[UNSTABLE][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[UNSTABLE][PATCH 0/2] UBUNTU: [Packaging] Support building Flattened Image Tree (FIT) kernels

Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

[Impact]
Flexible and powerful format based on Flattened Image Tree -- FIT (similar
to Flattened Device Tree). It allows the use of images with multiple
components (several kernels, ramdisks, etc.), with contents protected by
SHA1, MD5 or CRC32, etc.
More details: https://gitlab.denx.de/u-boot/u-boot/blob/master/doc/uImage.FIT/howto.txt

The packaging changes will add support for building a FIT kernel binary
blob which can be subsequently signed. These FIT-signed kernels will be
consumed by snapcraft recipes to build kernel snaps for platforms with
U-Boot bootloader enforcing secure boot.

[Regression Potential]
Minimal. These patches add new signing logic and build script around
'fit_signed' variable. The current build for generic kernels should not be
affected.

Shrirang Bagul (2):
  UBUNTU: [Packaging] add rules to build FIT image
  UBUNTU: [Packaging] force creation of headers directory

 debian/rules                    |  2 +-
 debian/rules.d/1-maintainer.mk  |  1 +
 debian/rules.d/2-binary-arch.mk | 17 +++++++++++++-
 debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
 4 files changed, 58 insertions(+), 2 deletions(-)
 create mode 100755 debian/scripts/build-fit

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[UNSTABLE][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

Add a fit_signed option and a script so we can build FIT images that
will be eventually signed.

Based on commit (in Bionic):
44efa9e736 UBUNTU: [Packaging] add rules to build FIT image

Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
Signed-off-by: Shrirang Bagul <[hidden email]>
---
 debian/rules                    |  2 +-
 debian/rules.d/1-maintainer.mk  |  1 +
 debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
 debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100755 debian/scripts/build-fit

diff --git a/debian/rules b/debian/rules
index 8cb6604e18db..9281de598b03 100755
--- a/debian/rules
+++ b/debian/rules
@@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 endif
 
 # Are any of the kernel signing options enabled.
-any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
+any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed)))
 ifeq ($(any_signed),true)
 bin_pkg_name=$(bin_pkg_name_unsigned)
 else
diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
index 6b4e0901c288..f20f537e1364 100644
--- a/debian/rules.d/1-maintainer.mk
+++ b/debian/rules.d/1-maintainer.mk
@@ -94,6 +94,7 @@ printenv:
  @echo " uefi_signed               = $(uefi_signed)"
  @echo " opal_signed               = $(opal_signed)"
  @echo " sipl_signed               = $(sipl_signed)"
+ @echo " fit_signed               = $(fit_signed)"
  @echo "full_build                = $(full_build)"
  @echo "libc_dev_version          = $(libc_dev_version)"
  @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index 82e4d80e469f..f3279369c3a7 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -478,6 +478,20 @@ endif
  install -m644 $(abidir)/$*.compiler \
  $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
 
+ifeq ($(fit_signed),true)
+ install -d $(signingv)
+ cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+ $(signingv)/$(instfile)-$(abi_release)-$*;
+ # Build FIT image now that the modules folder exists
+ $(SHELL) $(DROOT)/scripts/build-fit \
+ $(CURDIR)/$(DEBIAN)/$(fit_its) \
+ "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
+ $(abi_release)-$(target_flavour) \
+ $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
+ $(signingv)
+ cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
+endif
+
 headers_tmp := $(CURDIR)/debian/tmp-headers
 headers_dir := $(CURDIR)/debian/linux-libc-dev
 
diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
new file mode 100755
index 000000000000..09292611e39d
--- /dev/null
+++ b/debian/scripts/build-fit
@@ -0,0 +1,40 @@
+#!/bin/sh -e
+# Creates a FIT image
+# $1: ITS file (FIT components description)
+# $2: list of space-separated dtb files
+# $3: kernel version
+# $4: kernel modules directory
+# $5: destination directory
+
+. debian/debian.env
+
+echo "Creating FIT image"
+fit_its="$1"
+dtb_files="$2"
+KERNEL_VERSION="$3"
+KERNEL_MODULES_D="$4"
+dest_d="$5"
+
+set -x
+fit_d=$dest_d
+mkdir -p "$fit_d"
+# Export variables to be used by hooks
+export KERNEL_VERSION
+export KERNEL_MODULES_D
+initrd_f=initrd.img
+mkinitramfs -o "$initrd_f"
+mv "$initrd_f" "$fit_d"
+
+mkdir -p "$fit_d"/dtbs/
+for dtb in $dtb_files; do
+    cp -f "$dtb" "$fit_d"/dtbs/
+done
+
+cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage
+cp -f "$fit_its" "$fit_d"
+
+cd "$fit_d"
+mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
+cd -
+
+rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[UNSTABLE][PATCH 2/2] UBUNTU: [Packaging] force creation of headers directory

Shrirang Bagul
In reply to this post by Shrirang Bagul
BugLink: https://bugs.launchpad.net/bugs/1847969

Due to a race condition, some times the headers directory already
exists when running the install-arch-headers rule. Make sure we do
not fail in that case.

Based on commit (in Bionic):
bb372cae8201: UBUNTU: [Packaging] force creation of headers directory

Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
Signed-off-by: Shrirang Bagul <[hidden email]>
---
 debian/rules.d/2-binary-arch.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index f3279369c3a7..bd86d7b71fad 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -522,7 +522,8 @@ endif
  find . -name '.' -o -name '.*' -prune -o -print | \
                 cpio -pvd --preserve-modification-time \
  $(headers_dir)/usr/include/ )
- mkdir $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)
+ mkdir -p $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)
+ rm -rf $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)/asm
  mv $(headers_dir)/usr/include/asm $(headers_dir)/usr/include/$(DEB_HOST_MULTIARCH)/
 
  rm -rf $(headers_tmp)
--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

Re: [UNSTABLE][PATCH 1/2] UBUNTU: [Packaging] add rules to build FIT image

Seth Forshee
In reply to this post by Shrirang Bagul
On Wed, Oct 23, 2019 at 12:07:24PM +0800, Shrirang Bagul wrote:

> BugLink: https://bugs.launchpad.net/bugs/1847969
>
> Add a fit_signed option and a script so we can build FIT images that
> will be eventually signed.
>
> Based on commit (in Bionic):
> 44efa9e736 UBUNTU: [Packaging] add rules to build FIT image
>
> Signed-off-by: Alfonso Sánchez-Beato <[hidden email]>
> Signed-off-by: Shrirang Bagul <[hidden email]>
> ---
>  debian/rules                    |  2 +-
>  debian/rules.d/1-maintainer.mk  |  1 +
>  debian/rules.d/2-binary-arch.mk | 14 ++++++++++++
>  debian/scripts/build-fit        | 40 +++++++++++++++++++++++++++++++++
>  4 files changed, 56 insertions(+), 1 deletion(-)
>  create mode 100755 debian/scripts/build-fit
>
> diff --git a/debian/rules b/debian/rules
> index 8cb6604e18db..9281de598b03 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -49,7 +49,7 @@ ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
>  endif
>  
>  # Are any of the kernel signing options enabled.
> -any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed)))
> +any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed) $(sipl_signed) $(fit_signed)))
>  ifeq ($(any_signed),true)
>  bin_pkg_name=$(bin_pkg_name_unsigned)
>  else
> diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk
> index 6b4e0901c288..f20f537e1364 100644
> --- a/debian/rules.d/1-maintainer.mk
> +++ b/debian/rules.d/1-maintainer.mk
> @@ -94,6 +94,7 @@ printenv:
>   @echo " uefi_signed               = $(uefi_signed)"
>   @echo " opal_signed               = $(opal_signed)"
>   @echo " sipl_signed               = $(sipl_signed)"
> + @echo " fit_signed               = $(fit_signed)"
>   @echo "full_build                = $(full_build)"
>   @echo "libc_dev_version          = $(libc_dev_version)"
>   @echo "DEB_HOST_GNU_TYPE         = $(DEB_HOST_GNU_TYPE)"
> diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
> index 82e4d80e469f..f3279369c3a7 100644
> --- a/debian/rules.d/2-binary-arch.mk
> +++ b/debian/rules.d/2-binary-arch.mk
> @@ -478,6 +478,20 @@ endif
>   install -m644 $(abidir)/$*.compiler \
>   $(pkgdir_bldinfo)/usr/lib/linux/$(abi_release)-$*/compiler
>  
> +ifeq ($(fit_signed),true)
> + install -d $(signingv)
> + cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
> + $(signingv)/$(instfile)-$(abi_release)-$*;

It seems odd to me that you're putting both the vmlinuz and the fit
image into the signing tarball. Is there a reason for this other than
the fact that build-fit expects to find it there? If not, I think it
would be preferable to leave it out and pass the path to the vmlinuz to
build-fit.

> + # Build FIT image now that the modules folder exists
> + $(SHELL) $(DROOT)/scripts/build-fit \
> + $(CURDIR)/$(DEBIAN)/$(fit_its) \

I assume fit_its will be defined in an <arch>.mk file?

> + "$(foreach f, $(fit_dtb_files), $(builddir)/build-$*/$(f))" \
> + $(abi_release)-$(target_flavour) \
> + $(CURDIR)/$(DROOT)/linux-modules-$(abi_release)-$* \
> + $(signingv)
> + cp -p $(signingv)/fit-$(abi_release)-$*.fit $(pkgdir_bin)/boot/
> +endif
> +
>  headers_tmp := $(CURDIR)/debian/tmp-headers
>  headers_dir := $(CURDIR)/debian/linux-libc-dev
>  
> diff --git a/debian/scripts/build-fit b/debian/scripts/build-fit
> new file mode 100755
> index 000000000000..09292611e39d
> --- /dev/null
> +++ b/debian/scripts/build-fit
> @@ -0,0 +1,40 @@
> +#!/bin/sh -e
> +# Creates a FIT image
> +# $1: ITS file (FIT components description)
> +# $2: list of space-separated dtb files
> +# $3: kernel version
> +# $4: kernel modules directory
> +# $5: destination directory
> +
> +. debian/debian.env
> +
> +echo "Creating FIT image"
> +fit_its="$1"
> +dtb_files="$2"
> +KERNEL_VERSION="$3"
> +KERNEL_MODULES_D="$4"
> +dest_d="$5"
> +
> +set -x
> +fit_d=$dest_d
> +mkdir -p "$fit_d"
> +# Export variables to be used by hooks
> +export KERNEL_VERSION
> +export KERNEL_MODULES_D
> +initrd_f=initrd.img
> +mkinitramfs -o "$initrd_f"
> +mv "$initrd_f" "$fit_d"

Can we assume mkinitramfs will always be installed, or do we need to add
a build dependency? And why not just generate the initramfs at its final
location?

> +mkdir -p "$fit_d"/dtbs/
> +for dtb in $dtb_files; do
> +    cp -f "$dtb" "$fit_d"/dtbs/
> +done
> +
> +cp -f "$dest_d"/vmlinuz-* "$fit_d"/zImage

Note that there's an assumption here that the kernel image will be named
vmlinuz-*, whereas the name is actually based on the install_file
variable from the <arch>.mk file. If the path to the kernel image was
passed as an argument then it would be unnecessary.

Thanks,
Seth

> +cp -f "$fit_its" "$fit_d"
> +
> +cd "$fit_d"
> +mkimage -D "-I dts -O dtb -p 2000" -f "${fit_its##*/}" fit-"$KERNEL_VERSION".fit
> +cd -
> +
> +rm -rf "$fit_d"/"$initrd_f" "$fit_d"/dtbs/ "$fit_d"/zImage "$fit_d"/"${fit_its##*/}"
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team