[SRU][Bionic/linux-aws][PATCH 2/2] UBUNTU: [Packaging] aws: decompress gzipped efi images in signing tarball

Ian May ian.may at canonical.com
Tue Jan 18 15:57:41 UTC 2022 

From: Seth Forshee <seth.forshee at canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1951011

The arm64 generic kernel image files are gzipped. For UEFI secure
boot grub will validate the sigature on the decompressed image,
so the file in the signing tarbal must also be decompressed.

When this happens we want the kernel to be recompressed in the
linux-image package, but we don't currently have a way to let
linux-signed know that this should happen. Facilitate this by
adding a <efi-image>.vars file to the signing tarball which will
contain shell variables and can be sourced during linux-signed
build. Add "GZIP=1" to this file when decompressing the kernel
image to indicate that the kernel image should be gzipped after
signing.

(cherry picked from commit b9c83b4604990fc6250d4414e5e5cbe772a58537 disco)
Signed-off-by: Ian May <ian.may at canonical.com>
---
 debian/rules.d/2-binary-arch.mk | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index cb168fcbc89d..889581d54a53 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -146,8 +146,17 @@ endif
 
 ifeq ($(uefi_signed),true)
 	install -d $(signingv)
-	cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
-		$(signingv)/$(instfile)-$(abi_release)-$*.efi;
+	# gzipped kernel images must be decompressed for signing
+	if [[ "$(kernfile)" =~ \.gz$$ ]]; then \
+		< $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+			gunzip -cv > $(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+		cp -p --attributes-only $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+			$(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+		echo "GZIP=1" >> $(signingv)/$(instfile)-$(abi_release)-$*.efi.vars; \
+	else \
+		cp -p $(pkgdir_bin)/boot/$(instfile)-$(abi_release)-$* \
+			$(signingv)/$(instfile)-$(abi_release)-$*.efi; \
+	fi
 endif
 ifeq ($(opal_signed),true)
 	install -d $(signingv)
-- 
2.25.1

More information about the kernel-team mailing list