[PATCH 6/9] UBUNTU: [Packaging] linux-restricted-generate -- generate unsigned modules for signing

Andy Whitcroft apw at canonical.com
Mon Mar 8 15:00:01 UTC 2021


Consume the pre-built .o's as generated in linux-restricted-modules via
the linux-objects-nvidia-* packages; assembling them as per the end-user
system.  Form a signing custom binary upload from these and submit for
signing.  Note that this must be embargoed as it represents fully formed
modules.

BugLink: https://bugs.launchpad.net/bugs/1918134
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 debian/rules.lrg                    |  31 +++++++
 debian/scripts/dkms-build--nvidia-N |   1 +
 debian/scripts/gen-rules            |   1 +
 debian/scripts/gen-rules.lrg        | 138 ++++++++++++++++++++++++++++
 4 files changed, 171 insertions(+)
 create mode 100755 debian/rules.lrg
 create mode 100755 debian/scripts/gen-rules.lrg

diff --git a/debian/rules.lrg b/debian/rules.lrg
new file mode 100755
index 0000000..e431275
--- /dev/null
+++ b/debian/rules.lrg
@@ -0,0 +1,31 @@
+##export DH_VERBOSE := 1
+
+arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
+
+test::
+	echo "$(src_version) $(src_main_version)"
+
+debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
+	$(CC) -o $@ $^
+
+clean::
+	rm -rf rm -rf $(dkms_dir)
+	rm -f debian/scripts/fix-filenames
+
+%:
+	dh $@
+
+custom_top=debian/custom
+custom_dir=$(custom_top)/$(src_version)
+custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz
+custom-upload:
+	install -d $(custom_dir)/control
+	{ echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options
+	cd $(custom_top) && tar czvf ../../../$(custom_tar) .
+	dpkg-distaddfile $(custom_tar) raw-signing -
+
+override_dh_prep: debian/scripts/fix-filenames
+	dh_prep
+
+override_dh_auto_install: nvidia-$(arch) custom-upload
+	dh_install
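Review bot: The `clean::` recipe reads `rm -rf rm -rf $(dkms_dir)`, which repeats the command name and relies on `dkms_dir`, a variable that neither this file nor the header written by gen-rules.lrg assigns; unless it is set somewhere outside this patch, the line removes nothing useful. Meanwhile `$(custom_top)`, the tree that `custom-upload` tars and registers as `raw-signing`, is never cleaned, so content left over from an earlier build in the same tree could end up in the signing upload. I would change the line to `rm -rf $(custom_top)` and keep `$(dkms_dir)` only if it is defined elsewhere. The `test::` target has a similar gap: `$(src_main_version)` is computed in gen-rules.lrg but is not among the variables written to rules.gen.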
diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
index b79404b..d37082c 100755
--- a/debian/scripts/dkms-build--nvidia-N
+++ b/debian/scripts/dkms-build--nvidia-N
@@ -77,6 +77,7 @@ sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
 	if [ "$sign" = "--custom" ]; then
 		# We are building for and archive custom signing upload.  Keep everything.
 		:
+
 	elif [ "$sign" = "--lrm" ]; then
 		# We are in LRM build the package a copy in any signatures we can
 		# find for them.  These will be added after linking.
diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules
index ff91f48..8952f4b 100755
--- a/debian/scripts/gen-rules
+++ b/debian/scripts/gen-rules
@@ -2,6 +2,7 @@
 
 src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
 case "$src_package" in
+linux-restricted-generate*)	pkg='lrg' ;;
 linux-restricted-modules*)	pkg='lrm' ;;
 esac
 
diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg
new file mode 100755
index 0000000..1c13885
--- /dev/null
+++ b/debian/scripts/gen-rules.lrg
@@ -0,0 +1,138 @@
+#!/bin/bash
+
+# Pick out relevant version and package information including our predecessor
+# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
+src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
+src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
+src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
+src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
+
+# linux/5.8.0-41.46
+src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//')
+src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//') 
+
+# linux-restricted-generate/5.8.0-41.46[+1]
+
+# linux-restricted-signatures/5.8.0-41.46[+1]
+
+# linux-restricted-modules/5.8.0-41.46[+1]
+src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/')
+src_lrm_version=${src_version}
+
+cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL
+#! /usr/bin/make -f
+
+src_package := ${src_package}
+src_version = ${src_version}
+src_abi = ${src_abi}
+src_series = ${src_series}
+src_lrm_package = ${src_lrm_package}
+src_lrm_version = ${src_lrm_version}
+
+EOL
+
+: >"debian/control.interlock-up"
+
+nvidia_desktop=
+nvidia_server=
+nvidia_ignore=
+while read command arg
+do
+	case "$command" in
+	option)		;;
+	suppress)		nvidia_ignore="$nvidia_ignore $arg"; continue ;;
+	*)		continue ;;
+	esac
+
+	case "$arg" in
+	desktop)	nvidia_desktop=y ;;
+	server)		nvidia_server=y ;;
+	esac
+done <"debian/package.config"
+
+build_archs=
+while read command flavour archs
+do
+	case "$command" in
+	build)		;;
+	*)		continue ;;
+	esac
+
+	for arch in $archs
+	do
+		case " $build_archs " in
+		*\ $arch\ *)    ;;
+		*)              build_archs="$build_archs $arch" ;;
+		esac
+	done
+
+	targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
+
+	while read package version extra
+	do
+		case "$package" in
+		nvidia-graphics-drivers-*-server)
+			[ -z "$nvidia_server" ] && continue
+			;;
+		nvidia-graphics-drivers-*)
+			[ -z "$nvidia_desktop" ] && continue
+			;;
+		*) continue ;;
+		esac
+		case " $nvidia_ignore " in
+		*\ $package\ *)		continue ;;
+		esac
+
+		case " $extra " in
+		*\ signonly\ *)		continue ;;
+		esac
+
+		suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//')
+		suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g')
+		suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g')
+
+		echo "II: build $package for $flavour $archs"
+
+		cat - >>"debian/control.interlock-up" <<EOL
+ linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}],
+EOL
+
+		# debian/rules.gen
+		# XXX: BUILD should help us here.
+		cat - >>"debian/rules.gen" <<EOL
+
+# $package $version $suffix_minus $suffix_under $suffix_short
+$targets::
+	install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+	cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
+	(													\
+		cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1;	\
+		sh BUILD unsigned;										\
+		sha256sum -c SHA256SUMS || exit 1;								\
+		mv *.ko ..;										\
+	)
+	rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits
+EOL
+
+	done <"debian/dkms-versions"
+done <"debian/package.config"
+
+{
+	cat "debian/control.common" "-" <<EOL
+
+Package: ${src_package}
+Architecture:${build_archs}
+Section: kernel
+Description: Build interlock package
+ Build interlock package.  You do not want to install this package.
+EOL
+} | sed \
+	-e "/@BUILD-INTERLOCK@/{"		\
+	-e " r debian/control.interlock-up"	\
+	-e " d"					\
+	-e " }"					\
+	-e "s/@SRCPKGNAME@/${src_package}/g"	\
+	-e "s/@ABI@/${src_abi}/g"		\
+    >"debian/control"
+
+rm -f "debian/control.interlock-up"
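Review bot: In the generated `$targets::` recipe, the exit status of `sh BUILD unsigned;` is not checked, and `mv *.ko ..;` moves every `.ko` found in `bits`, not only the files that `sha256sum -c SHA256SUMS` has just verified. Because the result is tarred and submitted for signing, a module the manifest does not list would be signed without an integrity check; SHA256SUMS is not visible here, so its coverage is an assumption to confirm. I would write `sh BUILD unsigned || exit 1;` and fail the recipe when the set of `*.ko` files differs from the names listed in SHA256SUMS before moving them. The script also runs without `set -e`, so a version that does not match the `src_abi` sed pattern silently yields an empty ABI and paths such as `/lib/modules/-<flavour>`.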
-- 
2.29.2



