[RFC] linux-signed support for linux-generate

Andy Whitcroft apw at canonical.com
Fri Sep 16 11:46:29 UTC 2022


When kernels containing signed elements are copied into the archive they
are resigned at the destination.  This occurs for -proposed, -updates,
and -security independently unless they are rejected by a vigilant
archive-admin.  If they are accepted for signing, as well as causing
multiple duplicate signings, they are also signed by the archive active
signing key.  As we rotate keys this leaves us at significant risk of
signing those kernels with an inappropriate key; potentially rendering
that key compromised.

As part of the necessary embargoing of the linux-restricted-modules
(LRM) signing-tarballs we introduced a build/generate/signed model; a
three step process by which the build package (LRM in that case)
produces the signable objects, a generate package
(linux-restricted-generate [LRG]) converts those into a signing-tarball,
and finally a signing package (linux-restricted-signatures [LRS])
expresses the signed objects.  By pulling out the signing-tarball
handling to LRG we are able to elide that package in publication
(embargoing the .kos for LRM) and simultaneously avoid all of the
preceding risks.

Here we bring this same formula to the linux-signed package.  The main
linux package will continue to produce linux-image-unsigned packages;
but no longer produce the signing-tarball.  linux-generate will consume
those unsigned packages and upload the signing-tarball.  Finally
linux-signed will consume the signed kernels and package those as normal
into linux-image packages.  In a similar fashion to LRG we will
eliminate linux-generate from the final publications.  To achieve this
we will introduce linux-generate as a direct-ancillary on the
linux-signed package eliminating the need for manual handling of any new
packages.

Following this email are 13 patches.  The first two represent some
simple cleanups and simplifications ready for conversion:

UBUNTU: [Packaging] generate-depends: relocate to debian/scripts
UBUNTU: [Packaging] generate-depends -- simplify unsigned to signed conversions

The next two introduce a debian/package.config similar to that used in
LRM, and switch to configuring the package from it:

UBUNTU: [Config] signing package.config
UBUNTU: [Packaging] generate: switch to generating debian/control based on debian/package.config

The next five patches generify the handling (this is based on an initial
kinetic base) to include di support for older series, HMAC support for
fips, and FIT support should that be required:

UBUNTU: [Packaging] generate: pull out configuration as a library for later use
UBUNTU: [Packaging] generate: add -di package support
UBUNTU: [Packaging] generate: only produce -di package configuration when present
UBUNTU: [Packaging] generate: add HMAC support
UBUNTU: [Packaging] generate: add FIT support

The next two introduce the actual linux-generate as a direct ancillary:

UBUNTU: [Packaging] generate: add linux-generate as a direct ancillary
UBUNTU: [Packaging] generate: switch to consuming signed artifacts from linux-generate

The next patch updates the update-version scripting to match semantics
with LRM, this makes it easier to drive this from an automated respin:

UBUNTU: [Packaging] generate: update-version -- update to latest version

Finally, the last patch introduces a version (and associated tracker) to
make automated updates simpler.

UBUNTU: signed-version 3.0

Proposing to apply this to kinetic initially and once settled, to
programmatically apply this to all archive-destined linux-signed packages
as listed in kernel-series as SIGNEDv3 under LP: #1989705[1].

-apw

[1] https://bugs.launchpad.net/bugs/1989705


