kernel/kernel-std/debian/deb_patches/0004-kernel-std-Adapt-the-debian-folder-for-building-linu.patch
Li Zhou 92efe6f666 kernel-std: add initial version for debian packaging
Add kernel 5.10.74 debian packaging.

The kernel we are building starts as source code from the Yocto Project
kernel found at
(https://git.yoctoproject.org/cgit/cgit.cgi/linux-yocto/about/?h=v5.10/standard/base).
To facilitate the creation of a Debian package of this kernel we start
by making a copy of the 5.10 Debian Bullseye 'debian' folder taken from
(http://snapshot.debian.org/package/linux/5.10.28-1/) and apply
customization via the meta-data patches in debian/deb_patches dir. In
this way we can review and incorporate changes the Debian community
makes to their kernel's 'debian' folder over time.

Since there are StarlingX specific patches to the kernel not suitable to
send for merging in linux-yocto we apply these here as defined in scope
and order in the contained debian/patches/series file.

Verification:
As we are only getting the Debian work bootstrapped there are quite a few
restrictions as far as what can be tested.

- I have compared it to the kernel 5.10.74 being used with stx centos:
  - the linux-yocto source code is the same;
  - all the StarlingX specific patches are the same;
  - the .config of StarlingX centos kernel 5.10.74 is taken to StarlingX
    debian, coexists and overrides the default debian kernel configs,
    and only below changes are done for it:
    - remove some CONFIGs not set by StarlingX centos kernel code
      intentionally, such as CONFIG_CC_CAN_LINK;
    - remove some CONFIGs special for StarlingX centos kernel code such
      as: CONFIG_CC_VERSION_TEXT;
    - keep the CONFIGs related with signature aligned with debian
      release, because the security feature is still in development.
- 28 debs are built successfully. Build kernel image into rootfs and
  initramfs. Build the LAT ustart image from them.
- Use qemu to boot the ustart image, and the installer installs the
  rootfs successfully. The final debian system with this new kernel
  boots up successfully and runs some simple commands successfully.

Story: 2009221
Task: 43290
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I2f98fcc3f929e3e006d30210d559913a10a77ac2
2021-11-23 02:20:43 -05:00


From 73e38923ca6bad9469141c5fd0279dc4f5a7ef13 Mon Sep 17 00:00:00 2001
From: Li Zhou <li.zhou@windriver.com>
Date: Thu, 11 Nov 2021 17:24:01 +0800
Subject: [PATCH 4/4] kernel-std: Adapt the debian folder for building
linux-yocto source
Below are the changes on DEBIAN's kernel release's "debian" folder
for building linux-yocto kernel source 5.10.74, besides kernel configs
and the debian/changelog file:
-Remove the checking about CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT which
is only defined in DEBIAN patches;
-Update debian/config/amd64/none/defines to disable debian cloud image
building, which isn't in use here;
-Update debian/config/defines to disable rt/docs/installer packages'
building to make kernel-rt independent and avoid some building errors
caused by docs and installer, which aren't in use here;
-Update debian/lib/python/debian_linux/debian.py to remove an
unimportant format check for changelog because it conflicts with the
new building system;
-Update debian/patches/series to only keep the patches to support
package building system, which are from DEBIAN release.
-Update debian/rules to solve the issue that building paused after
gencontrol.
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
debian/bin/gencontrol_signed.py | 1 -
debian/config/amd64/none/defines | 7 --
debian/config/defines | 7 +-
debian/lib/python/debian_linux/debian.py | 23 +++--
debian/patches/series | 116 -----------------------
debian/rules | 9 +-
6 files changed, 18 insertions(+), 145 deletions(-)
diff --git a/debian/bin/gencontrol_signed.py b/debian/bin/gencontrol_signed.py
index 75d9112..b984cf3 100755
--- a/debian/bin/gencontrol_signed.py
+++ b/debian/bin/gencontrol_signed.py
@@ -188,7 +188,6 @@ class Gencontrol(Base):
(image_package_name, image_suffix)) as f:
kconfig = f.readlines()
assert 'CONFIG_EFI_STUB=y\n' in kconfig
- assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
cert_re = re.compile(r'CONFIG_SYSTEM_TRUSTED_KEYS="(.*)"$')
cert_file_name = None
for line in kconfig:
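Review bot: Dropping the `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y` assertion right after the `CONFIG_EFI_STUB=y` check leaves the signed-image generator with no check that the kernel it describes locks down under Secure Boot. The option disappears because the lockdown patches are removed from debian/patches/series in this same patch, so the assert cannot simply stay; please add a comment at this spot saying that lockdown on Secure Boot is not enforced by this build, and track restoring an equivalent check once the signature work that the commit message describes as still in development lands.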
diff --git a/debian/config/amd64/none/defines b/debian/config/amd64/none/defines
index ada2355..090dc41 100644
--- a/debian/config/amd64/none/defines
+++ b/debian/config/amd64/none/defines
@@ -1,10 +1,3 @@
[base]
flavours:
amd64
- cloud-amd64
-default-flavour: amd64
-
-[cloud-amd64_image]
-configs:
- config.cloud
- amd64/config.cloud-amd64
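Review bot: `default-flavour: amd64` is deleted together with the cloud-amd64 flavour, but the commit message only mentions disabling the cloud image. If the default is meant to fall out implicitly now that amd64 is the only flavour, say so in the commit message; otherwise keep the line so the [base] section still names its default explicitly.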
diff --git a/debian/config/defines b/debian/config/defines
index 7133cd7..018a1b2 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -141,7 +141,6 @@ arches:
compiler: gcc-10
featuresets:
none
- rt
[build]
debug-info: true
@@ -149,7 +148,7 @@ debug-info: true
signed-code: false
[featureset-rt_base]
-enabled: true
+enabled: false
[description]
part-long-up: This kernel is not suitable for SMP (multi-processor,
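Review bot: The rt featureset is now switched off in two places, by removing `rt` from the `featuresets:` list in the previous hunk and by `enabled: false` under `[featureset-rt_base]` here, and neither carries a comment. One switch with a `#` comment giving the reason (kernel-rt is made independent, per the commit message) would be easier to keep in sync the next time the Debian folder is refreshed.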
@@ -167,3 +166,7 @@ gcc-10: gcc-10 <!stage1 !cross !pkg.linux.nokernel>, gcc-10-@gnu-type-package@ <
# initramfs-generators
initramfs-fallback: linux-initramfs-tool
initramfs-tools: initramfs-tools (>= 0.120+deb8u2)
+
+[packages]
+docs: false
+installer: false
diff --git a/debian/lib/python/debian_linux/debian.py b/debian/lib/python/debian_linux/debian.py
index 6fb2618..2e0fed9 100644
--- a/debian/lib/python/debian_linux/debian.py
+++ b/debian/lib/python/debian_linux/debian.py
@@ -85,18 +85,17 @@ class Changelog(list):
v = Version(top_match.group('version'))
else:
bottom_match = self._bottom_re.match(line)
- if not bottom_match:
- raise Exception('invalid bottom line %d in changelog' %
- line_no)
-
- self.append(self.Entry(
- distribution=top_match.group('distribution'),
- source=top_match.group('source'),
- version=v,
- urgency=top_match.group('urgency'),
- maintainer=bottom_match.group('maintainer'),
- date=bottom_match.group('date')))
- top_match = bottom_match = None
+ #Don't raise exception any more if this bottom format
+ #checking fail because we have adpated the changelog format.
+ if bottom_match:
+ self.append(self.Entry(
+ distribution=top_match.group('distribution'),
+ source=top_match.group('source'),
+ version=v,
+ urgency=top_match.group('urgency'),
+ maintainer=bottom_match.group('maintainer'),
+ date=bottom_match.group('date')))
+ top_match = bottom_match = None
class Version(object):
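Review bot: With `top_match = bottom_match = None` moved under `if bottom_match:`, a line that fails `_bottom_re` is skipped silently and `top_match` keeps its old value, so an entry header that was already parsed can end up paired with the maintainer and date of a later trailer line, or be dropped entirely if no trailer ever matches. Instead of ignoring the mismatch, extend `_bottom_re` to accept the adapted changelog trailer and keep the exception for anything else, or at least emit a warning that includes `line_no`. The new comment also has a typo (`adpated`) and lacks a space after `#`.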
diff --git a/debian/patches/series b/debian/patches/series
index 56d1700..bdb60da 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,13 +1,3 @@
-debian/gitignore.patch
-
-# Disable features broken by exclusion of upstream files
-debian/dfsg/arch-powerpc-platforms-8xx-ucode-disable.patch
-debian/dfsg/drivers-media-dvb-dvb-usb-af9005-disable.patch
-debian/dfsg/vs6624-disable.patch
-debian/dfsg/drivers-net-appletalk-cops.patch
-debian/dfsg/video-remove-nvidiafb-and-rivafb.patch
-debian/dfsg/documentation-fix-broken-link-to-cipso-draft.patch
-
# Changes to support package build system
debian/version.patch
debian/uname-version-timestamp.patch
@@ -25,109 +15,3 @@ debian/android-enable-building-ashmem-and-binder-as-modules.patch
debian/documentation-drop-sphinx-version-check.patch
debian/perf-traceevent-support-asciidoctor-for-documentatio.patch
debian/kbuild-look-for-module.lds-under-arch-directory-too.patch
-
-# Fixes/improvements to firmware loading
-features/all/drivers-media-dvb-usb-af9005-request_firmware.patch
-debian/iwlwifi-do-not-request-unreleased-firmware.patch
-bugfix/all/firmware_class-log-every-success-and-failure.patch
-bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
-bugfix/all/radeon-amdgpu-firmware-is-required-for-drm-and-kms-on-r600-onward.patch
-debian/firmware_class-refer-to-debian-wiki-firmware-page.patch
-
-# Patches from aufs5 repository, imported with debian/bin/genpatch-aufs.
-# These are only the changes needed to allow aufs to be built out-of-tree.
-#features/all/aufs5/aufs5-base.patch
-#features/all/aufs5/aufs5-mmap.patch
-#features/all/aufs5/aufs5-standalone.patch
-
-# Change some defaults for security reasons
-debian/af_802154-Disable-auto-loading-as-mitigation-against.patch
-debian/rds-Disable-auto-loading-as-mitigation-against-local.patch
-debian/decnet-Disable-auto-loading-as-mitigation-against-lo.patch
-debian/dccp-disable-auto-loading-as-mitigation-against-local-exploits.patch
-debian/hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch
-debian/fs-enable-link-security-restrictions-by-default.patch
-
-# Set various features runtime-disabled by default
-debian/sched-autogroup-disabled.patch
-debian/yama-disable-by-default.patch
-debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
-features/all/security-perf-allow-further-restriction-of-perf_event_open.patch
-features/x86/intel-iommu-add-option-to-exclude-integrated-gpu-only.patch
-features/x86/intel-iommu-add-kconfig-option-to-exclude-igpu-by-default.patch
-
-# Disable autoloading/probing of various drivers by default
-debian/cdc_ncm-cdc_mbim-use-ncm-by-default.patch
-debian/snd-pcsp-disable-autoload.patch
-bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
-debian/fjes-disable-autoload.patch
-
-# Taint if dangerous features are used
-debian/fanotify-taint-on-use-of-fanotify_access_permissions.patch
-debian/btrfs-warn-about-raid5-6-being-experimental-at-mount.patch
-
-# Arch bug fixes
-bugfix/arm/arm-dts-kirkwood-fix-sata-pinmux-ing-for-ts419.patch
-bugfix/arm64/dts-rockchip-correct-voltage-selector-firefly-RK3399.patch
-bugfix/x86/perf-tools-fix-unwind-build-on-i386.patch
-bugfix/sh/sh-boot-do-not-use-hyphen-in-exported-variable-name.patch
-bugfix/arm/arm-mm-export-__sync_icache_dcache-for-xen-privcmd.patch
-bugfix/powerpc/powerpc-boot-fix-missing-crc32poly.h-when-building-with-kernel_xz.patch
-bugfix/arm64/arm64-acpi-Add-fixup-for-HPE-m400-quirks.patch
-bugfix/x86/x86-32-disable-3dnow-in-generic-config.patch
-
-# Arch features
-features/arm64/arm64-dts-rockchip-Add-basic-support-for-Kobol-s-Hel.patch
-features/x86/x86-memtest-WARN-if-bad-RAM-found.patch
-features/x86/x86-make-x32-syscall-support-conditional.patch
-
-# Miscellaneous bug fixes
-bugfix/all/disable-some-marvell-phys.patch
-bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
-debian/makefile-do-not-check-for-libelf-when-building-oot-module.patch
-bugfix/all/partially-revert-net-socket-implement-64-bit-timestamps.patch
-
-# Miscellaneous features
-
-# Lockdown missing pieces
-features/all/lockdown/efi-add-an-efi_secure_boot-flag-to-indicate-secure-b.patch
-features/all/lockdown/efi-lock-down-the-kernel-if-booted-in-secure-boot-mo.patch
-features/all/lockdown/mtd-disable-slram-and-phram-when-locked-down.patch
-features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
-
-# Improve integrity platform keyring for kernel modules verification
-features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
-features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch
-features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch
-features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch
-features/all/db-mok-keyring/modsign-make-shash-allocation-failure-fatal.patch
-features/all/db-mok-keyring/KEYS-Make-use-of-platform-keyring-for-module-signature.patch
-
-# Security fixes
-debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-debian/ntfs-mark-it-as-broken.patch
-bugfix/x86/0001-bpf-x86-Validate-computation-of-branch-displacements.patch
-bugfix/x86/0002-bpf-x86-Validate-computation-of-branch-displacements.patch
-
-# Fix exported symbol versions
-bugfix/all/module-disable-matching-missing-version-crc.patch
-
-# Tools bug fixes
-bugfix/all/usbip-document-tcp-wrappers.patch
-bugfix/all/kbuild-fix-recordmcount-dependency.patch
-bugfix/all/tools-perf-man-date.patch
-bugfix/all/tools-perf-remove-shebangs.patch
-bugfix/x86/revert-perf-build-fix-libunwind-feature-detection-on.patch
-bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch
-bugfix/all/cpupower-bump-soname-version.patch
-bugfix/all/libcpupower-hide-private-function.patch
-bugfix/all/cpupower-fix-checks-for-cpu-existence.patch
-bugfix/all/tools-perf-pmu-events-fix-reproducibility.patch
-bugfix/all/bpftool-fix-version-string-in-recursive-builds.patch
-bugfix/all/tools-include-uapi-fix-errno.h.patch
-
-# overlay: allow mounting in user namespaces
-debian/overlayfs-permit-mounts-in-userns.patch
-
-# ABI maintenance
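Review bot: Beyond Debian-only packaging patches, this hunk drops the blocks headed `# Change some defaults for security reasons`, `# Set various features runtime-disabled by default`, `# Lockdown missing pieces`, the db-mok-keyring series and `# Security fixes`, and the commit message does not say how those are covered. Please confirm that the linux-yocto 5.10.74 source already contains the two `bpf-x86-Validate-computation-of-branch-displacements` fixes, and state whether the hardening defaults (the protocol auto-loading mitigations, link security restrictions, the unprivileged CLONE_NEWUSER sysctl, the perf_event_open restriction) are intentionally not carried or are set elsewhere, for example in the kernel config or sysctl defaults.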
diff --git a/debian/rules b/debian/rules
index 3659e5b..db4fc10 100755
--- a/debian/rules
+++ b/debian/rules
@@ -113,12 +113,7 @@ debian/control-real: debian/bin/gencontrol.py $(CONTROL_FILES)
# Hash randomisation makes the pickled config unreproducible
PYTHONHASHSEED=0 $<
md5sum $^ > debian/control.md5sum
- @echo
- @echo This target is made to fail intentionally, to make sure
- @echo that it is NEVER run during the automated build. Please
- @echo ignore the following error, the debian/control file has
- @echo been generated SUCCESSFULLY.
- @echo
- exit 1
+ @echo The debian/control file has been generated SUCCESSFULLY.
+ @echo Go on with the building!
.PHONY: binary binary-% build build-% clean debian/control-real orig setup source
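Review bot: The removed `exit 1` was, by its own message, a guard to make sure `debian/control-real` is never run during the automated build; replacing it with two echoes lets a build regenerate debian/control and carry on with packaging metadata that may differ from what the build started with. If the new build system needs gencontrol to run in-line, add a comment in the rule explaining why that is safe there, or run gencontrol as a separate step before the build and keep the guard.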
--
2.17.1