linux-signed/0000755000000000000000000000000013466320303010352 5ustar linux-signed/debian/0000775000000000000000000000000013466322761011610 5ustar linux-signed/debian/compat0000664000000000000000000000000212233742155013000 0ustar 9 linux-signed/debian/copyright0000644000000000000000000000265713466320302013540 0ustar This package exists to take the signed version of the kernel binaries and insert them into packages. The source is as per the source for the main kernel package. This is the Ubuntu prepackaged version of the Linux kernel. Linux was written by Linus Torvalds and others. This package was put together by the Ubuntu Kernel Team, from sources retrieved from upstream linux git. The sources may be found at most Linux ftp sites, including ftp://ftp.kernel.org/pub/linux/kernel/ This package is currently maintained by the Ubuntu Kernel Team Linux is copyrighted by Linus Torvalds and others. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 2 dated June, 1991. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA On Ubuntu Linux systems, the complete text of the GNU General Public License v2 can be found in `/usr/share/common-licenses/GPL-2'. 
linux-signed/debian/source/0000775000000000000000000000000012752320552013101 5ustar linux-signed/debian/source/format0000664000000000000000000000001512233742155014311 0ustar 3.0 (native) linux-signed/debian/source/options0000664000000000000000000000007412752320552014520 0ustar # force "dpkg-source -I -i" behavior diff-ignore tar-ignore linux-signed/debian/changelog0000644000000000000000000001152213466320343013453 0ustar linux-signed-azure (4.15.0-1045.49~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1045.49~14.04.1 -- Stefan Bader Mon, 13 May 2019 18:52:51 +0200 linux-signed-azure (4.15.0-1044.48~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1044.48~14.04.1 -- Stefan Bader Tue, 07 May 2019 13:08:21 +0200 linux-signed-azure (4.15.0-1043.47~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1043.47~14.04.1 -- Marcelo Henrique Cerri Thu, 25 Apr 2019 08:55:19 -0300 linux-signed-azure (4.15.0-1042.46~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1042.46~14.04.1 -- Andrea Righi Fri, 05 Apr 2019 11:08:27 +0200 linux-signed-azure (4.15.0-1041.45~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1041.45~14.04.1 -- Khalid Elmously Sun, 17 Mar 2019 22:07:47 -0400 linux-signed-azure (4.15.0-1040.44~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1040.44~14.04.1 -- Stefan Bader Mon, 25 Feb 2019 16:13:43 +0100 linux-signed-azure (4.15.0-1040.42~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1040.42~14.04.2 -- Khalid Elmously Fri, 22 Feb 2019 03:37:11 -0500 linux-signed-azure (4.15.0-1039.41~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1039.41~14.04.2 -- Kamal Mostafa Fri, 15 Feb 2019 13:21:41 -0800 linux-signed-azure (4.15.0-1038.42~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1038.42~14.04.1 * Miscellaneous Ubuntu changes - [Packaging] download-signed -- fix downloader component and handle versions correctly -- Stefan Bader Tue, 12 Feb 2019 19:10:57 +0100 linux-signed-azure 
(4.15.0-1037.39~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1037.39~14.04.2 -- Khalid Elmously Thu, 17 Jan 2019 21:09:30 -0500 linux-signed-azure (4.15.0-1036.38~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1036.38~14.04.2 -- Marcelo Henrique Cerri Fri, 07 Dec 2018 01:45:30 -0200 linux-signed-azure (4.15.0-1035.36~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1035.36~14.04.2 -- Marcelo Henrique Cerri Fri, 30 Nov 2018 14:11:22 -0200 linux-signed-azure (4.15.0-1034.35~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1034.35~14.04.2 -- Marcelo Henrique Cerri Tue, 27 Nov 2018 15:09:52 -0200 linux-signed-azure (4.15.0-1033.34~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1033.34~14.04.2 -- Marcelo Henrique Cerri Thu, 15 Nov 2018 20:41:37 -0200 linux-signed-azure (4.15.0-1032.33~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1032.33~14.04.2 -- Marcelo Henrique Cerri Fri, 09 Nov 2018 21:32:24 -0200 linux-signed-azure (4.15.0-1032.33~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1032.33~14.04.1 -- Marcelo Henrique Cerri Fri, 09 Nov 2018 20:49:43 -0200 linux-signed-azure (4.15.0-1031.32~14.04.1+signed1) trusty; urgency=medium * Master version: 4.15.0-1031.32~14.04.1 -- Marcelo Henrique Cerri Thu, 01 Nov 2018 10:02:46 -0300 linux-signed-azure (4.15.0-1031.32~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1031.32~14.04.1 -- Marcelo Henrique Cerri Wed, 31 Oct 2018 17:26:30 -0300 linux-signed-azure (4.15.0-1030.31~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1030.31~14.04.1 -- Marcelo Henrique Cerri Tue, 30 Oct 2018 17:01:07 -0300 linux-signed-azure (4.15.0-1028.29~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1028.29~14.04.1 -- Marcelo Henrique Cerri Mon, 22 Oct 2018 15:28:45 -0300 linux-signed-azure (4.15.0-1023.24~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1023.24~14.04.1 -- Marcelo Henrique Cerri Wed, 29 Aug 2018 10:06:00 -0300 linux-signed-azure 
(4.15.0-1022.22~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1022.22~14.04.1 -- Marcelo Henrique Cerri Fri, 17 Aug 2018 18:31:35 -0300 linux-signed-azure (4.15.0-1013.13~14.04.2) trusty; urgency=medium * Master version: 4.15.0-1013.13~14.04.2 -- Marcelo Henrique Cerri Mon, 25 Jun 2018 10:21:55 -0300 linux-signed-azure (4.15.0-1013.13~14.04.1) trusty; urgency=medium * Master version: 4.15.0-1013.13~14.04.1 * Initial version. -- Marcelo Henrique Cerri Mon, 25 Jun 2018 10:03:47 -0300 linux-signed/debian/control0000664000000000000000000000166113466322772013221 0ustar Source: linux-signed-azure Section: kernel Priority: optional Maintainer: Canonical Kernel Team Build-Depends: debhelper (>= 9), lsb-release, python3, python3-apt, sbsigntool, linux-headers-4.15.0-1045-azure (>= 4.15.0-1045.49~14.04.1), Standards-Version: 3.9.4 Package: linux-image-4.15.0-1045-azure Architecture: amd64 Depends: ${unsigned:Depends} Recommends: ${unsigned:Recommends} Suggests: ${unsigned:Suggests} Conflicts: ${unsigned:Conflicts} Provides: ${unsigned:Provides} Built-Using: linux-azure (= 4.15.0-1045.49~14.04.1) Description: Signed kernel image azure A kernel image for azure. This version of it is signed with Canonical's UEFI/Opal signing key. Package: linux-image-4.15.0-1045-azure-dbgsym Section: devel Architecture: amd64 Depends: linux-image-unsigned-4.15.0-1045-azure-dbgsym Description: Signed kernel image azure A link to the debugging symbols for the azure signed kernel. linux-signed/debian/templates/0000755000000000000000000000000013451667612013605 5ustar linux-signed/debian/templates/image.postinst.in0000755000000000000000000000421213451667612017103 0ustar #!/bin/sh set -e version=@abiname@@localversion@ image_path=/boot/@image-stem@-$version # # When we install linux-image we have to run kernel postinst.d support to # generate the initramfs, create links etc. 
Should it have an associated # linux-image-extra package and we install that we also need to run kernel # postinst.d, to regenerate the initramfs. If we are installing both at the # same time, we necessarily trigger kernel postinst.d twice. As this includes # rebuilding the initramfs and reconfiguring the boot loader this is very time # consuming. # # Similarly for removal when we remove the linux-image-extra package we need to # run kernel postinst.d handling in order to pare down the initramfs to # linux-image contents only. When we remove the linux-image need to remove the # now redundant initramfs. If we are removing both at the same time, then # we will rebuilt the initramfs and then immediatly remove it. # # Switches to using a trigger against the linux-image package for all # postinst.d and postrm.d handling. On installation postinst.d gets triggered # twice once by linux-image and once by linux-image-extra. As triggers are # non-cumulative we will only run this processing once. When removing both # packages we will trigger postinst.d from linux-image-extra and then in # linux-image postrm.d we effectivly ignore the pending trigger and simply run # the postrm.d. This prevents us from rebuilding the initramfs. # if [ "$1" = triggered ]; then trigger=/usr/lib/linux/triggers/$version if [ -f "$trigger" ]; then sh "$trigger" rm -f "$trigger" fi exit 0 fi if [ "$1" != configure ]; then exit 0 fi depmod $version if [ -f /lib/modules/$version/.fresh-install ]; then change=install else change=upgrade fi linux-update-symlinks $change $version $image_path rm -f /lib/modules/$version/.fresh-install if [ -d /etc/kernel/postinst.d ]; then mkdir -p /usr/lib/linux/triggers cat - >/usr/lib/linux/triggers/$version </dev/null; then linux-update-symlinks remove $version $image_path fi if [ -d /etc/kernel/postrm.d ]; then # We cannot trigger ourselves as at the end of this we will no longer # exist and can no longer respond to the trigger. The trigger would # then become lost. 
Therefore we clear any pending trigger and apply # postrm directly. if [ -f /usr/lib/linux/triggers/$version ]; then echo "$0 ... removing pending trigger" rm -f /usr/lib/linux/triggers/$version rmdir --ignore-fail-on-non-empty /usr/lib/linux/triggers fi DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \ --arg=$image_path /etc/kernel/postrm.d fi if [ "$1" = purge ]; then for extra_file in modules.dep modules.isapnpmap modules.pcimap \ modules.usbmap modules.parportmap \ modules.generic_string modules.ieee1394map \ modules.ieee1394map modules.pnpbiosmap \ modules.alias modules.ccwmap modules.inputmap \ modules.symbols modules.ofmap \ modules.seriomap modules.\*.bin \ modules.softdep modules.devname; do eval rm -f /lib/modules/$version/$extra_file done rmdir /lib/modules/$version || true fi exit 0 linux-signed/debian/templates/image.preinst.in0000755000000000000000000000072113451667612016705 0ustar #!/bin/sh set -e version=@abiname@@localversion@ image_path=/boot/@image-stem@-$version if [ "$1" = abort-upgrade ]; then exit 0 fi if [ "$1" = install ]; then # Create a flag file for postinst mkdir -p /lib/modules/$version touch /lib/modules/$version/.fresh-install fi if [ -d /etc/kernel/preinst.d ]; then DEB_MAINT_PARAMS="$*" run-parts --report --exit-on-error --arg=$version \ --arg=$image_path /etc/kernel/preinst.d fi exit 0 linux-signed/debian/control.stub0000644000000000000000000000154313466320302014155 0ustar Source: linux-signed-azure Section: kernel Priority: optional Maintainer: Canonical Kernel Team Build-Depends: debhelper (>= 9), lsb-release, python3, python3-apt, sbsigntool, HEADERS (>= VERSION), Standards-Version: 3.9.4 Package: linux-image-ABI-azure Architecture: amd64 Depends: ${unsigned:Depends} Recommends: ${unsigned:Recommends} Suggests: ${unsigned:Suggests} Conflicts: ${unsigned:Conflicts} Provides: ${unsigned:Provides} Built-Using: linux-azure (= VERSION) Description: Signed kernel image azure A kernel image for azure. 
This version of it is signed with Canonical's UEFI/Opal signing key. Package: linux-image-ABI-azure-dbgsym Section: devel Architecture: amd64 Depends: linux-image-unsigned-ABI-azure-dbgsym Description: Signed kernel image azure A link to the debugging symbols for the azure signed kernel. linux-signed/debian/rules0000755000000000000000000000704413466320303012661 0ustar #! /usr/bin/make -f ##export DH_VERBOSE := 1 #VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) DEB_HOST_ARCH = $(shell dpkg-architecture -qDEB_HOST_ARCH) # Work out the source package name and version. We assume the source package # is the name of this package with -signed stripped. The version is identical # to this package less any rebuild suffic (+signedN). src_package := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Source: | cut -d ' ' -f 2 | sed -e 's/-signed//') src_fullversion = $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) src_version = $(shell echo $(src_fullversion) | sed -e 's/+signed[0-9]*.*//') src_abi = $(shell echo "$(src_version)" | sed -ne 's/\([0-9]*\.[0-9]*\.[0-9]*\-[0-9]*\)\..*/\1/p') src_headers := linux-headers-$(src_abi)-azure # We build our control file. This has to be done before dh runs otherwise # we have no binary files and we will not run the appropriate targets. pre-clean: sed debian/control \ -e "s/HEADERS/$(src_headers)/g" \ -e "s/ABI/$(src_abi)/g" \ -e "s/VERSION/$(src_version)/g" rm -rf ./$(src_version) UNSIGNED SIGNED rm -f debian/linux-image-*.install \ debian/linux-image-*.preinst \ debian/linux-image-*.prerm \ debian/linux-image-*.postinst \ debian/linux-image-*.postrm rm -f debian/kernel-signed-image-*.install PHONY: pre-clean clean:: pre-clean %: dh $@ override_dh_auto_build: ./download-signed "$(src_headers)" "$(src_version)" "$(src_package)" #./download-unsigned "$(DEB_HOST_ARCH)" "$(src_version)" mkdir SIGNED ( \ cd "$(src_version)" || exit 1; \ for s in *.efi.signed; do \ [ ! 
-f "$$s" ] && continue; \ chmod 600 "$$s"; \ base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \ ln "$$s" "../SIGNED/$$base"; \ done; \ for s in *.opal.sig; do \ [ ! -f "$$s" ] && continue; \ chmod 600 "$$s"; \ base=$$(echo "$$s" | sed -e 's/.opal.sig//'); \ cat "$$base.opal" "$$s" >"../SIGNED/$$base";\ done \ ) override_dh_auto_install: for signed in "SIGNED"/*; do \ flavour=$$(echo "$$signed" | sed -e "s@.*-$(src_abi)-@@"); \ instfile=$$(echo "$$signed" | sed -e "s@[^/]*/@@" \ -e "s@-$(src_abi)-.*@@"); \ verflav="$(src_abi)-$$flavour"; \ \ package="kernel-signed-image-$$verflav-di"; \ echo "$$package: adding $$signed"; \ echo "$$signed boot" >>"debian/$$package.install"; \ \ package="linux-image-$$verflav"; \ echo "$$package: adding $$signed"; \ echo "$$signed boot" >>"debian/$$package.install"; \ \ ./generate-depends linux-image-unsigned-$$verflav $(src_version) \ linux-image-$$verflav \ >>"debian/linux-image-$$verflav.substvars"; \ \ for which in postinst postrm preinst prerm; do \ template="debian/templates/image.$$which.in"; \ script="debian/$$package.$$which"; \ sed -e "s/@abiname@/$(src_abi)/g" \ -e "s/@localversion@/-$$flavour/g" \ -e "s/@image-stem@/$$instfile/g" \ <"$$template" >"$$script"; \ done; \ echo "interest linux-update-$(src_abi)-$$flavour" \ >"debian/$$package.triggers"; \ done dh_install override_dh_builddeb: dh_builddeb for pkg in $$(dh_listpackages); do \ case $$pkg in *dbgsym) ;; *) continue ;; esac; \ mv ../$${pkg}_$(src_fullversion)_$(DEB_HOST_ARCH).deb \ ../$${pkg}_$(src_fullversion)_$(DEB_HOST_ARCH).ddeb; \ sed -i "/^$${pkg}_/s/\.deb /.ddeb /" debian/files; \ done override_dh_fixperms: dh_fixperms -X/boot/ linux-signed/debian/scripts/0000755000000000000000000000000013451667612013276 5ustar linux-signed/debian/scripts/misc/0000755000000000000000000000000013466320303014216 5ustar linux-signed/debian/scripts/misc/git-ubuntu-log0000755000000000000000000000752113466320303017033 0ustar #!/usr/bin/python3 import os import sys import codecs 
import urllib.request import json import textwrap sys.stdin = codecs.getreader("utf-8")(sys.stdin.detach()) sys.stdout = codecs.getwriter("utf-8")(sys.stdout.detach()) entries = [] def add_entry(entry): if entry and 'ignore' not in entry: if 'bugs' not in entry and 'cves' in entry: for cve in entry['cves']: if cve not in bugs: bugs.append(cve) entries.append(entry) # Suck up the git log output and extract the information we need. bugs = [] entry = None subject_wait = False for line in sys.stdin: if line.startswith('commit '): add_entry(entry) entry = {} subject_wait = True elif line.startswith('Author: '): bits = line.strip().split(maxsplit=1) entry['author'] = bits[1] elif subject_wait and line.startswith(' '): subject_wait = False entry['subject'] = line.strip() elif line.startswith(' BugLink: ') and 'launchpad.net' in line: bits = line.strip().split(maxsplit=1) bits = bits[1].split('/') entry.setdefault('bugs', []).append(bits[-1]) # Accumulate bug numbers. if bits[-1] not in bugs: bugs.append(bits[-1]) elif line.startswith(' CVE-'): entry.setdefault('cves', []).append(line.strip()) elif line.startswith(' Ignore:'): entry['ignore'] = True add_entry(entry) entries.reverse() # Go through the entries and clear out authors for upstream commits. for entry in entries: if entry['subject'].startswith('UBUNTU:'): entry['subject'] = entry['subject'][7:].strip() else: del entry['author'] # Lump everything without a bug at the bottom. 
bugs.append('__packaging__') bugs.append('__mainline__') emit_nl = False for bug in bugs: if bug == '__packaging__': title = 'Miscellaneous Ubuntu changes' elif bug == '__mainline__': title = 'Miscellaneous upstream changes' elif bug.startswith('CVE-'): title = bug else: bug_info = None try: #urllib.request.urlcleanup() request = urllib.request.Request('https://api.launchpad.net/devel/bugs/' + bug) request.add_header('Cache-Control', 'max-age=0') with urllib.request.urlopen(request) as response: data = response.read() bug_info = json.loads(data.decode('utf-8')) title = bug_info['title'] if 'description' in bug_info: for line in bug_info['description'].split('\n'): if line.startswith('Kernel-Description:'): title = line.split(' ', 1)[1] except urllib.error.HTTPError: title = 'INVALID or PRIVATE BUG' title += ' (LP###' + bug + ')' emit_title = True for entry in entries: if (bug == '__packaging__' and 'bugs' not in entry and 'cves' not in entry and 'author' in entry) or \ (bug == '__mainline__' and 'bugs' not in entry and 'cves' not in entry and 'author' not in entry) or \ ('bugs' in entry and bug in entry['bugs']) or \ ('cves' in entry and bug in entry['cves']): if emit_title: if emit_nl: print('') emit_nl = True title_lines = textwrap.wrap(title, 76) print(' * ' + title_lines[0].replace('LP###', 'LP: #')) for line in title_lines[1:]: line = line.replace('LP###', 'LP: #') print(' ' + line) emit_title = False title_lines = textwrap.wrap(entry['subject'], 76) print(' - ' + title_lines[0]) for line in title_lines[1:]: line = line.replace('LP###', 'LP: #') print(' ' + line) linux-signed/download-unsigned0000755000000000000000000000070213451667612013733 0ustar #!/bin/bash arch="$1" version="$2" unsigned=$(awk ' /^Package: linux-image-/ { package=$2; next } /^Package:/ { package=""; next } /^Architecture:.* '"$arch"'( |$)/ { print package } ' " 1>&2 exit 1 fi master_dir="$1" # Work out the master kernel version. 
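if [ -f "$master_dir/debian/debian.env" ]; then
	# debian.env supplies DEBIAN=<dir>; the master changelog is read from there.
	branch=$(sed -ne 's/DEBIAN=//p' <"$master_dir/debian/debian.env")
	changelog="-l$branch/changelog"
else
	changelog=""
fi
# Pass -l only when a changelog path was derived above, and pass it as a
# single word so a path containing whitespace is not split.
master_version=$(cd "$master_dir" && LC_ALL=C dpkg-parsechangelog -S Version ${changelog:+"$changelog"})

# Work out our current version taking into account closed sections.
here_series=$( LC_ALL=C dpkg-parsechangelog -S Distribution )
if [ "$here_series" = "UNRELEASED" ]; then
	# Top entry is still open: take version and series from the entry below it.
	here_version=$( LC_ALL=C dpkg-parsechangelog -o 1 -S Version )
	here_series=$( LC_ALL=C dpkg-parsechangelog -c 1 -S Distribution )
else
	here_version=$( LC_ALL=C dpkg-parsechangelog -S Version )
fi

# Ensure we have the appropriate tag.
# '~' is replaced with '_' to form the tag name from the version.
here_tagversion=$( echo "$tag_prefix$here_version" | sed -e 's/~/_/g' )
count=$( git for-each-ref "refs/tags/$here_tagversion" | wc -l )
if [ "$count" != 1 ]; then
	echo "$0: $here_tagversion: tag not found" 1>&2
	exit 1
fi

#echo "here_version<$here_version>"
#echo "master_version<$master_version>"

# Work out a sensible new version based on the primary kernel version.
if dpkg --compare-versions "$here_version" lt "$master_version"; then
	here_newversion="$master_version"
elif dpkg --compare-versions "$here_version" eq "$master_version"; then
	here_newversion="$master_version+signed1"
else
	# NOTE(review): assumes here_version carries a +signedN suffix on this
	# path; without one the expansion below leaves the whole version string
	# and the arithmetic fails -- confirm against the callers' workflow.
	signed=$(( ${here_version#*+signed} + 1 ))
	here_newversion="$master_version+signed$signed"
fi

# First insert any primary changes.
marker="__CHANGELOG_FRAGMENT_MARKER__"
dch --newversion "$here_newversion" "$marker"

# Prepare the blank changelog.
# The fragment file is created with mktemp rather than a PID-derived name
# under /tmp. A predictable path can be pre-created or symlinked by another
# local user, and because every write below appends, stale or planted
# content would be carried into the changelog fragment.
tmp=$(mktemp) || {
	echo "$0: unable to create temporary file" 1>&2
	exit 1
}

# Note we are being synced to the master version.
# mktemp creates the file up front, so the "need a separating blank line?"
# checks test for content (-s) instead of existence (-f).
if dpkg --compare-versions "$here_version" lt "$master_version"; then
	echo "Updated to version: $master_version"
	[ -s "$tmp" ] && echo "" >>"$tmp"
	echo " * Master version: $master_version" >>"$tmp"
fi

# Format any existing commits.
count=$( git log --oneline "$here_tagversion".. | wc -l )
if [ "$count" != 0 ]; then
	[ -s "$tmp" ] && echo "" >>"$tmp"
	# (pipeline continues on the following line of the file)
	git log "$here_tagversion".. \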
| "debian/scripts/misc/git-ubuntu-log" >>"$tmp" fi # Insert official changelog fragment. sed -i -e '/^ \* '"$marker"'/{ r '"$tmp"' d }' debian/changelog rm -f "$tmp" # Close this changelog entry. dch --distribution "$here_series" --release '' # Emit final closing commands. echo "git commit -s -m 'UBUNTU: $tag_prefix$here_newversion' debian/changelog" here_tagversion=$( echo "$tag_prefix$here_newversion" | sed -e 's/~/_/g' ) echo "git tag -s -m '$tag_prefix$here_newversion' '$here_tagversion'" linux-signed/generate-depends0000755000000000000000000000033013451667612013521 0ustar #!/bin/bash from="$1" version="$2" to="$3" apt-cache show "$from=$version" | \ egrep '^(Depends|Suggests|Provides|Conflicts|Replaces|Recommends):' | \ sed -e 's/: /=/' -e 's/^/unsigned:/' -e "s/\\<$to\\>/$from/"