Ubuntu kernel-team

[SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

classic Classic list List threaded Threaded
12 messages Options
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

[SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

[Impact]
Flexible and powerful format based on Flattened Image Tree -- FIT (similar
to Flattened Device Tree). It allows the use of images with multiple
components (several kernels, ramdisks, etc.), with contents protected by
SHA1, MD5 or CRC32, etc.
More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt

The packaging changes will add support for building a FIT kernel binary
blob which can be subsequently signed. These FIT-signed kernels will be
consumed by snapcraft recipes to build kernel snaps for platforms with
U-Boot bootloader enforcing secure boot.

[Regression Potential]
Minimal. These patches add new signing logic and build script around
'fit_signed' variable. The current build for generic kernels should not be
affected.

Alfonso Sánchez-Beato (2):
  UBUNTU: [Packaging] add rules to build FIT image
  UBUNTU: [Packaging] force creation of headers directory

 debian/rules                    |  2 +-
 debian/rules.d/1-maintainer.mk  |  1 +
 debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
 debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100755 debian/scripts/build-fit

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

[SRU][Xenial][Bionic][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

Add a fit_signed option and a script so we can build FIT images that
will be eventually signed.

Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
Signed-off-by: Shrirang Bagul <[hidden email]>
---
 debian/rules                    |  2 +-
 debian/rules.d/1-maintainer.mk  |  1 +
 debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
 debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100755 debian/scripts/build-fit

diff --git a/debian/rules b/debian/rules
index de9cdda0dff9..679a5cd2ca70 100755
--- a/debian/rules
+++ b/debian/rules
@@ -46,7 +46,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 endif
 
 # Are any of the kernel signing options enabled.
-any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
+any_signed=$(sort $(filter-out false,$(uefi_signed) $(fit_signed) $(opal_signed)))
 ifeq ($(any_signed),true)
 bin_pkg_name=$(bin_pkg_name_unsigned)
 else
diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
index 8144be29523e..82683290cabb 100644
--- a/debian/rules.d/1-maintainer.mk
+++ b/debian/rules.d/1-maintainer.mk
@@ -91,6 +91,7 @@ printenv:
  @echo "any_signed                = $(any_signed)"
  @echo " uefi_signed               = $(uefi_signed)"
  @echo " opal_signed               = $(opal_signed)"
+ @echo " fit_signed                = $(fit_signed)"
  @echo "full_build                = $(full_build)"
  @echo "libc_dev_version          = $(libc_dev_version)"
  @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 503ed2694055..0b91b83d88d2 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -447,6 +447,20 @@ endif
  install -m644 $(abidir)/$*.compiler \
  $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
 
+ifeq ($(fit_signed),true)
+ install -d $(signingv)
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*;
+# Build FIT image now that the modules folder exists
+ $(SHELL) $(DROOT)/scripts/build-fit \
+ $(CURDIR)/$(DEBIAN)/$(fit_its) \
+ "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
+ $(abi_release)-$(target_flavour) \
+ $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
+ $(signingv)
+ cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
+endif
+
 headers_tmp := $(CURDIR)/debian/tmp-headers
 headers_dir := $(CURDIR)/debian/linux-libc-dev
 
diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
new file mode 100755
index 000000000000..09292611e39d
--- /dev/null
+++ b/debian/scripts/build-fit
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+# Creates a FIT image
+# $1: ITS file (FIT components description)
+# $2: list of space-separated dtb files
+# $3: kernel version
+# $4: kernel modules directory
+# $5: destination directory
+
+. debian/debian.env
+
+echo "Creating FIT image"
+fit_its="$1"
+dtb_files="$2"
+KERNEL_VERSION="$3"
+KERNEL_MODULES_D="$4"
+dest_d="$5"
+
+set -x
+fit_d=$dest_d
+mkdir -p "$fit_d"
+# Export variables to be used by hooks
+export KERNEL_VERSION
+export KERNEL_MODULES_D
+initrd_f=initrd.img
+mkinitramfs -o "$initrd_f"
+mv "$initrd_f" "$fit_d"
+
+mkdir -p "$fit_d"/dtbs/
+for dtb in $dtb_files; do
+    cp -f "$dtb" "$fit_d"/dtbs/
+done
+
+cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage
+cp -f "$fit_its" "$fit_d"
+
+cd "$fit_d"
+mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
+cd -
+
+rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

[SRU][Xenial][Bionic][PATCH 2/2] UBUNTU: [Packaging] force creation of headers directory

Shrirang Bagul
In reply to this post by Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

Due to a race condition, some times the headers directory already
exists when running the install-arch-headers rule. Make sure we do
not fail in that case.

Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
Signed-off-by: Shrirang Bagul <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 0b91b83d88d2..c4c15517e491 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -491,7 +491,8 @@ endif
  find . -name '.' -o -name '.*' -prune -o -print | \
                 cpio -pvd --preserve-modification-time \
  $(headers_dir)/usr/include/ )
- mkdir $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)
+ mkdir -p $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)
+ rm -rf $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)/asm
  mv $(headers_dir)/usr/include/asm $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)/
 
  rm -rf $(headers_tmp)
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Andy Whitcroft-3
Reply | Threaded
Open this post in threaded view
|

[Acked/CMT] [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Andy Whitcroft-3
In reply to this post by Shrirang Bagul
On Mon, Oct 14, 2019 at 06:09:11PM +0800, Shrirang Bagul wrote:

> BugLink: https://bugs.launchpad.net/bugs/1847969
>
> [Impact]
> Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> to Flattened Device Tree). It allows the use of images with multiple
> components (several kernels, ramdisks, etc.), with contents protected by
> SHA1, MD5 or CRC32, etc.
> More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
>
> The packaging changes will add support for building a FIT kernel binary
> blob which can be subsequently signed. These FIT-signed kernels will be
> consumed by snapcraft recipes to build kernel snaps for platforms with
> U-Boot bootloader enforcing secure boot.
>
> [Regression Potential]
> Minimal. These patches add new signing logic and build script around
> 'fit_signed' variable. The current build for generic kernels should not be
> affected.
>
> Alfonso Sánchez-Beato (2):
>   UBUNTU: [Packaging] add rules to build FIT image
>   UBUNTU: [Packaging] force creation of headers directory
>
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 58 insertions(+), 2 deletions(-)
>  create mode 100755 debian/scripts/build-fit

These look reasonable.  I am slightly supprised by the second one
needing to exist, but the result looks safe even so.

~sforshee I assume we want to fold this into the latest kernel with s390
signing in it too.

Acked-by: Andy Whitcroft <[hidden email]>

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Seth Forshee
Reply | Threaded
Open this post in threaded view
|

Re: [Acked/CMT] [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Seth Forshee
On Mon, Oct 14, 2019 at 02:43:20PM +0100, Andy Whitcroft wrote:

> On Mon, Oct 14, 2019 at 06:09:11PM +0800, Shrirang Bagul wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1847969
> >
> > [Impact]
> > Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> > to Flattened Device Tree). It allows the use of images with multiple
> > components (several kernels, ramdisks, etc.), with contents protected by
> > SHA1, MD5 or CRC32, etc.
> > More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
> >
> > The packaging changes will add support for building a FIT kernel binary
> > blob which can be subsequently signed. These FIT-signed kernels will be
> > consumed by snapcraft recipes to build kernel snaps for platforms with
> > U-Boot bootloader enforcing secure boot.
> >
> > [Regression Potential]
> > Minimal. These patches add new signing logic and build script around
> > 'fit_signed' variable. The current build for generic kernels should not be
> > affected.
> >
> > Alfonso Sánchez-Beato (2):
> >   UBUNTU: [Packaging] add rules to build FIT image
> >   UBUNTU: [Packaging] force creation of headers directory
> >
> >  debian/rules                    |  2 +-
> >  debian/rules.d/1-maintainer.mk  |  1 +
> >  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
> >  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
> >  4 files changed, 58 insertions(+), 2 deletions(-)
> >  create mode 100755 debian/scripts/build-fit
>
> These look reasonable.  I am slightly supprised by the second one
> needing to exist, but the result looks safe even so.
>
> ~sforshee I assume we want to fold this into the latest kernel with s390
> signing in it too.

Yes, I think we probably want to add it to unstable at minimum. Not sure
that's it's relevant to eoan, but if so we're at the SRU stage now.

>
> Acked-by: Andy Whitcroft <[hidden email]>
>
> -apw
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

Re: [Acked/CMT] [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Shrirang Bagul
On Mon, 2019-10-14 at 10:49 -0500, Seth Forshee wrote:

> On Mon, Oct 14, 2019 at 02:43:20PM +0100, Andy Whitcroft wrote:
> > On Mon, Oct 14, 2019 at 06:09:11PM +0800, Shrirang Bagul wrote:
> > > BugLink: https://bugs.launchpad.net/bugs/1847969
> > >
> > > [Impact]
> > > Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> > > to Flattened Device Tree). It allows the use of images with multiple
> > > components (several kernels, ramdisks, etc.), with contents protected by
> > > SHA1, MD5 or CRC32, etc.
> > > More details:
> > > https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
> > >
> > > The packaging changes will add support for building a FIT kernel binary
> > > blob which can be subsequently signed. These FIT-signed kernels will be
> > > consumed by snapcraft recipes to build kernel snaps for platforms with
> > > U-Boot bootloader enforcing secure boot.
> > >
> > > [Regression Potential]
> > > Minimal. These patches add new signing logic and build script around
> > > 'fit_signed' variable. The current build for generic kernels should not be
> > > affected.
> > >
> > > Alfonso Sánchez-Beato (2):
> > >   UBUNTU: [Packaging] add rules to build FIT image
> > >   UBUNTU: [Packaging] force creation of headers directory
> > >
> > >  debian/rules                    |  2 +-
> > >  debian/rules.d/1-maintainer.mk  |  1 +
> > >  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
> > >  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
> > >  4 files changed, 58 insertions(+), 2 deletions(-)
> > >  create mode 100755 debian/scripts/build-fit
> >
> > These look reasonable.  I am slightly supprised by the second one
> > needing to exist, but the result looks safe even so.
> >
> > ~sforshee I assume we want to fold this into the latest kernel with s390
> > signing in it too.
>
> Yes, I think we probably want to add it to unstable at minimum. Not sure
> that's it's relevant to eoan, but if so we're at the SRU stage now.
I'll send a separate series of patches for 'unstable'.

/Shrirang

>
> >
> > Acked-by: Andy Whitcroft <[hidden email]>
> >
> > -apw
> >
> > --
> > kernel-team mailing list
> > [hidden email]
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (849 bytes) Download Attachment
Kleber Souza
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][Xenial][Bionic][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Kleber Souza
In reply to this post by Shrirang Bagul
On 14.10.19 12:09, Shrirang Bagul wrote:

> BugLink: https://bugs.launchpad.net/bugs/1847969
>
> Add a fit_signed option and a script so we can build FIT images that
> will be eventually signed.
>
> Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
> Signed-off-by: Shrirang Bagul <[hidden email]>
> ---
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 56 insertions(+), 1 deletion(-)
>  create mode 100755 debian/scripts/build-fit
>
> diff --git a/debian/rules b/debian/rules
> index de9cdda0dff9..679a5cd2ca70 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -46,7 +46,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
>  endif
>  
>  # Are any of the kernel signing options enabled.
> -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
> +any_signed=$(sort $(filter-out false,$(uefi_signed) $(fit_signed) $(opal_signed)))
>  ifeq ($(any_signed),true)
>  bin_pkg_name=$(bin_pkg_name_unsigned)
>  else
> diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> index 8144be29523e..82683290cabb 100644
> --- a/debian/rules.d/1-maintainer.mk
> +++ b/debian/rules.d/1-maintainer.mk
> @@ -91,6 +91,7 @@ printenv:
>   @echo "any_signed                = $(any_signed)"
>   @echo " uefi_signed               = $(uefi_signed)"
>   @echo " opal_signed               = $(opal_signed)"
> + @echo " fit_signed                = $(fit_signed)"
>   @echo "full_build                = $(full_build)"
>   @echo "libc_dev_version          = $(libc_dev_version)"
>   @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 503ed2694055..0b91b83d88d2 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -447,6 +447,20 @@ endif
>   install -m644 $(abidir)/$*.compiler \
>   $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
>  
> +ifeq ($(fit_signed),true)
> + install -d $(signingv)
> + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> + $(signingv)/$(instfile)-$(abi_release)-$*;
> +# Build FIT image now that the modules folder exists

Should the comment be indented as well?

> + $(SHELL) $(DROOT)/scripts/build-fit \
> + $(CURDIR)/$(DEBIAN)/$(fit_its) \
> + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
> + $(abi_release)-$(target_flavour) \
> + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
> + $(signingv)
> + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
> +endif
> +
>  headers_tmp := $(CURDIR)/debian/tmp-headers
>  headers_dir := $(CURDIR)/debian/linux-libc-dev
>  
> diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
> new file mode 100755
> index 000000000000..09292611e39d
> --- /dev/null
> +++ b/debian/scripts/build-fit
> @@ -0,0 +1,40 @@
> +#!/bin/sh -e
> +# Creates a FIT image
> +# $1: ITS file (FIT components description)
> +# $2: list of space-separated dtb files
> +# $3: kernel version
> +# $4: kernel modules directory
> +# $5: destination directory
> +
> +. debian/debian.env
> +
> +echo "Creating FIT image"
> +fit_its="$1"
> +dtb_files="$2"
> +KERNEL_VERSION="$3"
> +KERNEL_MODULES_D="$4"
> +dest_d="$5"
> +
> +set -x
> +fit_d=$dest_d
> +mkdir -p "$fit_d"
> +# Export variables to be used by hooks
> +export KERNEL_VERSION
> +export KERNEL_MODULES_D
> +initrd_f=initrd.img
> +mkinitramfs -o "$initrd_f"
> +mv "$initrd_f" "$fit_d"
> +
> +mkdir -p "$fit_d"/dtbs/
> +for dtb in $dtb_files; do
> +    cp -f "$dtb" "$fit_d"/dtbs/
> +done
> +
> +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage
> +cp -f "$fit_its" "$fit_d"
> +
> +cd "$fit_d"
> +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
> +cd -
> +
> +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Kleber Souza
Reply | Threaded
Open this post in threaded view
|

ACK/cmnt: [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Kleber Souza
In reply to this post by Shrirang Bagul
On 14.10.19 12:09, Shrirang Bagul wrote:

> BugLink: https://bugs.launchpad.net/bugs/1847969
>
> [Impact]
> Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> to Flattened Device Tree). It allows the use of images with multiple
> components (several kernels, ramdisks, etc.), with contents protected by
> SHA1, MD5 or CRC32, etc.
> More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
>
> The packaging changes will add support for building a FIT kernel binary
> blob which can be subsequently signed. These FIT-signed kernels will be
> consumed by snapcraft recipes to build kernel snaps for platforms with
> U-Boot bootloader enforcing secure boot.
>
> [Regression Potential]
> Minimal. These patches add new signing logic and build script around
> 'fit_signed' variable. The current build for generic kernels should not be
> affected.
>
> Alfonso Sánchez-Beato (2):
>   UBUNTU: [Packaging] add rules to build FIT image
>   UBUNTU: [Packaging] force creation of headers directory
>
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 58 insertions(+), 2 deletions(-)
>  create mode 100755 debian/scripts/build-fit
>

Looks good, the patches don't impact the binaries currently being built.
I have only a small comment about an indentation issue on Patch 1/2.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

Re: [SRU][Xenial][Bionic][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Shrirang Bagul
In reply to this post by Kleber Souza
On Thu, 2019-10-17 at 16:42 +0200, Kleber Souza wrote:

> On 14.10.19 12:09, Shrirang Bagul wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1847969
> >
> > Add a fit_signed option and a script so we can build FIT images that
> > will be eventually signed.
> >
> > Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
> > Signed-off-by: Shrirang Bagul <[hidden email]>
> > ---
> >  debian/rules                    |  2 +-
> >  debian/rules.d/1-maintainer.mk  |  1 +
> >  debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
> >  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
> >  4 files changed, 56 insertions(+), 1 deletion(-)
> >  create mode 100755 debian/scripts/build-fit
> >
> > diff --git a/debian/rules b/debian/rules
> > index de9cdda0dff9..679a5cd2ca70 100755
> > --- a/debian/rules
> > +++ b/debian/rules
> > @@ -46,7 +46,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
> >  endif
> >  
> >  # Are any of the kernel signing options enabled.
> > -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
> > +any_signed=$(sort $(filter-out false,$(uefi_signed) $(fit_signed) $(opal_signed)))
> >  ifeq ($(any_signed),true)
> >  bin_pkg_name=$(bin_pkg_name_unsigned)
> >  else
> > diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> > index 8144be29523e..82683290cabb 100644
> > --- a/debian/rules.d/1-maintainer.mk
> > +++ b/debian/rules.d/1-maintainer.mk
> > @@ -91,6 +91,7 @@ printenv:
> >   @echo "any_signed                = $(any_signed)"
> >   @echo " uefi_signed               = $(uefi_signed)"
> >   @echo " opal_signed               = $(opal_signed)"
> > + @echo " fit_signed                = $(fit_signed)"
> >   @echo "full_build                = $(full_build)"
> >   @echo "libc_dev_version          = $(libc_dev_version)"
> >   @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> > diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> > index 503ed2694055..0b91b83d88d2 100644
> > --- a/debian/rules.d/2-binary-arch.mk
> > +++ b/debian/rules.d/2-binary-arch.mk
> > @@ -447,6 +447,20 @@ endif
> >   install -m644 $(abidir)/$*.compiler \
> >   $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
> >  
> > +ifeq ($(fit_signed),true)
> > + install -d $(signingv)
> > + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> > + $(signingv)/$(instfile)-$(abi_release)-$*;
> > +# Build FIT image now that the modules folder exists
>
> Should the comment be indented as well?
Thanks for the review. The comment should have been indented too, sorry I missed that
before submitting the patches. Should I resend with the necessary changes?

/Shrirang

>
> > + $(SHELL) $(DROOT)/scripts/build-fit \
> > + $(CURDIR)/$(DEBIAN)/$(fit_its) \
> > + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
> > + $(abi_release)-$(target_flavour) \
> > + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
> > + $(signingv)
> > + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
> > +endif
> > +
> >  headers_tmp := $(CURDIR)/debian/tmp-headers
> >  headers_dir := $(CURDIR)/debian/linux-libc-dev
> >  
> > diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
> > new file mode 100755
> > index 000000000000..09292611e39d
> > --- /dev/null
> > +++ b/debian/scripts/build-fit
> > @@ -0,0 +1,40 @@
> > +#!/bin/sh -e
> > +# Creates a FIT image
> > +# $1: ITS file (FIT components description)
> > +# $2: list of space-separated dtb files
> > +# $3: kernel version
> > +# $4: kernel modules directory
> > +# $5: destination directory
> > +
> > +. debian/debian.env
> > +
> > +echo "Creating FIT image"
> > +fit_its="$1"
> > +dtb_files="$2"
> > +KERNEL_VERSION="$3"
> > +KERNEL_MODULES_D="$4"
> > +dest_d="$5"
> > +
> > +set -x
> > +fit_d=$dest_d
> > +mkdir -p "$fit_d"
> > +# Export variables to be used by hooks
> > +export KERNEL_VERSION
> > +export KERNEL_MODULES_D
> > +initrd_f=initrd.img
> > +mkinitramfs -o "$initrd_f"
> > +mv "$initrd_f" "$fit_d"
> > +
> > +mkdir -p "$fit_d"/dtbs/
> > +for dtb in $dtb_files; do
> > +    cp -f "$dtb" "$fit_d"/dtbs/
> > +done
> > +
> > +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage
> > +cp -f "$fit_its" "$fit_d"
> > +
> > +cd "$fit_d"
> > +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
> > +cd -
> > +
> > +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
> >
>
>

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (849 bytes) Download Attachment
Khaled Elmously
Reply | Threaded
Open this post in threaded view
|

APPLIED/cmt: [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Khaled Elmously
In reply to this post by Shrirang Bagul
Applied, after fixing the comment indentation pointed out by Kleber.


On 2019-10-14 18:09:11 , Shrirang Bagul wrote:

> BugLink: https://bugs.launchpad.net/bugs/1847969
>
> [Impact]
> Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> to Flattened Device Tree). It allows the use of images with multiple
> components (several kernels, ramdisks, etc.), with contents protected by
> SHA1, MD5 or CRC32, etc.
> More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
>
> The packaging changes will add support for building a FIT kernel binary
> blob which can be subsequently signed. These FIT-signed kernels will be
> consumed by snapcraft recipes to build kernel snaps for platforms with
> U-Boot bootloader enforcing secure boot.
>
> [Regression Potential]
> Minimal. These patches add new signing logic and build script around
> 'fit_signed' variable. The current build for generic kernels should not be
> affected.
>
> Alfonso Sánchez-Beato (2):
>   UBUNTU: [Packaging] add rules to build FIT image
>   UBUNTU: [Packaging] force creation of headers directory
>
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 58 insertions(+), 2 deletions(-)
>  create mode 100755 debian/scripts/build-fit
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Seth Forshee
Reply | Threaded
Open this post in threaded view
|

Re: [Acked/CMT] [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Seth Forshee
In reply to this post by Shrirang Bagul
On Tue, Oct 15, 2019 at 08:18:54PM +0800, Shrirang Bagul wrote:

> On Mon, 2019-10-14 at 10:49 -0500, Seth Forshee wrote:
> > On Mon, Oct 14, 2019 at 02:43:20PM +0100, Andy Whitcroft wrote:
> > > On Mon, Oct 14, 2019 at 06:09:11PM +0800, Shrirang Bagul wrote:
> > > > BugLink: https://bugs.launchpad.net/bugs/1847969
> > > >
> > > > [Impact]
> > > > Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> > > > to Flattened Device Tree). It allows the use of images with multiple
> > > > components (several kernels, ramdisks, etc.), with contents protected by
> > > > SHA1, MD5 or CRC32, etc.
> > > > More details:
> > > > https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
> > > >
> > > > The packaging changes will add support for building a FIT kernel binary
> > > > blob which can be subsequently signed. These FIT-signed kernels will be
> > > > consumed by snapcraft recipes to build kernel snaps for platforms with
> > > > U-Boot bootloader enforcing secure boot.
> > > >
> > > > [Regression Potential]
> > > > Minimal. These patches add new signing logic and build script around
> > > > 'fit_signed' variable. The current build for generic kernels should not be
> > > > affected.
> > > >
> > > > Alfonso Sánchez-Beato (2):
> > > >   UBUNTU: [Packaging] add rules to build FIT image
> > > >   UBUNTU: [Packaging] force creation of headers directory
> > > >
> > > >  debian/rules                    |  2 +-
> > > >  debian/rules.d/1-maintainer.mk  |  1 +
> > > >  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
> > > >  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
> > > >  4 files changed, 58 insertions(+), 2 deletions(-)
> > > >  create mode 100755 debian/scripts/build-fit
> > >
> > > These look reasonable.  I am slightly supprised by the second one
> > > needing to exist, but the result looks safe even so.
> > >
> > > ~sforshee I assume we want to fold this into the latest kernel with s390
> > > signing in it too.
> >
> > Yes, I think we probably want to add it to unstable at minimum. Not sure
> > that's it's relevant to eoan, but if so we're at the SRU stage now.
> I'll send a separate series of patches for 'unstable'.

Checking in on this, as I haven't seen patches for unstable yet.

Thanks,
Seth

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Shrirang Bagul
Reply | Threaded
Open this post in threaded view
|

Re: [Acked/CMT] [SRU][Xenial][Bionic][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Shrirang Bagul
On Tue, 2019-10-22 at 14:27 -0500, Seth Forshee wrote:

> On Tue, Oct 15, 2019 at 08:18:54PM +0800, Shrirang Bagul wrote:
> > On Mon, 2019-10-14 at 10:49 -0500, Seth Forshee wrote:
> > > On Mon, Oct 14, 2019 at 02:43:20PM +0100, Andy Whitcroft wrote:
> > > > On Mon, Oct 14, 2019 at 06:09:11PM +0800, Shrirang Bagul wrote:
> > > > > BugLink: https://bugs.launchpad.net/bugs/1847969
> > > > >
> > > > > [Impact]
> > > > > Flexible and powerful format based on Flattened Image Tree -- FIT (similar
> > > > > to Flattened Device Tree). It allows the use of images with multiple
> > > > > components (several kernels, ramdisks, etc.), with contents protected by
> > > > > SHA1, MD5 or CRC32, etc.
> > > > > More details:
> > > > > https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt
> > > > >
> > > > > The packaging changes will add support for building a FIT kernel binary
> > > > > blob which can be subsequently signed. These FIT-signed kernels will be
> > > > > consumed by snapcraft recipes to build kernel snaps for platforms with
> > > > > U-Boot bootloader enforcing secure boot.
> > > > >
> > > > > [Regression Potential]
> > > > > Minimal. These patches add new signing logic and build script around
> > > > > 'fit_signed' variable. The current build for generic kernels should not be
> > > > > affected.
> > > > >
> > > > > Alfonso Sánchez-Beato (2):
> > > > >   UBUNTU: [Packaging] add rules to build FIT image
> > > > >   UBUNTU: [Packaging] force creation of headers directory
> > > > >
> > > > >  debian/rules                    |  2 +-
> > > > >  debian/rules.d/1-maintainer.mk  |  1 +
> > > > >  debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
> > > > >  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
> > > > >  4 files changed, 58 insertions(+), 2 deletions(-)
> > > > >  create mode 100755 debian/scripts/build-fit
> > > >
> > > > These look reasonable.  I am slightly supprised by the second one
> > > > needing to exist, but the result looks safe even so.
> > > >
> > > > ~sforshee I assume we want to fold this into the latest kernel with s390
> > > > signing in it too.
> > >
> > > Yes, I think we probably want to add it to unstable at minimum. Not sure
> > > that's it's relevant to eoan, but if so we're at the SRU stage now.
> >
> > I'll send a separate series of patches for 'unstable'.
>
> Checking in on this, as I haven't seen patches for unstable yet.
The patches for unstable are now on the mailing list. I'm reusing the LP bug, hope that's
okay?

/Shrirang
>
> Thanks,
> Seth

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

signature.asc (849 bytes) Download Attachment
Free forum by Nabble Edit this page