On Sun, 2016-05-29 at 13:38 +0100, Ben Hutchings wrote:
[...]
> So I think I have to abandon my current approach and instead do one of:
>
> 1. Attach module signatures at installation time, in a subdirectory.
>    Change kmod to prefer this subdirectory (this is purely a
>    configuration change). It would also be possible to check during
>    installation that signatures match the installed unsigned modules,
>    and if not then abort and leave any older signed modules in place.
>
> 2. Attach module signatures at package build time, making the
>    linux-image-signed packages provide/conflict/replace the
>    corresponding linux-image packages. For architectures with
>    signed modules, udebs would be built from linux-signed and not
>    from linux.
[...]

I'm now implementing the second approach above.

In preparation for that, I moved most of the complexity of the
linux-image maintainer scripts into two new commands in linux-base and
rewrote them as shell scripts. This reduced the total size of the
script templates from 711 to 67 (non-blank, non-comment) lines. I think
they're now simple enough that duplicating them in linux-image-signed
is acceptable.

(Now that I think about it, we could duplicate the maintainer scripts
at build time using 'dpkg-query --control-show'. Anyway, we now have
much more readable scripts and the new commands could be used by
packages generated by 'make deb-pkg' and make-kpkg in future.)

Duplicating the contents of linux-image and attaching signatures at
build time is simple and runs quickly. It's also necessary to duplicate
the package relations and the description (with minor edits); this was
actually the hard part of the changes to linux-signed because multiline
values need to be escaped in substvars.

I think there are three steps left:

1. Move udeb generation for configurations with module signing enabled
   from linux to linux-signed. (This is in progress.)

2. (Optional) Remove the '-signed' suffix from signed packages and add
   an '-unsigned' suffix to unsigned linux-image packages built with
   module signing enabled. Adjust the Conflicts/Replaces/Provides
   fields accordingly.

3. Change the signing script to use an HSM.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
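The installation-time check mentioned under option 1 (confirm that a signed module really is the installed unsigned module plus a signature), as an added example that is not from this message or from the Debian linux/linux-signed packaging: it parses the kernel's appended-signature trailer (signature data, the 12-byte module_signature struct, then the 28-byte magic string) and compares what remains with the unsigned image. The module bytes and signature blob below are constructed placeholders, not real ELF or PKCS#7 data.

```python
import struct
from typing import Optional

# Trailer layout of a signed .ko (see include/linux/module_signature.h):
#   <module image> <signer name> <key id> <signature> <module_signature> <MAGIC>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian u32 (12 bytes in total).
SIG_STRUCT = struct.Struct(">BBBBB3xI")


def strip_module_signature(data: bytes) -> Optional[bytes]:
    """Return the module image without its appended signature.

    Returns None when the file carries no appended signature at all, and
    raises ValueError when the trailer claims more bytes than exist.
    """
    if not data.endswith(MAGIC):
        return None
    body = data[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("truncated module_signature struct")
    _algo, _hash, _id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(
        body[-SIG_STRUCT.size:]
    )
    trailer_len = SIG_STRUCT.size + signer_len + key_id_len + sig_len
    if trailer_len > len(body):
        raise ValueError("signature length exceeds file size")
    return body[: len(body) - trailer_len]


def signed_matches_unsigned(signed: bytes, unsigned: bytes) -> bool:
    """True only if 'signed' is exactly 'unsigned' with a signature appended."""
    image = strip_module_signature(signed)
    return image is not None and image == unsigned


# Constructed sample data (placeholders, not a real module or signature).
UNSIGNED_MODULE = b"\x7fELF" + b"constructed module body"
FAKE_SIGNATURE = b"\x30\x82\x00\x03\x00\x00"  # stands in for a PKCS#7 blob
SIGNED_MODULE = (
    UNSIGNED_MODULE
    + FAKE_SIGNATURE
    # id_type 2 is PKEY_ID_PKCS7; signer/key-id lengths are 0 for PKCS#7.
    + SIG_STRUCT.pack(0, 0, 2, 0, 0, len(FAKE_SIGNATURE))
    + MAGIC
)
```

An installer would read the candidate signed file and the installed unsigned file and abort, keeping the older signed modules, when `signed_matches_unsigned` returns False.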