Skip to content

Commit 5ebf122

Browse files
committed
1 parent d4ac034 commit 5ebf122

File tree

3 files changed

+106
-0
lines changed

3 files changed

+106
-0
lines changed

default-package-config.sh

Lines changed: 56 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -160,6 +160,35 @@ function kernel_build() {
160160
#
161161
logmust fakeroot debian/rules printenv "${debian_rules_args[@]}"
162162

163+
#
164+
# Download SB keys and configure signing keys/certs before build
165+
#
166+
SB_KEYS_DIR="/var/tmp/sbkeys"
167+
logmust mkdir -p $SB_KEYS_DIR
168+
logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
169+
170+
FLAVOUR=$platform
171+
OBJ=debian/build/build-$FLAVOUR
172+
CERTS=$OBJ/certs
173+
174+
ensure the objdir + certs dir exist
175+
mkdir -p "$CERTS"
176+
177+
# provide the key the packaging expects INSIDE the objdir
178+
# (symlink or copy)
179+
logmust ln -sf "${SB_KEYS_DIR}/signing_key.pem" "$CERTS/signing_key.pem"
180+
logmust chmod 600 "$CERTS/signing_key.pem"
181+
182+
# create the DER .x509 that sign-file needs from .crt)
183+
logmust openssl x509 -in "${SB_KEYS_DIR}/db.crt" -outform DER -out "$CERTS/signing_key.x509"
184+
# sanity checks
185+
logmust test -s "$CERTS/signing_key.pem" || { echo "missing signing_key.pem"; exit 1; }
186+
logmust test -s "$CERTS/signing_key.x509" || { echo "missing signing_key.x509"; exit 1; }
187+
logmust openssl pkey -in "$CERTS/signing_key.pem" -noout >/dev/null || { echo "key unreadable"; exit 1; }
188+
189+
SBSIGN_KEY="${SBSIGN_KEY:-$SB_KEYS_DIR/db.key}"
190+
SBSIGN_CERT="${SBSIGN_CERT:-$SB_KEYS_DIR/db.crt}"
191+
163192
#
164193
# The default value of the tool argument for mk-build-deps
165194
# is the following:
@@ -203,6 +232,33 @@ function kernel_build() {
203232
# one of the .debs produced
204233
#
205234
logmust test -f "artifacts/linux-image-${kernel_version}_"*.deb
235+
236+
#
237+
# After the build, unpackage linux-image package and sign vmlinuz
238+
#
239+
linux_deb=$(find artifacts -type f -name "linux-image-${kernel_version}*.deb" | head -n1)
240+
temp_dir=$(mktemp -d -p "/var/tmp/")
241+
logmust fakeroot dpkg-deb -R $linux_deb "$temp_dir"
242+
243+
bz="$temp_dir/boot/vmlinuz-${kernel_version}"
244+
logmust sbsign --key $SBSIGN_KEY --cert $SBSIGN_CERT --output "$bz.signed" "$bz"
245+
logmust mv "$bz.signed" "$bz"
246+
logmust sbverify --list "$bz"
247+
248+
# Update md5sums
249+
( cd "$temp_dir"
250+
: > DEBIAN/md5sums
251+
# print paths relative to root of package
252+
while IFS= read -r -d '' f; do
253+
rel="${f#./}"
254+
md5sum "$rel" >> DEBIAN/md5sums
255+
done < <(find . -type f ! -path './DEBIAN/*' -print0)
256+
)
257+
258+
# Repack the .deb"
259+
out_deb="artifacts/linux-image.deb"
260+
logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
261+
logmust mv "$out_deb" "$linux_deb"
206262
}
207263

208264
#

packages/zfs/config.sh

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -174,6 +174,53 @@ function build() {
174174
done
175175
logmust cd "$WORKDIR"
176176
logmust mv "all-packages/"*.deb "artifacts/"
177+
178+
# Sign ZFS modules in all packages
179+
sign_zfs_modules
180+
}
181+
182+
SB_KEYS_DIR="/var/tmp/sbkeys"
183+
SBSIGN_KEY="$SB_KEYS_DIR/db.key"
184+
SBSIGN_DER="$SB_KEYS_DIR/db.der"
185+
186+
#
187+
# Unpack zfs-modules packages in artifacts directory, sign, then repack
188+
#
189+
function sign_zfs_modules() {
190+
echo_bold "Signing ZFS modules"
191+
logmust mkdir -p $SB_KEYS_DIR
192+
logmust aws s3 cp --recursive s3://secure-boot-keys-prod/temp/db/ $SB_KEYS_DIR
193+
for zfs_package in $(find artifacts -type f -name "zfs-modules-*.deb" ! -name "*-dbg*"); do
194+
echo_bold "Processing $p"
195+
temp_dir=$(mktemp -d -p "/var/tmp/")
196+
logmust fakeroot dpkg-deb -R $zfs_package "$temp_dir"
197+
198+
zfs=$(find $temp_dir -type f -name zfs.ko)
199+
spl=$(find $temp_dir -type f -name spl.ko)
200+
201+
logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $zfs "$zfs.signed"
202+
logmust kmodsign sha256 $SBSIGN_KEY $SBSIGN_DER $spl "$spl.signed"
203+
logmust mv "$zfs.signed" "$zfs"
204+
logmust mv "$spl.signed" "$spl"
205+
logmust modinfo -F signer "$zfs"
206+
logmust modinfo -F signer "$spl"
207+
208+
# Update md5sums
209+
( cd "$temp_dir"
210+
: > DEBIAN/md5sums
211+
# print paths relative to root of package
212+
while IFS= read -r -d '' f; do
213+
rel="${f#./}"
214+
md5sum "$rel" >> DEBIAN/md5sums
215+
done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
216+
)
217+
218+
# Repack the .deb"
219+
out_deb="artifacts/zfs-modules.deb"
220+
logmust fakeroot dpkg-deb -b "$temp_dir" "$out_deb"
221+
logmust mv "$out_deb" "$zfs_package"
222+
223+
done
177224
}
178225

179226
function update_upstream() {

resources/delphix_kernel_annotations

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@
22
# FORMAT: 4
33
# ARCH: amd64
44
# FLAVOUR: amd64-aws amd64-azure amd64-generic amd64-gcp amd64-oracle
5+
#
6+
CONFIG_MODULE_SIG_KEY policy<{'amd64': '"/var/tmp/sbkeys/signing_key.pem"'}>
7+
CONFIG_MODULE_SIG_FORCE policy<{'amd64': 'y', 'arm64': 'y'}>
58

69
#
710
# Disable various "net" modules which we don't use.

0 commit comments

Comments
 (0)