
[Merge] ~itrue/nemos/+git/linux-signed:s32-eb-add-fit-image into ~nemos-team/nemos/+git/linux-signed:master

 

Isaac True has proposed merging ~itrue/nemos/+git/linux-signed:s32-eb-add-fit-image into ~nemos-team/nemos/+git/linux-signed:master.

Requested reviews:
  Kuba Pawlak (kuba-t-pawlak)

For more details, see:
https://code.launchpad.net/~itrue/nemos/+git/linux-signed/+merge/454820
-- 
Your team NemOS Team is subscribed to branch ~nemos-team/nemos/+git/linux-signed:master.
diff --git a/debian/control.stub b/debian/control.stub
index 25d29cc..ba47c09 100644
--- a/debian/control.stub
+++ b/debian/control.stub
@@ -8,5 +8,8 @@ Build-Depends:
  python3,
  python3-apt,
  sbsigntool,
+ nemos-dev-key [arm64],
+ u-boot-tools [arm64],
+ device-tree-compiler [arm64],
  @DEPENDS@,
 Standards-Version: 3.9.4
diff --git a/debian/rules b/debian/rules
index 61dd81c..c3e60b2 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,8 +45,20 @@ clean:: pre-clean
 override_dh_auto_build: SHELL=/bin/sh -x
 
 override_dh_auto_build:
+ifeq ($(DEB_HOST_ARCH),arm64)
+	./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)"
+
+	ln -s /usr/share/nemos/private.pem UNSIGNED/nemos-dev.key
+	for unsigned in "UNSIGNED/boot/vmlinuz-"*; do				\
+		ln -sfr "$${unsigned}" UNSIGNED/vmlinuz;			\
+		ln -sf "/lib/firmware/`basename "$${unsigned}" | sed 's/vmlinuz-//'`/device-tree" \
+			UNSIGNED/dtb;						\
+		mkimage -f fit-image.its -k UNSIGNED -r				\
+			`echo "$${unsigned}" | sed 's/vmlinuz/fitImage/'`;	\
+	done
+endif
+
 	./download-signed "$(generate_src)" "$(ver)" "$(generate_src)"
-	#./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)"
 	mkdir SIGNED
 	(									\
 		signed="$(CURDIR)/SIGNED";					\
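Review bot: A failed `mkimage` or `ln` in the new arm64 loop does not stop the build unless it happens on the last iteration, because the statements are chained with `;` and the recipe shell is `/bin/sh -x` without `-e`. For a signing step that is the wrong default; putting `set -e;` in front of the `for` makes a kernel that could not be signed fail the build instead of being skipped. Two smaller things in the same lines: `ln -s /usr/share/nemos/private.pem UNSIGNED/nemos-dev.key` has no `-f` and will fail on a rebuild in the same tree, and `ln -sf … UNSIGNED/dtb` should be `ln -sfn`, otherwise a second kernel in the loop creates the link inside the directory the first link points to. The override_dh_auto_build recipe continues past the end of this hunk.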
@@ -99,6 +111,27 @@ override_dh_auto_build:
 	)
 
 override_dh_auto_install:
+	for unsigned in "UNSIGNED/boot/fitImage-"*; do				\
+		flavour=$$(echo "$${unsigned}" | sed -e 's@.*-$(abi)-@@');	\
+		package=$$(basename "$${unsigned}" | sed 's/fitImage-/linux-image-fit-/'); \
+		instfile=$$(basename "$${unsigned}" | sed -e 's@-$(abi)-.*@@');	\
+		verflav="$(abi)-$${flavour}";					\
+		install -Dm0644 $${unsigned} -t debian/$${package}/boot;	\
+		./debian/scripts/generate-depends linux-image-unsigned-$$verflav $(unsigned_ver) \
+			| grep -v '^unsigned:Conflicts=' 			\
+			>> "debian/linux-image-fit-$$verflav.substvars";	\
+										\
+		for which in postinst postrm preinst prerm; do			\
+			template="debian/templates/image.$${which}.in";		\
+			script="debian/$${package}.$${which}";			\
+			sed -e "s/@abiname@/$(abi)/g"				\
+			    -e "s/@localversion@/-$${flavour}/g"		\
+			    -e "s/@image-stem@/$${instfile}/g"			\
+				< "$${template}" > "$${script}";		\
+		done;								\
+		echo "interest linux-update-$(abi)-$${flavour}"	 		\
+			>"debian/$$package.triggers";				\
+	done
 	for signed in "SIGNED"/*; do						\
 		flavour=$$(echo "$$signed" | sed -e "s@.*-$(abi)-@@");		\
 		instfile=$$(echo "$$signed" | sed -e "s@[^/]*/@@"		\
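Review bot: The new `fitImage-` install loop runs on every architecture, while the build step that creates those files is wrapped in `ifeq ($(DEB_HOST_ARCH),arm64)`. On any other host the glob stays unexpanded, so the loop runs once with the literal `UNSIGNED/boot/fitImage-*` and writes maintainer scripts and a `.triggers` file with `*` in their names under `debian/`; the failing `install` goes unnoticed because nothing in the loop checks exit status. Wrapping the loop in the same `ifeq`/`endif` pair avoids that. While here, quote `$${unsigned}` in the `install` line, and note that the `generate-depends | grep -v` pipeline reports only grep's status and appends with `>>`, so a failed dependency lookup is silent and a rebuild in the same tree duplicates entries. The existing `SIGNED` loop continues beyond the hunk.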
diff --git a/debian/scripts/generate-control b/debian/scripts/generate-control
index ef61cd7..15cf2d1 100755
--- a/debian/scripts/generate-control
+++ b/debian/scripts/generate-control
@@ -78,3 +78,20 @@ with open("debian/control.stub") as tfd, open("debian/control", "w") as cfd:
             Description: Signed kernel image {flavour}
              A link to the debugging symbols for the {flavour} signed kernel.
             """).rstrip(), file=cfd)
+
+    for flavour, archs in signing.package_flavour_archs("image"):
+        print(dedent(f"""\
+
+            Package: linux-image-fit-{abi_version}-{flavour}
+            Architecture: arm64
+            Depends: ${{unsigned:Depends}}
+            Recommends: ${{unsigned:Recommends}}
+            Suggests: ${{unsigned:Suggests}}
+            Conflicts: ${{unsigned:Conflicts}}
+            Provides: ${{unsigned:Provides}}
+            Built-Using: {unsigned_name} (= {unsigned_version})
+            Description: Signed kernel FIT image {flavour}
+             A FIT image containing the kernel image for {flavour} and device
+             trees, signed by an insecure development key for demonstrative
+             purposes.
+            """).rstrip(), file=cfd)
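Review bot: The new stanza emits `Conflicts: ${{unsigned:Conflicts}}`, but the install loop added to debian/rules in this same change strips `unsigned:Conflicts=` from the substvars it writes for `linux-image-fit-*`. Unless something outside this diff defines it, dpkg-gencontrol will see an undefined substitution variable; either drop the `Conflicts:` line here or stop filtering it there. Separately, `archs` from `signing.package_flavour_archs("image")` is unused and `Architecture: arm64` is hard-coded, so a flavour that is not built for arm64 would presumably still get a FIT stanza. A guard such as `if "arm64" not in archs: continue` would avoid that, assuming `archs` is a collection of architecture names. The enclosing `with open(...)` block starts above the hunk.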
diff --git a/download-unsigned b/download-unsigned
index 30832f7..9ec5b62 100755
--- a/download-unsigned
+++ b/download-unsigned
@@ -4,13 +4,13 @@ arch="$1"
 version="$2"
 
 unsigned=$(awk '
-	/^Package: linux-image-/			{ package=$2; next }
+	/^Package: linux-image-fit-/			{ package=$2; next }
 	/^Package:/					{ package=""; next }
 	/^Architecture:.* '"$arch"'( |$)/		{ print package }
 	' <debian/control)
 for package in $unsigned
 do
-	package=$(echo "$package" | sed -e 's/linux-image-/linux-image-unsigned-/')
+	package=$(echo "$package" | sed -e 's/linux-image-fit-/linux-image-unsigned-/')
 	echo "Downloading $package ..."
 	apt-get download "$package=$version"
 	dpkg -X "${package}_${version}_${arch}.deb" UNSIGNED
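Review bot: Nothing in the visible loop checks the result of `apt-get download "$package=$version"`, and the packages fetched here are the input to the FIT signing step. Unless the script head (outside this hunk) enables `set -e`, a failed download for one package is only noticed if it is the last one; `apt-get download "$package=$version" || exit 1` makes the failure explicit. The `sed` substitution could also be anchored, `s/^linux-image-fit-/linux-image-unsigned-/`, to match the anchored awk pattern above it.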
diff --git a/fit-image.its b/fit-image.its
new file mode 100644
index 0000000..bc437d8
--- /dev/null
+++ b/fit-image.its
@@ -0,0 +1,52 @@
+/dts-v1/;
+
+/ {
+    description = "Ubuntu kernel, ramdisk, FDT blob and boot config for a NXP S32x board";
+    #address-cells = <1>;
+
+    images {
+        kernel-1 {
+            description = "Ubuntu kernel";
+            data = /incbin/("UNSIGNED/vmlinuz");
+            type = "kernel";
+            arch = "arm64";
+            os = "linux";
+            compression = "none";
+            load =  <0x80000000>;
+            entry = <0x80000000>;
+
+            hash-1 {
+                algo = "sha256";
+            };
+        };
+
+        fdt-s32g274a-rdb2 {
+            description = "Device tree for an NXP S32G274A-RDB2 board";
+            data = /incbin/("UNSIGNED/dtb/freescale/s32g274a-rdb2.dtb");
+            type = "flat_dt";
+            arch = "arm64";
+            compression = "none";
+            load =  <0x83000000>;
+
+            hash-1 {
+                algo = "sha256";
+            };
+        };
+    };
+
+    configurations {
+        default = "nxp-s32g274a-rdb2";
+
+        nxp-s32g274a-rdb2 {
+            description = "Boot config for an NXP S32G274A-RDB2 board";
+            kernel = "kernel-1";
+            fdt = "fdt-s32g274a-rdb2";
+
+            signature-1 {
+                algo = "sha256,rsa2048";
+                key-name-hint = "nemos-dev";
+                sign-images = "fdt", "kernel";
+            };
+        };
+    };
+};
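Review bot: The root `description` promises a ramdisk, but the file defines only `kernel-1` and `fdt-s32g274a-rdb2`, and `sign-images = "fdt", "kernel"` covers just those two. If the board boots with an initrd, it would be loaded outside the signed configuration, so either add a ramdisk image node and list it in `sign-images`, or correct the text to `description = "Ubuntu kernel and FDT blob for an NXP S32x board";`. A short comment above `signature-1` would also help, for example `/* signed with the nemos-dev development key: demonstrates the flow, gives no authenticity guarantee */`, so the `.its` carries the same caveat as the package description.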
