WIP: Stop using mkdebian, just have our own debian/ folder
Instead of dynamically generating the debian/ packaging information,
just keep our own. This will hopefully make future upgrades easier since
we'll just need to synchronize the d/rules file.

envsubst does the job for now, but I would rather replace it with
jinja2 templating or Python string assembly.
legoktm committed Mar 26, 2024
1 parent ec1c58b commit 5232176
Showing 19 changed files with 1,445 additions and 629 deletions.
8 changes: 4 additions & 4 deletions Dockerfile
Expand Up @@ -15,16 +15,19 @@ RUN apt-get update && \
build-essential \
cpio \
curl \
debhelper \
fakeroot \
flex \
gcc-12-plugin-dev \
gettext-base \
git \
kmod \
libelf-dev \
liblz4-tool \
libssl-dev \
lsb-release \
ncurses-dev \
pigz \
python3 \
python3-requests \
rsync \
Expand All @@ -35,10 +38,7 @@ RUN groupadd -g ${GID} ${USERNAME} && useradd -m -d /home/${USERNAME} -g ${GID}

COPY build-kernel.sh /usr/local/bin/build-kernel.sh
COPY grsecurity-urls.py /usr/local/bin/grsecurity-urls.py
COPY scripts/ /scripts

COPY securedrop-grsec /securedrop-grsec
COPY securedrop-workstation-grsec /securedrop-workstation-grsec
COPY debian /debian

RUN mkdir -p -m 0755 /kernel /patches-grsec /output
RUN chown ${USERNAME}:${USERNAME} /kernel /patches-grsec /output
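Review bot: The packages added to the apt-get list in the first hunk (`debhelper`, `fakeroot`, `gettext-base`, `pigz` appear here; the rendered page does not show which three are new) are installed unpinned, and with this commit debhelper/`dpkg-buildpackage` rather than the kernel's own `deb-pkg` produce the .deb, so their versions become an input to the output the `reprotest` targets compare. If the base image is not already pinned by digest, this is the moment to pin it, or at least to print the installed `debhelper`/`fakeroot` versions into the build log. The second hunk drops `COPY scripts/ /scripts` together with the two `securedrop-*-grsec` copies; the Makefile's `./scripts/...` invocations look host-side, so that seems fine, but any remaining in-container reference to `/scripts` would now fail at build time.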
16 changes: 13 additions & 3 deletions Makefile
Expand Up @@ -12,6 +12,16 @@ vanilla: ## Builds latest stable kernel, unpatched
--return \
$(OUT)

.PHONY: tiny-6.6
tiny-6.6: OUT:=$(SCRIPT_OUTPUT_PREFIX)-tiny-6.6.$(SCRIPT_OUTPUT_EXT)
tiny-6.6: ## Builds latest stable kernel, unpatched
LINUX_MAJOR_VERSION="6.6" LOCALVERSION="tiny" \
LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/tinyconfig-6.6" \
script \
--command ./scripts/build-kernel-wrapper \
--return \
$(OUT)

.PHONY: grsec
grsec: OUT:=$(SCRIPT_OUTPUT_PREFIX)-grsec.$(SCRIPT_OUTPUT_EXT)
grsec: ## Builds grsecurity-patched kernel (requires credentials)
Expand All @@ -27,14 +37,14 @@ reprotest: ## Builds simple kernel multiple times to confirm reproducibility

.PHONY: reprotest-sd
reprotest-sd: ## DEBUG Builds SD kernel config without grsec in CI
GRSECURITY=0 LOCALVERSION="-securedrop" \
GRSECURITY=0 LOCALVERSION="securedrop" \
LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/config-securedrop-5.15" \
LINUX_LOCAL_PATCHES_PATH="$(PWD)/patches" \
./scripts/reproducibility-test

securedrop-core-5.15: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-core-5.15.$(SCRIPT_OUTPUT_EXT)
securedrop-core-5.15: ## Builds kernels for SecureDrop servers, 5.15.x
GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable6 LOCALVERSION="-securedrop" \
GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable6 LOCALVERSION="securedrop" \
LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/config-securedrop-5.15" \
LINUX_LOCAL_PATCHES_PATH="$(PWD)/patches" \
script \
Expand All @@ -44,7 +54,7 @@ securedrop-core-5.15: ## Builds kernels for SecureDrop servers, 5.15.x

securedrop-workstation-6.6: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-workstation-6.6.$(SCRIPT_OUTPUT_EXT)
securedrop-workstation-6.6: ## Builds kernels for SecureDrop Workstation, 6.6.x
GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable9 LOCALVERSION="-workstation" \
GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable9 LOCALVERSION="workstation" \
LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/config-workstation-6.6" \
script \
--command ./scripts/build-kernel-wrapper \
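Review bot: Dropping the leading dash from `LOCALVERSION` (`"securedrop"`, `"workstation"`) in the second and third hunks breaks the branch in build-kernel.sh that still tests `if [[ "$LOCALVERSION" = "-workstation" ]]; then`: unless `scripts/build-kernel-wrapper` (not in this diff) re-adds the dash, the workstation build now falls through to the server branch and is generated from `control.server`. Either change that comparison to `"workstation"` in build-kernel.sh, or keep the dash out of the package version string with a separate variable rather than by changing the value the script branches on. The new `tiny-6.6` target reuses vanilla's help text; `tiny-6.6: ## Builds latest stable 6.6 kernel with tinyconfig, unpatched` would describe what it does. `securedrop-core-5.15` and `securedrop-workstation-6.6` have no `.PHONY` line in the visible hunks, unlike `tiny-6.6`; worth confirming one exists elsewhere in the file.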
49 changes: 30 additions & 19 deletions build-kernel.sh
@@ -1,7 +1,5 @@
#!/bin/bash
set -e
set -u
set -o pipefail
set -euxo pipefail


# Patching with grsecurity is disabled by default.
Expand All @@ -12,8 +10,12 @@ LINUX_MAJOR_VERSION="${LINUX_MAJOR_VERSION:-}"
LINUX_CUSTOM_CONFIG="${LINUX_CUSTOM_CONFIG:-/config}"
LOCALVERSION="${LOCALVERSION:-}"
export SOURCE_DATE_EPOCH
export SOURCE_DATE_EPOCH_FORMATTED=$(date -R -d @$SOURCE_DATE_EPOCH)
export KBUILD_BUILD_TIMESTAMP
export DEB_BUILD_TIMESTAMP
# Get the current Debian codename so we can vary based on version
eval "export $(cat /etc/os-release | grep CODENAME)"
export VERSION_CODENAME

if [[ $# > 0 ]]; then
x="$1"
Expand Down Expand Up @@ -48,6 +50,7 @@ if [[ -z "$LINUX_VERSION" ]]; then
exit 1
fi
# Get the latest patch version of this version series from kernel.org
echo "Looking up latest release of $LINUX_MAJOR_VERSION from kernel.org"
LINUX_VERSION="$(curl -s https://www.kernel.org/ | grep -m1 -F "$LINUX_MAJOR_VERSION" -A1 | head -n1 | grep -oP '[\d\.]+')"
fi

Expand All @@ -57,7 +60,7 @@ echo "Fetching Linux kernel source $LINUX_VERSION"
wget https://cdn.kernel.org/pub/linux/kernel/v${FOLDER}/linux-${LINUX_VERSION}.tar.{xz,sign}

echo "Extracting Linux kernel source $LINUX_VERSION"
xz -d -v linux-${LINUX_VERSION}.tar.xz
xz -d -T 0 -v linux-${LINUX_VERSION}.tar.xz
gpgv --keyring /pubkeys/kroah_hartman.gpg linux-${LINUX_VERSION}.tar.sign linux-${LINUX_VERSION}.tar
tar -xf linux-${LINUX_VERSION}.tar
cd linux-${LINUX_VERSION}
Expand All @@ -72,28 +75,36 @@ if [[ -e /patches-grsec && -n "$GRSECURITY" && "$GRSECURITY" = "1" ]]; then
find /patches-grsec -maxdepth 1 -type f -exec patch -p 1 -i {} \;
fi

echo "Copying in our mkdebian"
cp "/scripts/mkdebian-${LINUX_MAJOR_VERSION}" scripts/package/mkdebian
if [[ -f "/scripts/rules-${LINUX_MAJOR_VERSION}" ]]; then
echo "Copying in our debian/rules"
cp "/scripts/rules-${LINUX_MAJOR_VERSION}" scripts/package/debian/rules
fi
# Generate the orig tarball
#tar --use-compress-program="xz -T 0" -cf ../linux-upstream_${LINUX_VERSION}-grsec-${LOCALVERSION}.orig.tar.xz .
tar -cf - . | pigz > ../linux-upstream_${LINUX_VERSION}-grsec-${LOCALVERSION}.orig.tar.gz

echo "Copying in our debian/"
cp -R /debian debian

export PACKAGE_VERSION="${LINUX_VERSION}-grsec-${LOCALVERSION}-1"
export DEBARCH="amd64"

cat debian/control.in | envsubst > debian/control
echo "" >> debian/control
if [[ "$LOCALVERSION" = "-workstation" ]]; then
echo "Copying in our securedrop-workstation-grsec"
mkdir -p debian/securedrop-workstation-grsec
cp -Rv /securedrop-workstation-grsec/* debian/securedrop-workstation-grsec/
echo "Generating d/control for workstation"
cat debian/control.workstation | envsubst >> debian/control
else
echo "Copying in our securedrop-grsec"
mkdir -p debian/securedrop-grsec
cp -Rv /securedrop-grsec/* debian/securedrop-grsec/
echo "Generating d/control for server"
cat debian/control.server | envsubst >> debian/control
fi
cat debian/changelog.in | envsubst > debian/changelog

cat <<EOF > debian/rules.vars
ARCH := x86
KERNELRELEASE := ${LINUX_VERSION}
EOF

echo "Building Linux kernel source $LINUX_VERSION"
make olddefconfig

VCPUS="$(nproc)"
make EXTRAVERSION="-1" -j $VCPUS deb-pkg
# TODO set parallel build here
dpkg-buildpackage -uc -us

echo "Storing build artifacts for $LINUX_VERSION"
if [[ -d /output ]]; then
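Review bot: `set -euxo pipefail` in the first hunk turns on command tracing for the whole script, and since the Makefile wraps this build in `script ... $(OUT)`, every expanded command line is written into the typescript; the `grsec` target is documented as requiring credentials, so if any credential-derived value ever lands on a command line it would end up in that file — consider enabling `-x` only around the packaging section, or dropping it before this leaves WIP. The codename lookup `eval "export $(cat /etc/os-release | grep CODENAME)"` evaluates file content as shell and `grep CODENAME` can match more than one line on some images; `VERSION_CODENAME="$(. /etc/os-release && printf '%s' "$VERSION_CODENAME")"` reads the same value without `eval`. The `envsubst` calls substitute every `$NAME` in `control.in`, `control.*` and `changelog.in`; passing the intended names, e.g. `envsubst '$PACKAGE_VERSION $DEBARCH $VERSION_CODENAME'`, keeps an unrelated environment variable from being expanded into the generated packaging files. The `# TODO set parallel build here` can become `dpkg-buildpackage -uc -us -j"$(nproc)"`, which restores the `nproc` parallelism the removed `make -j $VCPUS deb-pkg` line had.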

0 comments on commit 5232176
