debian/bin/gencontrol_signed.py: Add certificate fingerprints to template metadata

The signing service will check which certificates we trust, in order
to avoid mistakenly creating a chain of trust to a test signing key.
This commit is contained in:
Ben Hutchings 2018-08-03 15:34:34 +08:00
parent f6cb5491d1
commit 5254e35d9d
2 changed files with 55 additions and 5 deletions


@ -9,7 +9,7 @@ from debian_linux.debian import Changelog, PackageDescription, VersionLinux, \
from debian_linux.gencontrol import Gencontrol as Base, merge_packages
from debian_linux.utils import Templates, read_control
import os.path, re, codecs, io, json, subprocess, time
import os.path, re, codecs, io, json, subprocess, time, ssl, hashlib
class Gencontrol(Base):
def __init__(self, arch):
@ -131,14 +131,28 @@ class Gencontrol(Base):
image_suffix = '%(abiname)s%(localversion)s' % vars
image_package_name = 'linux-image-%s-unsigned' % image_suffix
self.image_packages.append((image_suffix, image_package_name))
# Verify that this flavour is configured to support Secure Boot
# Verify that this flavour is configured to support Secure Boot,
# and get the trusted certificates filename.
with open('debian/%s/boot/config-%s' %
(image_package_name, image_suffix)) as f:
kconfig = f.readlines()
assert 'CONFIG_EFI_STUB=y\n' in kconfig
assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
cert_re = re.compile(r'CONFIG_SYSTEM_TRUSTED_KEYS="(.*)"$')
cert_file_name = None
for line in kconfig:
match = cert_re.match(line)
if match:
cert_file_name = match.group(1)
break
assert cert_file_name
if featureset != "none":
cert_file_name = os.path.join('debian/build/source_%s' % featureset,
cert_file_name)
self.image_packages.append((image_suffix, image_package_name,
cert_file_name))
packages['source']['Build-Depends'].append(
image_package_name +
@ -207,9 +221,37 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
def raise_func(e):
raise e
# Some functions in openssl work with multiple concatenated
# PEM-format certificates, but others do not.
def get_certs(file_name):
certs = []
BEGIN, MIDDLE = 0, 1
state = BEGIN
with open(file_name) as f:
for line in f:
if line == '-----BEGIN CERTIFICATE-----\n':
assert state == BEGIN
certs.append([])
state = MIDDLE
elif line == '-----END CERTIFICATE-----\n':
assert state == MIDDLE
state = BEGIN
else:
assert line[0] != '-':
assert state == MIDDLE
certs[-1].append(line)
assert state == BEGIN
return [''.join(cert_lines) for cert_lines in certs]
def get_cert_fingerprint(cert, algo):
hasher = hashlib.new(algo)
hasher.update(ssl.PEM_cert_to_DER_cert(cert))
return hasher.hexdigest()
all_files = {}
for image_suffix, image_package_name in self.image_packages:
for image_suffix, image_package_name, cert_file_name in \
self.image_packages:
package_dir = 'debian/%s' % image_package_name
package_files = []
package_files.append({'sig_type': 'efi',
@ -222,7 +264,13 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
{'sig_type': 'linux-module',
'file': '%s/%s' %
(root[len(package_dir) + 1 :], name)})
all_files[image_package_name] = {'files': package_files}
package_certs = [get_cert_fingerprint(cert)
for cert in get_certs(cert_file_name)]
assert len(package_certs) >= 1
all_files[image_package_name] = {
'trusted_certs': package_certs,
'files': package_files
}
with codecs.open(self.template_top_dir + '/files.json', 'w') as f:
json.dump(all_files, f)
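Review bot: The list comprehension in the last hunk calls `get_cert_fingerprint(cert)` with one argument, but the helper added earlier in the same section is defined as `def get_cert_fingerprint(cert, algo)`, so the first flavour processed raises TypeError before files.json is written; pin the digest explicitly, e.g. `package_certs = [get_cert_fingerprint(cert, 'sha256') for cert in get_certs(cert_file_name)]`, since the signing service will compare these fingerprints and should not depend on an implicit default. In `get_certs`, `ssl.PEM_cert_to_DER_cert` requires the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` framing, so if `certs[-1].append(line)` sits inside the `else:` branch (indentation is not recoverable from this rendering) the returned strings hold only the base64 body and the conversion will raise ValueError; the append should run for the header and footer lines too, or the helper should re-add them. The line `assert line[0] != '-':` carries a trailing colon as rendered, which is a SyntaxError if it is in the committed file rather than a display artifact. A short docstring on `get_certs` stating that it splits a concatenated PEM bundle into one PEM string per certificate, and on `get_cert_fingerprint` that it returns the hex digest of the DER encoding under `algo`, would make the contract the signing service relies on explicit. The enclosing method starts outside this hunk.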

debian/changelog vendored

@ -18,6 +18,8 @@ linux (4.18~rc7-1~exp1) UNRELEASED; urgency=medium
- Build with KBUILD_VERBOSE=1 by default
- objtool, usbip: Build with V=1 by default
* cpupower: Fix handling of noopt and nostrip build options
* debian/bin/gencontrol_signed.py: Add certificate fingerprints to template
metadata
-- Uwe Kleine-König <ukleinek@debian.org> Sat, 21 Jul 2018 16:52:01 +0200