. Add "GZIP=1" to this file when decompressing the kernel
image to indicate that the kernel image should be gzipped after
signing.

Signed-off-by: Seth Forshee <[hidden email]>
Signed-off-by: dann frazier <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 61805f69e3fcd..55ce305ffcc8a 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -120,8 +120,17 @@ endif
 
 ifeq ($(uefi_signed),true)
  install -d $(signingv)
- cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
- $(signingv)/$(instfile)-$(abi_release)-$*.efi;
+ # gzipped kernel images must be decompressed for signing
+ if [[ "$(kernfile)" =~ \.gz$$ ]]; then \
+ < $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ cp -p --attributes-only $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ echo "GZIP=1" >> $(signingv)/$(instfile)-$(abi_release)-$*.efi.vars; \
+ else \
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+ fi
 endif
 ifeq ($(opal_signed),true)
  install -d $(signingv)
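Review bot: the commands inside the `.gz` branch are joined with `;`, so a failing `gunzip -cv` goes unnoticed: the recipe carries on with `cp -p --attributes-only` and `echo "GZIP=1"`, and a truncated or empty `.efi` can land in the signing directory. Chain the three commands with `&&`, or start the recipe with `set -e;`. Separately, `[[ ... =~ ... ]]` is a bash construct, so the test depends on the makefile's shell being bash, where a `case "$(kernfile)" in *.gz)` would not.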
--
2.20.1



[PATCH v2 3/3][disco linux] UBUNTU: Build signed kernels for arm64

dann frazier-4
In reply to this post by dann frazier-4
BugLink: https://bugs.launchpad.net/bugs/1804481

Signed-off-by: dann frazier <[hidden email]>
Signed-off-by: Seth Forshee <[hidden email]>
---
 debian.master/rules.d/arm64.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian.master/rules.d/arm64.mk b/debian.master/rules.d/arm64.mk
index 999e4ca8129a3..23009120f7972 100644
--- a/debian.master/rules.d/arm64.mk
+++ b/debian.master/rules.d/arm64.mk
@@ -7,6 +7,7 @@ build_image = Image.gz
 kernel_file = arch/$(build_arch)/boot/Image.gz
 install_file = vmlinuz
 no_dumpfile = true
+uefi_signed     = true
 
 # The uboot used in ubuntu core can't handle Image.gz, so
 # create this flavour to generate a Image just for them
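Review bot: `uefi_signed = true` is set at the top level of arm64.mk, so it applies to every flavour built from this file, including the one the following comment describes as producing an uncompressed Image, yet the commit message has no body. Please add a sentence naming the flavours that are expected to be signed and noting that both the gzipped and the uncompressed image are meant to go through the signing step.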
--
2.20.1



[PATCH v2 1/2][disco linux-signed] UBUNTU: support recompression of signed kernels

dann frazier-4
In reply to this post by dann frazier-4
From: Seth Forshee <[hidden email]>

BugLink: https://bugs.launchpad.net/bugs/1804481

Our arm64 generic kernels are compressed, but they must be
decompressed for signing. The kernel build will indicate that a
signed kernel image should be recompressed by adding GZIP=1 into
a <kernel-image>.vars file in the signing tarball. Add support
for reading the contents of this file and compressing the kernel
image when GZIP=1.

Signed-off-by: Seth Forshee <[hidden email]>
[ dannf: Use maximum gzip compression to match unsigned build ]
Signed-off-by: dann frazier <[hidden email]>
---
 debian/rules | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index b9afe67a162e..20b16d7da826 100755
--- a/debian/rules
+++ b/debian/rules
@@ -42,8 +42,16 @@ override_dh_auto_build:
  cd "$(src_version)" || exit 1; \
  for s in *.efi.signed; do \
  [ ! -f "$$s" ] && continue; \
- chmod 600 "$$s"; \
  base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \
+ ( \
+ vars="$${base}.efi.vars"; \
+ [ -f "$$vars" ] && . "./$$vars"; \
+ if [ "$$GZIP" = "1" ]; then \
+ gzip -9 "$$s"; \
+ mv "$${s}.gz" "$$s"; \
+ fi; \
+ ); \
+ chmod 600 "$$s"; \
  ln "$$s" "../SIGNED/$$base"; \
  done; \
  for s in *.opal.sig; do \
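Review bot: `. "./$$vars"` runs whatever the `.efi.vars` file contains as shell during the build, although `GZIP` is the only setting this patch acts on; reading the file as data, for example `grep -qx 'GZIP=1' "$$vars"`, is enough and keeps tarball contents from executing. `GZIP` is also not cleared before the test, so a value inherited from the build environment is honoured when no `.vars` file exists, and the name is the one gzip itself reads from the environment for default options; an `unset GZIP` at the top of the subshell or a different variable name avoids both. Last, `gzip -9 "$$s"; mv ...` does not check the gzip exit status, so after a failure the loop still runs `chmod` and `ln` on the uncompressed file.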
--
2.20.1
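
The `.vars` handshake described in this commit message, as an added example that is not part of the patch series: it reads `<image>.efi.vars` as data instead of sourcing it, and checks the gzip round trip before replacing the signed image. The function names and the `.gz.tmp` suffix are assumptions of the example; only the `.efi.vars` file and the `GZIP=1` setting come from the thread.

```shell
#!/bin/sh
# Added example, not code from the linux-signed package.
# Hypothetical helper names; the ".efi.vars" / "GZIP=1" convention is
# the one described in the thread.

# vars_requests_gzip FILE
# Succeeds only if FILE exists and has a line that is exactly "GZIP=1".
# The file is treated as data; nothing in it is executed.
vars_requests_gzip() {
    [ -f "$1" ] || return 1
    grep -qx 'GZIP=1' "$1"
}

# recompress_signed IMAGE VARS
# Replaces IMAGE with its gzip -9 form when VARS requests it.
# On any failure IMAGE is left untouched and a non-zero status is returned.
recompress_signed() {
    img=$1
    vars=$2
    vars_requests_gzip "$vars" || return 0   # no request: keep image as is

    tmp="$img.gz.tmp"
    # -n keeps the original name and timestamp out of the gzip header
    gzip -9 -n -c < "$img" > "$tmp" || { rm -f "$tmp"; return 1; }

    # The signature covers the decompressed bytes, so confirm that
    # decompressing the new file yields exactly the signed image.
    gzip -dc < "$tmp" | cmp -s - "$img" || { rm -f "$tmp"; return 1; }

    chmod 600 "$tmp" && mv -f "$tmp" "$img"
}
```
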



[PATCH v2 2/2][disco linux-signed] UBUNTU: Add support for arm64

dann frazier-4
In reply to this post by dann frazier-4
BugLink: https://bugs.launchpad.net/bugs/1804481

Signed-off-by: dann frazier <[hidden email]>
---
 debian/control.stub | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/debian/control.stub b/debian/control.stub
index 3f546b65f13b..049add06d448 100644
--- a/debian/control.stub
+++ b/debian/control.stub
@@ -8,12 +8,12 @@ Build-Depends:
  python3,
  python3-apt,
 Build-Depends-Arch:
- sbsigntool [amd64],
+ sbsigntool [amd64 arm64],
  linux-libc-dev (>= VERSION),
 Standards-Version: 3.9.4
 
 Package: linux-image-ABI-generic
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Depends: ${unsigned:Depends}
 Recommends: ${unsigned:Recommends}
 Suggests: ${unsigned:Suggests}
@@ -36,12 +36,24 @@ Description: Signed kernel image lowlatency
  A kernel image for lowlatency.  This version of it is signed with
  Canonical's UEFI signing key.
 
+Package: linux-image-ABI-snapdragon
+Architecture: arm64
+Depends: ${unsigned:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Conflicts: ${unsigned:Conflicts}
+Provides: ${unsigned:Provides}
+Built-Using: linux (= VERSION)
+Description: Signed kernel image snapdragon
+ A kernel image for snapdragon.  This version of it is signed with
+ Canonical's UEFI/Opal signing key.
+
 Package: kernel-signed-image-ABI-generic-di
 Package-Type: udeb
 Section: debian-installer
 Priority: extra
 Provides: kernel-signed-image
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Built-Using: linux (= VERSION)
 Description: Signed kernel image generic for the Debian installer
  A kernel image for generic.  This version of it is signed with
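Review bot: the new linux-image-ABI-snapdragon description says "Canonical's UEFI/Opal signing key", while the stanza is `Architecture: arm64` and the lowlatency description just above says "Canonical's UEFI signing key". Unless Opal signing applies to this flavour, the description should read "UEFI signing key".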
@@ -50,7 +62,7 @@ Description: Signed kernel image generic for the Debian installer
 
 Package: linux-image-ABI-generic-dbgsym
 Section: devel
-Architecture: amd64 ppc64el
+Architecture: amd64 arm64 ppc64el
 Depends: linux-image-unsigned-ABI-generic-dbgsym
 Description: Signed kernel image generic
  A link to the debugging symbols for the generic signed kernel.
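Review bot: this hunk adds arm64 to linux-image-ABI-generic-dbgsym, but the patch has no matching -dbgsym stanza for the new linux-image-ABI-snapdragon package, so the signed snapdragon image gets no link to its debugging symbols. Please add a snapdragon -dbgsym stanza following the pattern of the generic one.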
--
2.20.1



[Acked] [PATCH v2 0/5][disco] Add support for UEFI signed kernels on arm64

Andy Whitcroft-3
In reply to this post by dann frazier-4
On Fri, Jan 25, 2019 at 10:57:20AM -0700, dann frazier wrote:

> BugLink: https://bugs.launchpad.net/bugs/1804481
>
> The following patches add support for signed UEFI kernel images on
> arm64. The first three patches are for the linux package and the last
> two are for linux-signed.
>
> The patches are complicated a bit by the fact that our arm64 generic
> kernels are gzip compressed. We wish to keep the kernels we install
> compressed both in the linux-image and linux-image-unsigned packages,
> however signing must be done on the uncompressed kernel image. Therefore
> we decompress the kernel when adding it to the signing tarball and bundle
> a configuration file to signal linux-signed to recompress.
>
> Test builds are available here:
>   https://launchpad.net/~dannf/+archive/ubuntu/arm64-signed
>
> v2:
>   - Add support for a <efi-image>.vars config in the signed tarball,
>     and support a GZIP=1 setting to tell linux-signed that the signed
>     image should be recompressed.
>   - Use maximum gzip compression when recompressing, to match the
>     unsigned image.
>   - Include snapdragon flavor support.
>   - Kill the cat.

Assuming the linkage for the debug packages is right, this looks like a
sane approach.

Acked-by: Andy Whitcroft <[hidden email]>

-apw


APPLIED: [PATCH v2 0/5][disco] Add support for UEFI signed kernels on arm64

Seth Forshee
In reply to this post by dann frazier-4
On Fri, Jan 25, 2019 at 10:57:20AM -0700, dann frazier wrote:

> BugLink: https://bugs.launchpad.net/bugs/1804481
>
> The following patches add support for signed UEFI kernel images on
> arm64. The first three patches are for the linux package and the last
> two are for linux-signed.
>
> The patches are complicated a bit by the fact that our arm64 generic
> kernels are gzip compressed. We wish to keep the kernels we install
> compressed both in the linux-image and linux-image-unsigned packages,
> however signing must be done on the uncompressed kernel image. Therefore
> we decompress the kernel when adding it to the signing tarball and bundle
> a configuration file to signal linux-signed to recompress.
>
> Test builds are available here:
>   https://launchpad.net/~dannf/+archive/ubuntu/arm64-signed

Applied to disco and unstable, thanks!


Re: [Acked] [PATCH v2 0/5][disco] Add support for UEFI signed kernels on arm64

dann frazier-4
In reply to this post by Andy Whitcroft-3
On Tue, Jan 29, 2019 at 6:24 AM Andy Whitcroft <[hidden email]> wrote:

>
> On Fri, Jan 25, 2019 at 10:57:20AM -0700, dann frazier wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1804481
> >
> > The following patches add support for signed UEFI kernel images on
> > arm64. The first three patches are for the linux package and the last
> > two are for linux-signed.
> >
> > The patches are complicated a bit by the fact that our arm64 generic
> > kernels are gzip compressed. We wish to keep the kernels we install
> > compressed both in the linux-image and linux-image-unsigned packages,
> > however signing must be done on the uncompressed kernel image. Therefore
> > we decompress the kernel when adding it to the signing tarball and bundle
> > a configuration file to signal linux-signed to recompress.
> >
> > Test builds are available here:
> >   https://launchpad.net/~dannf/+archive/ubuntu/arm64-signed
> >
> > v2:
> >   - Add support for a <efi-image>.vars config in the signed tarball,
> >     and support a GZIP=1 setting to tell linux-signed that the signed
> >     image should be recompressed.
> >   - Use maximum gzip compression when recompressing, to match the
> >     unsigned image.
> >   - Include snapdragon flavor support.
> >   - Kill the cat.
>
> Assuming the linkage for the debug packages is right, this looks like a
> sane approach.

Oh, good catch - I didn't think of that. We are missing the snapdragon
debug linkage. I'll follow up w/ a patch for that.

  -dann
