debian/bin/gencontrol_signed.py: Add certificate fingerprints to template metadata
The signing service will check which certificates we trust, in order to avoid mistakenly creating a chain of trust to a test signing key.
parent
f6cb5491d1
commit
5254e35d9d
@ -9,7 +9,7 @@ from debian_linux.debian import Changelog, PackageDescription, VersionLinux, \
|
|||
from debian_linux.gencontrol import Gencontrol as Base, merge_packages
|
||||
from debian_linux.utils import Templates, read_control
|
||||
|
||||
import os.path, re, codecs, io, json, subprocess, time
|
||||
import os.path, re, codecs, io, json, subprocess, time, ssl, hashlib
|
||||
|
||||
class Gencontrol(Base):
|
||||
def __init__(self, arch):
|
||||
|
@ -131,14 +131,28 @@ class Gencontrol(Base):
|
|||
|
||||
image_suffix = '%(abiname)s%(localversion)s' % vars
|
||||
image_package_name = 'linux-image-%s-unsigned' % image_suffix
|
||||
self.image_packages.append((image_suffix, image_package_name))
|
||||
|
||||
# Verify that this flavour is configured to support Secure Boot
|
||||
# Verify that this flavour is configured to support Secure Boot,
|
||||
# and get the trusted certificates filename.
|
||||
with open('debian/%s/boot/config-%s' %
|
||||
(image_package_name, image_suffix)) as f:
|
||||
kconfig = f.readlines()
|
||||
assert 'CONFIG_EFI_STUB=y\n' in kconfig
|
||||
assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
|
||||
cert_re = re.compile(r'CONFIG_SYSTEM_TRUSTED_KEYS="(.*)"$')
|
||||
cert_file_name = None
|
||||
for line in kconfig:
|
||||
match = cert_re.match(line)
|
||||
if match:
|
||||
cert_file_name = match.group(1)
|
||||
break
|
||||
assert cert_file_name
|
||||
if featureset != "none":
|
||||
cert_file_name = os.path.join('debian/build/source_%s' % featureset,
|
||||
cert_file_name)
|
||||
|
||||
self.image_packages.append((image_suffix, image_package_name,
|
||||
cert_file_name))
|
||||
|
||||
packages['source']['Build-Depends'].append(
|
||||
image_package_name +
|
||||
|
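Review bot: The new `assert cert_file_name` (and the Secure Boot checks just above it) are `assert` statements, which are dropped entirely under `python3 -O`; since this value decides which trust anchors get published to the signing service, the failure path should not depend on the interpreter's optimisation flag. I would write it as `if not cert_file_name: raise ValueError('CONFIG_SYSTEM_TRUSTED_KEYS not set in %s' % image_package_name)` (message constructed here). The tuple appended to `self.image_packages` also grows from two to three fields; the consumer later in this diff is updated, but any other reader of `self.image_packages` outside these hunks would now fail to unpack, which I cannot confirm from here. The enclosing method starts and ends outside the hunk.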
@ -207,9 +221,37 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
|
|||
def raise_func(e):
|
||||
raise e
|
||||
|
||||
# Some functions in openssl work with multiple concatenated
|
||||
# PEM-format certificates, but others do not.
|
||||
def get_certs(file_name):
|
||||
certs = []
|
||||
BEGIN, MIDDLE = 0, 1
|
||||
state = BEGIN
|
||||
with open(file_name) as f:
|
||||
for line in f:
|
||||
if line == '-----BEGIN CERTIFICATE-----\n':
|
||||
assert state == BEGIN
|
||||
certs.append([])
|
||||
state = MIDDLE
|
||||
elif line == '-----END CERTIFICATE-----\n':
|
||||
assert state == MIDDLE
|
||||
state = BEGIN
|
||||
else:
|
||||
assert line[0] != '-':
|
||||
assert state == MIDDLE
|
||||
certs[-1].append(line)
|
||||
assert state == BEGIN
|
||||
return [''.join(cert_lines) for cert_lines in certs]
|
||||
|
||||
def get_cert_fingerprint(cert, algo):
|
||||
hasher = hashlib.new(algo)
|
||||
hasher.update(ssl.PEM_cert_to_DER_cert(cert))
|
||||
return hasher.hexdigest()
|
||||
|
||||
all_files = {}
|
||||
|
||||
for image_suffix, image_package_name in self.image_packages:
|
||||
for image_suffix, image_package_name, cert_file_name in \
|
||||
self.image_packages:
|
||||
package_dir = 'debian/%s' % image_package_name
|
||||
package_files = []
|
||||
package_files.append({'sig_type': 'efi',
|
||||
|
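Review bot: `assert line[0] != '-':` in `get_certs` carries a trailing colon, which is a syntax error and will stop the whole script from loading; it should read `assert line[0] != '-'`. Separately, as far as the lost indentation on this page allows me to tell, `certs[-1].append(line)` sits only in the `else` branch, so the returned strings hold the base64 body without the `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----` lines, yet `get_cert_fingerprint` feeds them to `ssl.PEM_cert_to_DER_cert`, which raises ValueError when those markers are absent; moving the append out of the `if`/`elif`/`else` so every line of a certificate (markers included) is collected would fix that. A short docstring on `get_certs` stating that it returns one complete PEM block per certificate, in file order, would make the contract with the fingerprint helper explicit. The enclosing method starts and ends outside the hunk.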
@ -222,7 +264,13 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
|
|||
{'sig_type': 'linux-module',
|
||||
'file': '%s/%s' %
|
||||
(root[len(package_dir) + 1 :], name)})
|
||||
all_files[image_package_name] = {'files': package_files}
|
||||
package_certs = [get_cert_fingerprint(cert)
|
||||
for cert in get_certs(cert_file_name)]
|
||||
assert len(package_certs) >= 1
|
||||
all_files[image_package_name] = {
|
||||
'trusted_certs': package_certs,
|
||||
'files': package_files
|
||||
}
|
||||
|
||||
with codecs.open(self.template_top_dir + '/files.json', 'w') as f:
|
||||
json.dump(all_files, f)
|
||||
|
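Review bot: `get_cert_fingerprint(cert)` in the `package_certs` comprehension omits the required `algo` argument that the helper defined earlier in this diff takes, so the first flavour processed raises TypeError before `files.json` is written. Pass the digest explicitly, e.g. `get_cert_fingerprint(cert, 'sha256')`, and add a comment next to `'trusted_certs': package_certs` stating which digest the hex strings are, since the signing service has to compute the same digest over the DER form to compare them against its own list of trusted certificates. The enclosing method starts outside the hunk.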
@ -18,6 +18,8 @@ linux (4.18~rc7-1~exp1) UNRELEASED; urgency=medium
|
|||
- Build with KBUILD_VERBOSE=1 by default
|
||||
- objtool, usbip: Build with V=1 by default
|
||||
* cpupower: Fix handling of noopt and nostrip build options
|
||||
* debian/bin/gencontrol_signed.py: Add certificate fingerprints to template
|
||||
metadata
|
||||
|
||||
-- Uwe Kleine-König <ukleinek@debian.org> Sat, 21 Jul 2018 16:52:01 +0200
|
||||