[PATCH 6/9] UBUNTU: [Packaging] linux-restricted-generate -- generate unsigned modules for signing

Stefan Bader stefan.bader at canonical.com
Tue Mar 9 09:29:22 UTC 2021 

On 08.03.21 16:00, Andy Whitcroft wrote:
> Consume the pre-built .o's as generated in linux-restricted-modules via
> the linux-objects-nvidia-* packages; assembling them as per the end-user
> system.  Form a signing custom binary upload from these and submit for
> signing.  Note that this must be embargoed as it represents fully formed
> module.
> 
> BugLink: https://bugs.launchpad.net/bugs/1918134
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
>   debian/rules.lrg                    |  31 +++++++
>   debian/scripts/dkms-build--nvidia-N |   1 +
>   debian/scripts/gen-rules            |   1 +
>   debian/scripts/gen-rules.lrg        | 138 ++++++++++++++++++++++++++++
>   4 files changed, 171 insertions(+)
>   create mode 100755 debian/rules.lrg
>   create mode 100755 debian/scripts/gen-rules.lrg
> 
> diff --git a/debian/rules.lrg b/debian/rules.lrg
> new file mode 100755
> index 0000000..e431275
> --- /dev/null
> +++ b/debian/rules.lrg
> @@ -0,0 +1,31 @@
> +##export DH_VERBOSE := 1
> +
> +arch = $(shell dpkg-architecture -qDEB_HOST_ARCH)
> +
> +test::
> +	echo "$(src_version) $(src_main_version)"
> +
> +debian/scripts/fix-filenames: debian/scripts/fix-filenames.c
> +	$(CC) -o $@ $^
> +
> +clean::
> +	rm -rf rm -rf $(dkms_dir)
> +	rm -f debian/scripts/fix-filenames
> +
> +%:
> +	dh $@
> +
> +custom_top=debian/custom
> +custom_dir=$(custom_top)/$(src_version)
> +custom_tar=$(src_package)_$(src_version)_$(arch).tar.gz
> +custom-upload:
> +	install -d $(custom_dir)/control
> +	{ echo "tarball"; echo "signed-only"; } >$(custom_dir)/control/options
> +	cd $(custom_top) && tar czvf ../../../$(custom_tar) .
> +	dpkg-distaddfile $(custom_tar) raw-signing -
> +
> +override_dh_prep: debian/scripts/fix-filenames
> +	dh_prep
> +
> +override_dh_auto_install: nvidia-$(arch) custom-upload
> +	dh_install
> diff --git a/debian/scripts/dkms-build--nvidia-N b/debian/scripts/dkms-build--nvidia-N
> index b79404b..d37082c 100755
> --- a/debian/scripts/dkms-build--nvidia-N
> +++ b/debian/scripts/dkms-build--nvidia-N
> @@ -77,6 +77,7 @@ sed -e 's/.*-o  *\([^ ]*\) .*/rm -f \1/g' <"$pkgdir/bits/BUILD" >"$pkgdir/bits/C
>   	if [ "$sign" = "--custom" ]; then
>   		# We are building for and archive custom signing upload.  Keep everything.
>   		:
> +

Does this serve any purpose?

>   	elif [ "$sign" = "--lrm" ]; then
>   		# We are in LRM build the package a copy in any signatures we can
>   		# find for them.  These will be added after linking.
> diff --git a/debian/scripts/gen-rules b/debian/scripts/gen-rules
> index ff91f48..8952f4b 100755
> --- a/debian/scripts/gen-rules
> +++ b/debian/scripts/gen-rules
> @@ -2,6 +2,7 @@
>   
>   src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
>   case "$src_package" in
> +linux-restricted-generate*)	pkg='lrg' ;;
>   linux-restricted-modules*)	pkg='lrm' ;;
>   esac
>   
> diff --git a/debian/scripts/gen-rules.lrg b/debian/scripts/gen-rules.lrg
> new file mode 100755
> index 0000000..1c13885
> --- /dev/null
> +++ b/debian/scripts/gen-rules.lrg
> @@ -0,0 +1,138 @@
> +#!/bin/bash
> +
> +# Pick out relevant version and package information including our predecessor
> +# packages: linux -> linux-restricted-modules-signatures -> linux-restricted-modules
> +src_package=$(LC_ALL=C dpkg-parsechangelog -SSource)
> +src_version=$(LC_ALL=C dpkg-parsechangelog -SVersion)
> +src_abi=$(echo "${src_version}" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p')
> +src_series=$(LC_ALL=C dpkg-parsechangelog -SDistribution | sed -e 's/-\(security\|updates\|proposed\)$//')
> +
> +# linux/5.8.0-41.46
> +src_main_package=$(echo "${src_package}" | sed -e 's/-restricted-generate//')
> +src_main_version=$(echo ${src_version} | sed -e 's/+[0-9][0-9\.]*$//')
> +
> +# linux-restricted-generate/5.8.0-41.46[+1]
> +
> +# linux-restricted-signatures/5.8.0-41.46[+1]
> +
> +# linux-restricted-modules/5.8.0-41.46[+1]
> +src_lrm_package=$(echo "${src_package}" | sed -e 's/-restricted-generate/-restricted-modules/')
> +src_lrm_version=${src_version}
> +
> +cat - "debian/rules.lrg" >"debian/rules.gen" <<EOL
> +#! /usr/bin/make -f
> +
> +src_package := ${src_package}
> +src_version = ${src_version}
> +src_abi = ${src_abi}
> +src_series = ${src_series}
> +src_lrm_package = ${src_lrm_package}
> +src_lrm_version = ${src_lrm_version}
> +
> +EOL
> +
> +: >"debian/control.interlock-up"
> +
> +nvidia_desktop=
> +nvidia_server=
> +nvidia_ignore=
> +while read command arg
> +do
> +	case "$command" in
> +	option)		;;
> +	suppress)		nvidia_ignore="$nvidia_ignore $arg"; continue ;;
> +	*)		continue ;;
> +	esac
> +
> +	case "$arg" in
> +	desktop)	nvidia_desktop=y ;;
> +	server)		nvidia_server=y ;;
> +	esac
> +done <"debian/package.config"
> +
> +build_archs=
> +while read command flavour archs
> +do
> +	case "$command" in
> +	build)		;;
> +	*)		continue ;;
> +	esac
> +
> +	for arch in $archs
> +	do
> +		case " $build_archs " in
> +		*\ $arch\ *)    ;;
> +		*)              build_archs="$build_archs $arch" ;;
> +		esac
> +	done
> +
> +	targets=$(echo "$archs" | sed -e 's/\</nvidia-/g')
> +
> +	while read package version extra
> +	do
> +		case "$package" in
> +		nvidia-graphics-drivers-*-server)
> +			[ -z "$nvidia_server" ] && continue
> +			;;
> +		nvidia-graphics-drivers-*)
> +			[ -z "$nvidia_desktop" ] && continue
> +			;;
> +		*) continue ;;
> +		esac
> +		case " $nvidia_ignore " in
> +		*\ $package\ *)		continue ;;
> +		esac
> +
> +		case " $extra " in
> +		*\ signonly\ *)		continue ;;
> +		esac
> +
> +		suffix_minus=$(echo "$package" | sed -e 's/nvidia-graphics-drivers-//')
> +		suffix_under=$(echo "$suffix_minus" | sed -e 's/-/_/g')
> +		suffix_short=$(echo "$suffix_minus" | sed -e 's/-server/srv/g')
> +
> +		echo "II: build $package for $flavour $archs"
> +
> +		cat - >>"debian/control.interlock-up" <<EOL
> + linux-objects-nvidia-${suffix_minus}-${src_abi}-${flavour} (>= ${src_lrm_version}) [${archs}],
> +EOL
> +
> +		# debian/rules.gen
> +		# XXX: BUILD should help us here.
> +		cat - >>"debian/rules.gen" <<EOL
> +
> +# $package $version $suffix_minus $suffix_under $suffix_short
> +$targets::
> +	install -d \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
> +	cp -rp /lib/modules/${src_abi}-${flavour}/kernel/nvidia-${suffix_short}/bits \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}
> +	(													\
> +		cd \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits || exit 1;	\
> +		sh BUILD unsigned;										\
> +		sha256sum -c SHA256SUMS || exit 1;								\
> +		mv *.ko ..;										\
> +	)
> +	rm -rf \$(custom_dir)/${src_abi}-${flavour}/signatures/nvidia-${suffix_short}/bits
> +EOL
> +
> +	done <"debian/dkms-versions"
> +done <"debian/package.config"
> +
> +{
> +	cat "debian/control.common" "-" <<EOL
> +
> +Package: ${src_package}
> +Architecture:${build_archs}
> +Section: kernel
> +Description: Build interlock package
> + Build interlock package.  You do not want to install this package.
> +EOL
> +} | sed \
> +	-e "/@BUILD-INTERLOCK@/{"		\
> +	-e " r debian/control.interlock-up"	\
> +	-e " d"					\
> +	-e " }"					\
> +	-e "s/@SRCPKGNAME@/${src_package}/g"	\
> +	-e "s/@ABI@/${src_abi}/g"		\
> +    >"debian/control"
> +
> +rm -f "debian/control.interlock-up"
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20210309/4416c08a/attachment.sig>

More information about the kernel-team mailing list