debian/bin/gencontrol_signed.py: Add certificate fingerprints to template metadata
The signing service will check which certificates we trust, in order to avoid mistakenly creating a chain of trust to a test signing key.
parent
f6cb5491d1
commit
5254e35d9d
|
@ -9,7 +9,7 @@ from debian_linux.debian import Changelog, PackageDescription, VersionLinux, \
|
||||||
from debian_linux.gencontrol import Gencontrol as Base, merge_packages
|
from debian_linux.gencontrol import Gencontrol as Base, merge_packages
|
||||||
from debian_linux.utils import Templates, read_control
|
from debian_linux.utils import Templates, read_control
|
||||||
|
|
||||||
import os.path, re, codecs, io, json, subprocess, time
|
import os.path, re, codecs, io, json, subprocess, time, ssl, hashlib
|
||||||
|
|
||||||
class Gencontrol(Base):
|
class Gencontrol(Base):
|
||||||
def __init__(self, arch):
|
def __init__(self, arch):
|
||||||
|
@ -131,14 +131,28 @@ class Gencontrol(Base):
|
||||||
|
|
||||||
image_suffix = '%(abiname)s%(localversion)s' % vars
|
image_suffix = '%(abiname)s%(localversion)s' % vars
|
||||||
image_package_name = 'linux-image-%s-unsigned' % image_suffix
|
image_package_name = 'linux-image-%s-unsigned' % image_suffix
|
||||||
self.image_packages.append((image_suffix, image_package_name))
|
|
||||||
|
|
||||||
# Verify that this flavour is configured to support Secure Boot
|
# Verify that this flavour is configured to support Secure Boot,
|
||||||
|
# and get the trusted certificates filename.
|
||||||
with open('debian/%s/boot/config-%s' %
|
with open('debian/%s/boot/config-%s' %
|
||||||
(image_package_name, image_suffix)) as f:
|
(image_package_name, image_suffix)) as f:
|
||||||
kconfig = f.readlines()
|
kconfig = f.readlines()
|
||||||
assert 'CONFIG_EFI_STUB=y\n' in kconfig
|
assert 'CONFIG_EFI_STUB=y\n' in kconfig
|
||||||
assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
|
assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
|
||||||
|
cert_re = re.compile(r'CONFIG_SYSTEM_TRUSTED_KEYS="(.*)"$')
|
||||||
|
cert_file_name = None
|
||||||
|
for line in kconfig:
|
||||||
|
match = cert_re.match(line)
|
||||||
|
if match:
|
||||||
|
cert_file_name = match.group(1)
|
||||||
|
break
|
||||||
|
assert cert_file_name
|
||||||
|
if featureset != "none":
|
||||||
|
cert_file_name = os.path.join('debian/build/source_%s' % featureset,
|
||||||
|
cert_file_name)
|
||||||
|
|
||||||
|
self.image_packages.append((image_suffix, image_package_name,
|
||||||
|
cert_file_name))
|
||||||
|
|
||||||
packages['source']['Build-Depends'].append(
|
packages['source']['Build-Depends'].append(
|
||||||
image_package_name +
|
image_package_name +
|
||||||
|
@ -207,9 +221,37 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
|
||||||
def raise_func(e):
|
def raise_func(e):
|
||||||
raise e
|
raise e
|
||||||
|
|
||||||
|
# Some functions in openssl work with multiple concatenated
|
||||||
|
# PEM-format certificates, but others do not.
|
||||||
|
def get_certs(file_name):
|
||||||
|
certs = []
|
||||||
|
BEGIN, MIDDLE = 0, 1
|
||||||
|
state = BEGIN
|
||||||
|
with open(file_name) as f:
|
||||||
|
for line in f:
|
||||||
|
if line == '-----BEGIN CERTIFICATE-----\n':
|
||||||
|
assert state == BEGIN
|
||||||
|
certs.append([])
|
||||||
|
state = MIDDLE
|
||||||
|
elif line == '-----END CERTIFICATE-----\n':
|
||||||
|
assert state == MIDDLE
|
||||||
|
state = BEGIN
|
||||||
|
else:
|
||||||
|
assert line[0] != '-':
|
||||||
|
assert state == MIDDLE
|
||||||
|
certs[-1].append(line)
|
||||||
|
assert state == BEGIN
|
||||||
|
return [''.join(cert_lines) for cert_lines in certs]
|
||||||
|
|
||||||
|
def get_cert_fingerprint(cert, algo):
|
||||||
|
hasher = hashlib.new(algo)
|
||||||
|
hasher.update(ssl.PEM_cert_to_DER_cert(cert))
|
||||||
|
return hasher.hexdigest()
|
||||||
|
|
||||||
all_files = {}
|
all_files = {}
|
||||||
|
|
||||||
for image_suffix, image_package_name in self.image_packages:
|
for image_suffix, image_package_name, cert_file_name in \
|
||||||
|
self.image_packages:
|
||||||
package_dir = 'debian/%s' % image_package_name
|
package_dir = 'debian/%s' % image_package_name
|
||||||
package_files = []
|
package_files = []
|
||||||
package_files.append({'sig_type': 'efi',
|
package_files.append({'sig_type': 'efi',
|
||||||
|
@ -222,7 +264,13 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
|
||||||
{'sig_type': 'linux-module',
|
{'sig_type': 'linux-module',
|
||||||
'file': '%s/%s' %
|
'file': '%s/%s' %
|
||||||
(root[len(package_dir) + 1 :], name)})
|
(root[len(package_dir) + 1 :], name)})
|
||||||
all_files[image_package_name] = {'files': package_files}
|
package_certs = [get_cert_fingerprint(cert)
|
||||||
|
for cert in get_certs(cert_file_name)]
|
||||||
|
assert len(package_certs) >= 1
|
||||||
|
all_files[image_package_name] = {
|
||||||
|
'trusted_certs': package_certs,
|
||||||
|
'files': package_files
|
||||||
|
}
|
||||||
|
|
||||||
with codecs.open(self.template_top_dir + '/files.json', 'w') as f:
|
with codecs.open(self.template_top_dir + '/files.json', 'w') as f:
|
||||||
json.dump(all_files, f)
|
json.dump(all_files, f)
|
||||||
|
|
|
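Review bot: Three things in the new code stop it from running: `assert line[0] != '-':` in get_certs carries a trailing colon and is a SyntaxError; the comprehension `package_certs = [get_cert_fingerprint(cert) for cert in get_certs(cert_file_name)]` omits the `algo` argument that get_cert_fingerprint requires; and get_certs collects only the base64 body lines, while ssl.PEM_cert_to_DER_cert raises ValueError unless the string starts with the `-----BEGIN CERTIFICATE-----` header and ends with the matching footer. Fix the first two as `assert line[0] != '-'` and `get_cert_fingerprint(cert, 'sha256')`, and make get_certs keep the marker lines in each block, i.e. `certs.append([line])` in the BEGIN branch and an added `certs[-1].append(line)` in the END branch, so the joined block is a complete PEM certificate. Since these fingerprints are what the signing service uses to decide which certificates it trusts, the algorithm should be pinned to a collision-resistant one like sha256 rather than left to the caller, and it may be worth recording the algorithm name in files.json next to the list so the service cannot misinterpret the digests. The enclosing method continues outside the hunk.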
@ -18,6 +18,8 @@ linux (4.18~rc7-1~exp1) UNRELEASED; urgency=medium
|
||||||
- Build with KBUILD_VERBOSE=1 by default
|
- Build with KBUILD_VERBOSE=1 by default
|
||||||
- objtool, usbip: Build with V=1 by default
|
- objtool, usbip: Build with V=1 by default
|
||||||
* cpupower: Fix handling of noopt and nostrip build options
|
* cpupower: Fix handling of noopt and nostrip build options
|
||||||
|
* debian/bin/gencontrol_signed.py: Add certificate fingerprints to template
|
||||||
|
metadata
|
||||||
|
|
||||||
-- Uwe Kleine-König <ukleinek@debian.org> Sat, 21 Jul 2018 16:52:01 +0200
|
-- Uwe Kleine-König <ukleinek@debian.org> Sat, 21 Jul 2018 16:52:01 +0200
|
||||||
|
|
||||||
|
|