to analyze kernel crashes. This package also contains the proxmox-kernel modules
in their unstripped version.
+Package: proxmox-kernel-@KVNAME@-signed-template
+Architecture: amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, make | build-essential | dpkg-dev
+Description: Template for signed kernel package
+ This package is used to control code signing by the Proxmox signing
+ service.
+
Package: proxmox-kernel-libc-dev
Section: devel
Priority: optional
PMX_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
PMX_HEADER_PKG=proxmox-headers-$(KVNAME)
PMX_USR_HEADER_PKG=proxmox-kernel-libc-dev
+PMX_KERNEL_SIGNING_TEMPLATE_PKG=proxmox-kernel-${KVNAME}-signed-template
+PMX_KERNEL_SIGNED_VERSION := $(shell echo ${DEB_VERSION} | sed -e 's/-/+/')
LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
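Review bot: `PMX_KERNEL_SIGNED_VERSION` replaces only the first `-` in `${DEB_VERSION}`, and it forks a shell plus `sed` at parse time to do so. If a version ever carries a hyphen in its upstream part, the result still contains a `-`, which presumably conflicts with the `3.0 (native)` source format that the template ships. The built-in `PMX_KERNEL_SIGNED_VERSION := $(subst -,+,$(DEB_VERSION))` avoids the fork and the unquoted `echo`, and it replaces every hyphen. If first-hyphen-only is intended, a one-line comment saying so would help.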
chmod +x debian/$(PMX_HEADER_PKG).postinst
sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
+ # signing-template
+ sed -e '1 s/proxmox-kernel/proxmox-kernel-signed/' -e '1 s/${DEB_VERSION}/${PMX_KERNEL_SIGNED_VERSION}/' < debian/changelog > debian/signing-template/changelog
+ sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' -e 's/@UNSIGNED_VERSION@/${DEB_VERSION}/g' < debian/signing-template/control.in > debian/signing-template/control
+ sed -e 's/@KVNAME@/${KVNAME}/g' < debian/signing-template/files.json.in > debian/signing-template/files.json
+ sed -e 's/@KVNAME@/${KVNAME}/g' -e 's/@PKG_VERSION@/${DEB_VERSION}/' < debian/signing-template/rules.in > debian/signing-template/rules
+ sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.prerm.in > debian/signing-template/prerm
+ sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postrm.in > debian/signing-template/postrm
+ sed -e 's/@@KVNAME@@/${KVNAME}/g' < debian/proxmox-kernel.postinst.in > debian/signing-template/postinst
+ rm debian/signing-template/*.in
+ cp debian/SOURCE debian/signing-template/
+
build: .compile_mark .tools_compile_mark .modules_compile_mark
install: .install_mark .tools_install_mark .headers_install_mark .usr_headers_install_mark
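Review bot: `rm debian/signing-template/*.in` deletes the inputs that the seven `sed` lines above it read, so this recipe can succeed only once per tree. A second run fails on the missing `control.in`, unless `debian/` is always a fresh copy, which the hunk does not show. The later `cp -R` into `source-template/debian` names its files explicitly, so the `.in` files would not be shipped even without the `rm`; dropping that line looks safe. A comment would also help on why `@PKG_VERSION@` receives `${DEB_VERSION}` while the changelog receives `${PMX_KERNEL_SIGNED_VERSION}`, for example `# binary keeps the unsigned version; only the source package version uses '+'`. The rule header for this recipe is outside the hunk.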
cat watchdog-blacklist.tmp|sed -e 's/^/blacklist /' -e 's/.ko$$//'|sort -u > debian/$(PMX_KERNEL_PKG)/lib/modprobe.d/blacklist_$(PMX_KERNEL_PKG).conf
rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/source
rm -f debian/$(PMX_KERNEL_PKG)/lib/modules/$(KVNAME)/build
+
+ # copy signing template contents
+ rm -rf debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}
+ mkdir -p debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+ cp -R debian/copyright \
+ debian/signing-template/rules \
+ debian/signing-template/control \
+ debian/signing-template/source \
+ debian/signing-template/changelog \
+ debian/signing-template/prerm \
+ debian/signing-template/postrm \
+ debian/signing-template/postinst \
+ debian/signing-template/SOURCE \
+ debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/source-template/debian
+ cp debian/signing-template/files.json debian/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/usr/share/code-signing/${PMX_KERNEL_SIGNING_TEMPLATE_PKG}/
+
touch $@
.tools_compile_mark: .compile_mark
--- /dev/null
+Source: proxmox-kernel-signed-@KVMAJMIN@
+Section: kernel
+Priority: optional
+Maintainer: Proxmox Support Team <support@proxmox.com>
+Standards-Version: 4.2.0
+Build-Depends: debhelper-compat (= 12), dh-exec, python3:any, rsync, sbsigntool, proxmox-kernel-@KVNAME@ (= @UNSIGNED_VERSION@)
+Rules-Requires-Root: no
+Vcs-Git: git://git.proxmox.com/git/pve-kernel
+Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
+
+Package: proxmox-kernel-@KVNAME@-signed
+Section: admin
+Priority: optional
+Architecture: any
+Provides: linux-image-@KVNAME@-amd64, proxmox-kernel-@KVNAME@
+Depends: ${unsigned:Depends}, ${misc:Depends}
+Recommends: ${unsigned:Recommends}
+Suggests: ${unsigned:Suggests}
+Breaks: ${unsigned:Breaks}
+Conflicts: proxmox-kernel-@KVNAME@
+Replaces: proxmox-kernel-@KVNAME@
+Description: ${unsigned:DescriptionShort} (signed)
+ ${unsigned:DescriptionLong}
+ .
+ This package contains the kernel image signed by the Proxmox Secure Boot CA.
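Review bot: `Vcs-Git: git://git.proxmox.com/git/pve-kernel` points at the plain `git://` transport, which gives a client neither encryption nor server authentication. For the source package that yields the Secure Boot signed image, it is better to advertise an `https://` clone URL, if the server offers one, next to the existing `https://` `Vcs-Browser`. Separately, `Provides: proxmox-kernel-@KVNAME@` is unversioned, so a versioned dependency on the unsigned package name would not be satisfied by the signed one. If that matters, use `Provides: proxmox-kernel-@KVNAME@ (= ${binary:Version})`.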
--- /dev/null
+{
+ "packages": {
+ "proxmox-kernel-@KVNAME@": {
+ "trusted_certs": [],
+ "files": [
+ {
+ "sig_type": "efi",
+ "file": "boot/vmlinuz-@KVNAME@"
+ }
+ ]
+ }
+ }
+}
--- /dev/null
+#!/usr/bin/make -f
+
+SHELL := bash -e
+
+export DH_OPTIONS
+
+include /usr/share/dpkg/architecture.mk
+
+KERNEL_VERSION=@KVNAME@
+IMAGE_PACKAGE_NAME=proxmox-kernel-$(KERNEL_VERSION)
+PACKAGE_NAME=$(IMAGE_PACKAGE_NAME)-signed
+PACKAGE_VERSION=@PKG_VERSION@
+PACKAGE_DIR=debian/$(PACKAGE_NAME)
+SIGNATURE_DIR=debian/signatures/${IMAGE_PACKAGE_NAME}
+
+build: build-arch build-indep
+build-arch:
+build-indep:
+
+clean:
+ dh_testdir
+ dh_clean
+
+binary: binary-arch binary-indep
+binary-arch:
+ dh_testdir
+ mkdir -p $(PACKAGE_DIR)/boot
+ rsync -a $(patsubst %,/boot/%-$(KERNEL_VERSION),config System.map vmlinuz) $(PACKAGE_DIR)/boot/
+ if [ -f $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig ]; then \
+ sbattach --attach $(SIGNATURE_DIR)/boot/vmlinuz-$(KERNEL_VERSION).sig \
+ $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION); \
+ else \
+ echo "No signature for image 'vmlinuz-$(KERNEL_VERSION)' found in '$(SIGNATURE_DIR)'"; \
+ false; \
+ fi
+ mkdir -p $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)
+ rsync -ar /lib/modules/$(KERNEL_VERSION)/ $(PACKAGE_DIR)/lib/modules/$(KERNEL_VERSION)/
+ mkdir -p $(PACKAGE_DIR)/lib/modprobe.d/
+ cp /lib/modprobe.d/blacklist_$(IMAGE_PACKAGE_NAME).conf $(PACKAGE_DIR)/lib/modprobe.d/
+ dh_install
+ dh_installchangelogs
+ dh_installdocs -A debian/copyright debian/SOURCE
+ dh_lintian
+ dh_compress
+ dh_fixperms
+ dh_installdeb
+ # Copy most package relations and description from unsigned package
+ for field in Depends Suggests Recommends Breaks; do \
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:$$field=$$(dpkg-query -f '$${'$$field'}' -W $(IMAGE_PACKAGE_NAME))"; \
+ done
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionShort=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | head -n 1)"
+ echo >> debian/$(PACKAGE_NAME).substvars "unsigned:DescriptionLong=$$(dpkg-query -f '$${Description}' -W $(IMAGE_PACKAGE_NAME) | tail -n +2 | sed -rz 's/\$$/$${}/g; s/^ //; s/\n \.?/$${Newline}/g')"
+ dh_gencontrol -- -v$(PACKAGE_VERSION)
+ dh_md5sums
+ dh_builddeb
+binary-indep:
+
+.PHONY: build build-arch build-indep clean binary binary-arch binary-indep
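Review bot: Nothing in `binary-arch` checks that the signature attached by `sbattach --attach` actually validates against the `vmlinuz` copied from `/boot`. As far as I know, `sbattach` only attaches the blob, so a signature made over a different image would be packaged without complaint and fail only at boot. Since `sbsigntool` is already a build dependency, a line right after the `fi` would catch that at build time: `sbverify --cert <path-to-signing-cert.pem> $(PACKAGE_DIR)/boot/vmlinuz-$(KERNEL_VERSION)` (the certificate path is a placeholder). Separately, the `dpkg-query` calls that fill the `unsigned:*` substvars run inside command substitutions and pipelines, so `bash -e` will not stop the build if one fails. The signed package would then ship with empty `Depends`/`Breaks`; adding `-o pipefail` and assigning the query result to a shell variable before the `echo` would make that a hard error.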
--- /dev/null
+3.0 (native)