Files
kernel/kernel-signed/kernel-rt-signed/debian/deb_patches
Li Zhou 4f3e32ce75 Debian: add init version for kernel-std/rt-signed
kernel-std-signed is used to create the signed kernel package
(linux-image-5.10.0-6-amd64) and 2 common packages
(linux-image-amd64 and linux-headers-amd64) without the abi version
in package name.

The process of building kernel-std-signed is as below
(following debian):

(1) Build kernel-std.
When we build kernel-std, linux-image-amd64-signed-template package
is created. It contains both a debian folder for building
kernel-std-signed later and the information of files which maybe need
signatures in the unsigned kernel package
linux-image-5.10.0-6-amd64-unsigned.

(2) Run script to sign kernel image file.
This script can be customized according to different requests.
e.g. I use the script debian-test-sign from debian
(https://salsa.debian.org/kernel-team/kernel-team/-/blob/master/
scripts/debian-test-sign) and adjust it according to our needs.
This script's input is the output files of building kernel-std:
linux_*_amd64.changes;
linux-image-amd64-signed-template_*_amd64.deb;
linux-image-5.10.0-6-amd64-unsigned_*_amd64.deb.
This script's output is 2 files put at kernel-std's output path
(/localdisk/loadbuild/*/stx/std/kernel-std):
linux-signed-amd64_*.dsc;
linux-signed-amd64_*.tar.xz.
The 2nd file contains a debian folder for building kernel-std-signed
and the signature for kernel image file.

(3) Build kernel-std-signed
Get the debian folder from linux-signed-amd64_*.tar.xz and build
3 pkgs:
linux-image-5.10.0-6-amd64;
linux-image-amd64;
linux-headers-amd64.
linux-image-5.10.0-6-amd64's difference with
linux-image-5.10.0-6-amd64-unsigned is that it contains kernel
image's signature.

Please pay attention to what has been changed vs. debian
in this process:

(1) Because we don't follow the debian secure boot process and follow
LAT(wrlinux) secure boot process, I need to adjust the script
debian-test-sign to do the signing and also need to adjust the debian
folder for building kernel-std-signed.
Their differences are:
LAT uses gpg and debian uses sbsign for signing kernel image;
LAT puts vmlinuz image at a different path from debian package.
Path of kernel image (vmlinuz-5.10.0-6-amd64) in signed kernel
package is /boot/, while LAT puts it at /boot/X/vmlinuz
("X" is variable and can be found in the BOOT_IMAGE setting
in /proc/cmdline).
Need to copy the kernel image and its sig file to the path that LAT uses
after installing signed kernel package (linux-image-5.10.0-6-amd64).
Extra lines are added in the pkg's postinst script for this.

(2) Another change is that we need not care about signing modules
here because we have signed them when building kernel-std and oot
kernel-modules.

kernel-rt-signed has a similar set of above things.

Test plan:
 - PASS: Build kernel-std and its oot kernel-modules;
         Run script to sign kernel image file;
         Build kernel-std-signed;
         Change code to install linux-image-5.10.0-6-amd64 instead
         of linux-image-5.10.0-6-amd64-unsigned and build image.
         Boot up qemu with secure boot enabled.
         Scp newer linux-image-5.10.0-6-amd64 pkg onto qemu and use
         dpkg to install it. Reboot successfully.
 - PASS: Do above tests for kernel-rt-signed too.

Story: 2009221
Task: 45167

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I3ddb99b238793204a6127c7746e14be0e8097c9a
2022-05-11 05:55:55 -04:00
..