On Mon, 23 Jan 2017 12:02:04 +0000 Luca Boccassi <luca.boccassi@gmail.com> wrote:
> On Fri, 02 Sep 2016 16:54:10 +0100 Ben Hutchings <ben@decadent.org.uk> wrote:
> > Control: severity -1 important
> >
> > On Fri, 10 Jun 2016 16:55:43 +0100 Ben Hutchings <ben@decadent.org.uk>
> > wrote:
> > > Package: src:linux-signed
> > > Version: 1.1
> > > Severity: serious
> > >
> > > Several changes are needed before it's ready for release:
> > >
> > > 1. Building signed udebs
> > > 2. Removing the -signed suffix from signed image packages
> >
> > These are now done as of version 2.2.
> >
> > > 3. Signing with an HSM
> >
> > This is not, and it really should be, but I think we can't treat this
> > as a blocker for testing propagation.
> >
> > Ben.
>
> Hello Ben,
>
> I've done some minor changes to add flags to use pesign which supports
> hardware tokens via PKCS11. Inline patch for review.
>
> Fortunately kbuild's sign-file already supports just passing a PKCS11
> URI, which makes it so much simpler. On the other hand as you most
> likely have found out already pesign needs an NSS DB and cert nicknames
> and tokens, and all in all it's a really awkward API to use, but that's
> what we have to work with I suppose.
>
> What do you think?
>
> Thanks!
>
> Kind regards,
> Luca Boccassi
And as a follow-up, the build-time change to attach using pesign. The
build-dependency is generated based on rules.defs.
Thanks!
Kind regards,
Luca Boccassi
From 85f0fa32b76566139e69efa2511b782e1a3b8d3d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Mon, 23 Jan 2017 13:34:05 +0000
Subject: [PATCH] Add support for pesign to attach signatures at build-time
Generate the build-dependency according to the SIGNER variable in
rules.defs and use the right tool in debian/rules.real.
pesign does not support attaching signatures in-place so a copy of
the binary has to be taken and then removed.
---
debian/bin/gencontrol.py | 9 +++++++--
debian/rules | 2 +-
debian/rules.real | 11 +++++++++--
debian/templates/control.source.in | 2 +-
4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/debian/bin/gencontrol.py b/debian/bin/gencontrol.py
index 991a22d..cbbf2da 100755
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@@ -12,7 +12,7 @@ from debian_linux.utils import Templates, read_control
import os.path, re, codecs, io, subprocess
class Gencontrol(Base):
- def __init__(self, config, image_version, signed_version_suffix):
+ def __init__(self, config, image_version, signed_version_suffix, signer=''):
super(Gencontrol, self).__init__(ConfigCoreDump(fp = open(config, "rb")), Templates(["debian/templates"]))
config_entry = self.config['version',]
@@ -21,6 +21,10 @@ class Gencontrol(Base):
# Check current linux-support version
assert self.version.complete == re.sub(r'\+b\d+$', r'', image_version)
+ if len(signer) == 0 or signer == 'sbsign':
+ self.signer_package = 'sbsigntool'
+ else:
+ self.signer_package = signer
self.abiname = config_entry['abiname']
self.binary_version = image_version + signed_version_suffix
self.vars = {
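Review bot: the `else` branch `self.signer_package = signer` passes whatever SIGNER holds straight through as a Build-Depends package name, so a typo in rules.defs silently produces an unsatisfiable build-dependency instead of an error at gencontrol time. An explicit mapping such as `{'': 'sbsigntool', 'sbsign': 'sbsigntool', 'pesign': 'pesign'}` with a raise on unknown values would catch that, and `not signer` reads better than `len(signer) == 0`.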
@@ -31,6 +35,7 @@ class Gencontrol(Base):
'imageversion': image_version,
'imagesourceversion': self.version.complete,
'binaryversion': self.binary_version,
+ 'signer_package': self.signer_package,
}
def _substitute_file(self, template, vars, target, append=False):
@@ -141,4 +146,4 @@ class Gencontrol(Base):
(vars['abiname'], vars['localversion'], name))
if __name__ == '__main__':
- Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2], sys.argv[3])()
+ Gencontrol(sys.argv[1] + "/config.defines.dump", sys.argv[2], sys.argv[3], sys.argv[4])()
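Review bot: `sys.argv[4]` is now mandatory at the call site, so the `signer=''` default added to `__init__` in the first hunk is never used and any caller still passing three arguments gets an IndexError rather than the sbsign default. Either `sys.argv[4] if len(sys.argv) > 4 else ''` here, or dropping the unused default, keeps the two consistent.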
diff --git a/debian/rules b/debian/rules
index dd4aa40..72fcd2b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -43,7 +43,7 @@ endif
debian/control-real: $(GENCONTROL) $(CONTROL_FILES)
dpkg --compare-versions '$(KERNEL_IMAGE_VERSION)$(SIGNED_VERSION_SUFFIX)' lt '$(KERNEL_IMAGE_VERSION)+deb'
- $(GENCONTROL) /usr/src/linux-support-$(KERNEL_ABINAME) $(KERNEL_IMAGE_VERSION) '$(SIGNED_VERSION_SUFFIX)'
+ $(GENCONTROL) /usr/src/linux-support-$(KERNEL_ABINAME) $(KERNEL_IMAGE_VERSION) '$(SIGNED_VERSION_SUFFIX)' "$(SIGNER)"
md5sum $^ > debian/control.md5sum
@echo
@echo This target is made to fail intentionally, to make sure
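Review bot: quoting `"$(SIGNER)"` is right, since an empty SIGNER must still arrive as an (empty) fourth argument. Because debian/control now depends on the SIGNER value from rules.defs, please confirm that rules.defs is among `$(CONTROL_FILES)` so that the `md5sum $^` staleness check forces a regeneration when the signer is switched; otherwise a stale control file with the wrong build-dependency would pass the check.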
diff --git a/debian/rules.real b/debian/rules.real
index 8632121..98cbcb7 100644
--- a/debian/rules.real
+++ b/debian/rules.real
@@ -15,9 +15,16 @@ install-signed:
mkdir -p $(PACKAGE_DIR)/boot
rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map $(IMAGE_INSTALL_STEM)) \
$(PACKAGE_DIR)/boot/
+# pesign does not support in-place signature attaching
if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
- sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
- $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ if [ "$(SIGNER)" = "pesign" ]; then \
+ mv $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION) $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned; \
+ pesign --import-signed-certificate $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig -i $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned -o $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ rm -f $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).unsigned; \
+ else \
+ sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+ $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ fi; \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The kernel image and modules are signed for use with Secure Boot.'; \
else \
echo >> debian/$(PACKAGE_NAME).substvars 'signed:Description=The modules are signed.'; \
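Review bot: in the pesign branch the `mv`, `pesign --import-signed-certificate` and `rm -f` are chained with `;`, so if pesign fails the unsigned copy is still deleted and the recipe continues to the `echo`, leaving the package without a vmlinuz and the recipe exiting successfully unless the shell runs with `-e`. Chaining with `&&` (`mv ... && pesign ... && rm -f ...`), or writing to a temporary output and only replacing the original on success, would make the failure visible. The sbattach branch has the same `; echo` pattern, which it already had before this change.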
diff --git a/debian/templates/control.source.in b/debian/templates/control.source.in
index c52fbe7..16ece64 100644
--- a/debian/templates/control.source.in
+++ b/debian/templates/control.source.in
@@ -4,7 +4,7 @@ Priority: optional
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Uploaders: Ben Hutchings <ben@decadent.org.uk>
Standards-Version: 3.9.6
-Build-Depends: debhelper (>= 9.20151004~), rsync, sbsigntool [amd64 arm64 armhf i386], kernel-wedge (>= 2.93~), linux-kbuild-@version@
+Build-Depends: debhelper (>= 9.20151004~), rsync, @signer_package@ [amd64 arm64 armhf i386], kernel-wedge (>= 2.93~), linux-kbuild-@version@
Vcs-Git: https://anonscm.debian.org/git/kernel/linux-signed.git
Vcs-Browser: https://anonscm.debian.org/cgit/kernel/linux-signed.git
Homepage: https://www.kernel.org/
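Review bot: the architecture restriction `[amd64 arm64 armhf i386]` is kept for `@signer_package@`; it was chosen for sbsigntool, so it is worth confirming that pesign is available on each of those architectures before a SIGNER=pesign build is attempted there.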
--
2.1.4