On Mon, 23 Jan 2017 12:02:04 +0000 Luca Boccassi <luca.boccassi@gmail.com> wrote:
> On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > Control: severity -1 important
> >
> > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > wrote:
> > > Package: src:linux-signed
> > > Version: 1.1
> > > Severity: serious
> > >
> > > Several changes are needed before it's ready for release:
> > >
> > > 1. Building signed udebs
> > > 2. Removing the -signed suffix from signed image packages
> >
> > These are now done as of version 2.2.
> >
> > > 3. Signing with an HSM
> >
> > This is not, and it really should be, but I think we can't treat this
> > as a blocker for testing propagation.
> >
> > Ben.
>
> Hello Ben,
>
> I've done some minor changes to add flags to use pesign which supports
> hardware tokens via PKCS11. Inline patch for review.
>
> Fortunately kbuild's sign-file already supports just passing a PKCS11
> URI, which makes it so much simpler. On the other hand as you most
> likely have found out already pesign needs an NSS DB and cert nicknames
> and tokens, and all in all it's a really awkward API to use, but that's
> what we have to work with I suppose.
>
> What do you think?
>
> Thanks!
>
> Kind regards,
> Luca Boccassi

And as a followup, the build-time change to attach using pesign. The
build-dependency is generated based on rules.defs.

Thanks!

Kind regards,
Luca Boccassi

From 85f0fa32b76566139e69efa2511b782e1a3b8d3d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com> Date: Mon, 23 Jan 2017 13:34:05 +0000 Subject: [PATCH] Add support for pesign to attach signatures at build-time Generate the build-dependency according to the SIGNER variable in rules.defs and use the right tool in debian/rules.real. pesign does not support attaching signatures in-place so a copy of the binary has to be taken and then removed. --- debian/bin/gencontrol.py | 9 +++++++-- debian/rules | 2 +- debian/rules.real | 11 +++++++++-- debian/templates/control.source.in | 2 +- 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py index 991a22d..cbbf2da 100755 --- a/debian/bin/gencontrol.py +++ b/debian/bin/gencontrol.py @@ -12,7 +12,7 @@ from debian_linux.utils import Templates, read_control import os.path, re, codecs, io, subprocess class Gencontrol(Base): - def __init__(self, config, image_version, signed_version_suffix): + def __init__(self, config, image_version, signed_version_suffix, signer=''): super(Gencontrol, self).__init__(ConfigCoreDump(fp = open(config, "rb")), Templates(["debian/templates"])) config_entry = self.config['version',] @@ -21,6 +21,10 @@ class Gencontrol(Base): # Check current linux-support version assert self.version.complete == re.sub(r'\+b\d+$', r'', image_version) + if len(signer) == 0 or signer == 'sbsign': + self.signer_package = 'sbsigntool' + else: + self.signer_package = signer self.abiname = config_entry['abiname'] self.binary_version = image_version + signed_version_suffix self.vars = { @@ -31,6 +35,7 @@ class Gencontrol(Base): 'imageversion': image_version, 'imagesourceversion': self.version.complete, 'binaryversion': self.binary_version, + 'signer_package': self.signer_package, } def _substitute_file(self, template, vars, target, append=False): 
@@ -141,4 +146,4 @@ class Gencontrol(Base): (vars['abiname'], vars['localversion'], name)) if __name__ == '__main__': - Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2], sys.argv[3])() + Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2], sys.argv[3], sys.argv[4])() diff --git a/debian/rules b/debian/rules index dd4aa40..72fcd2b 100755 --- a/debian/rules +++ b/debian/rules @@ -43,7 +43,7 @@ endif debian/control-real: $(GENCONTROL) $(CONTROL_FILES) dpkg --compare-versions '$(KERNEL_IMAGE_VERSION)$(SIGNED_VERSION_SUFFIX)' lt '$(KERNEL_IMAGE_VERSION)+deb' - $(GENCONTROL) /usr/src/linux-support-$(KERNEL_ABINAME) $(KERNEL_IMAGE_VERSION) '$(SIGNED_VERSION_SUFFIX)' + $(GENCONTROL) /usr/src/linux-support-$(KERNEL_ABINAME) $(KERNEL_IMAGE_VERSION) '$(SIGNED_VERSION_SUFFIX)' "$(SIGNER)" md5sum $^ > debian/control.md5sum @echo @echo This target is made to fail intentionally, to make sure diff --git a/debian/rules.real b/debian/rules.real index 8632121..98cbcb7 100644 --- a/debian/rules.real +++ b/debian/rules.real 
@@ -15,9 +15,16 @@ install-signed: mkdir -p $(PACKAGE_DIR)/boot rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \ $(PACKAGE_DIR)/boot/ +# pesign does not support in-place signature attaching if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \ - sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ - $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ + if [ "$(SIGNER)" = "pesign" ]; then \ + mv $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION) $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned; \ + pesign --import-signed-certificate $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig -i $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned -o $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ + rm -f $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned; \ + else \ + sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \ + $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \ + fi; \ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \ else \ echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \ diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in index c52fbe7..16ece64 100644 --- a/debian/templates/control.source.in +++ b/debian/templates/control.source.in 
@@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org> Uploaders: Ben Hutchings <ben@decadent.org.uk> Standards-Version: 3.9.6 -Build-Depends: debhelper (>= 9.20151004~), rsync, sbsigntool [amd64 arm64 armhf i386], kernel-wedge (>= 2.93~), linux-kbuild-@version@ +Build-Depends: debhelper (>= 9.20151004~), rsync, @signer_package@ [amd64 arm64 armhf i386], kernel-wedge (>= 2.93~), linux-kbuild-@version@ Vcs-Git: https://anonscm.debian.org/git/kernel/linux-signed.git Vcs-Browser: https://anonscm.debian.org/cgit/kernel/linux-signed.git Homepage: https://www.kernel.org/ -- 2.1.4
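Review bot: in the debian/bin/gencontrol.py hunk that sets self.signer_package, any SIGNER value other than '' or 'sbsign' is copied verbatim into Build-Depends, so a typo or stray whitespace in rules.defs produces an unsatisfiable build-dependency with no diagnostic. Use an explicit mapping and fail on anything else, e.g. `signer_packages = {'': 'sbsigntool', 'sbsign': 'sbsigntool', 'pesign': 'pesign'}` followed by `self.signer_package = signer_packages[signer]` (or a clear error), so the only accepted values are the two tools that debian/rules.real actually branches on.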
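Review bot: in the `if __name__ == '__main__':` hunk of gencontrol.py, `sys.argv[4]` is read unconditionally, so invoking the script with three arguments now raises IndexError and the `signer=''` default added to `__init__` is never exercised. Either pass `sys.argv[4] if len(sys.argv) > 4 else ''` or drop the default; debian/rules does quote "$(SIGNER)" so an empty value still arrives as a fourth argument, but the script should not rely on that one caller.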
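Review bot: in the debian/rules hunk, the quoting of "$(SIGNER)" is correct (an empty SIGNER is still passed as an empty positional argument), but the debian/control-real target's prerequisites remain `$(GENCONTROL) $(CONTROL_FILES)` and its md5sum is taken over `$^`. Please confirm rules.defs is part of $(CONTROL_FILES); if it is not, changing SIGNER there neither regenerates debian/control nor invalidates debian/control.md5sum.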
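Review bot: in the debian/rules.real hunk, the pesign branch can silently ship a package without its kernel image: after `mv ... vmlinuz-$(KERNEL_VERSION).unsigned`, a failing `pesign --import-signed-certificate` does not abort the `if` body (the recipe's shell is not running with `set -e`), `rm -f ... .unsigned` still deletes the only copy, and the recipe then appends the "signed for use with Secure Boot" substvar and exits 0. Chain the three commands with `&&` and fail the build on error, e.g. `mv ... && pesign ... && rm -f ... || exit 1;`; the same `|| exit 1` is worth adding to the sbattach branch, which today also ignores a failed attach.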
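Review bot: in the debian/templates/control.source.in hunk, the substitution of @signer_package@ makes SIGNER in rules.defs part of the package's build interface, yet nothing in this patch documents which values are accepted (sbsign, pesign) or that the default resolves to sbsigntool. Add a comment next to the SIGNER variable in rules.defs, or a line in README.source, stating the accepted values and that they select both the build-dependency and the attach tool in rules.real.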