From 5254e35d9d779070d2450e28060352572c8fc4dc Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Fri, 3 Aug 2018 15:34:34 +0800
Subject: [PATCH] debian/bin/gencontrol_signed.py: Add certificate fingerprints to template metadata

The signing service will check which certificates we trust, in order to avoid mistakenly creating a chain of trust to a test signing key.
---
 debian/bin/gencontrol_signed.py | 58 ++++++++++++++++++++++++++++++---
 debian/changelog | 2 ++
 2 files changed, 55 insertions(+), 5 deletions(-)

diff --git a/debian/bin/gencontrol_signed.py b/debian/bin/gencontrol_signed.py
index ba5480053..5a142cfd5 100755
--- a/debian/bin/gencontrol_signed.py
+++ b/debian/bin/gencontrol_signed.py
@@ -9,7 +9,7 @@ from debian_linux.debian import Changelog, PackageDescription, VersionLinux, \
 from debian_linux.gencontrol import Gencontrol as Base, merge_packages
 from debian_linux.utils import Templates, read_control
 
-import os.path, re, codecs, io, json, subprocess, time
+import os.path, re, codecs, io, json, subprocess, time, ssl, hashlib
 
 class Gencontrol(Base):
     def __init__(self, arch):
@@ -131,14 +131,28 @@ class Gencontrol(Base):
 
         image_suffix = '%(abiname)s%(localversion)s' % vars
         image_package_name = 'linux-image-%s-unsigned' % image_suffix
-        self.image_packages.append((image_suffix, image_package_name))
 
-        # Verify that this flavour is configured to support Secure Boot
+        # Verify that this flavour is configured to support Secure Boot,
+        # and get the trusted certificates filename.
         with open('debian/%s/boot/config-%s' %
                   (image_package_name, image_suffix)) as f:
             kconfig = f.readlines()
         assert 'CONFIG_EFI_STUB=y\n' in kconfig
         assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
+        cert_re = re.compile(r'CONFIG_SYSTEM_TRUSTED_KEYS="(.*)"$')
+        cert_file_name = None
+        for line in kconfig:
+            match = cert_re.match(line)
+            if match:
+                cert_file_name = match.group(1)
+                break
+        assert cert_file_name
+        if featureset != "none":
+            cert_file_name = os.path.join('debian/build/source_%s' % featureset,
+                                          cert_file_name)
+
+        self.image_packages.append((image_suffix, image_package_name,
+                                    cert_file_name))
 
         packages['source']['Build-Depends'].append(
             image_package_name +
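Review bot: `assert cert_file_name` is the only thing that stops a flavour whose config has `CONFIG_SYSTEM_TRUSTED_KEYS=""` from reaching the signing step, and like the existing Secure Boot asserts it is stripped under `python3 -O`; since this value now feeds the files.json that the signing service acts on, an explicit `if not cert_file_name: raise RuntimeError('CONFIG_SYSTEM_TRUSTED_KEYS is not set for %s' % image_suffix)` fails closed regardless of interpreter flags and names the offending flavour. The `featureset != "none"` branch also leaves the path taken from the kernel config untouched for the `none` featureset, so it is only valid if it is relative to the directory this script runs from (presumably the package top directory, as the `debian/...` paths above are), which is worth stating in a comment such as `# For the 'none' featureset the config path is relative to the package top directory`. The enclosing method starts before this hunk and continues after it.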
@@ -207,9 +221,37 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
 
         def raise_func(e):
             raise e
 
+        # Some functions in openssl work with multiple concatenated
+        # PEM-format certificates, but others do not.
+        def get_certs(file_name):
+            certs = []
+            BEGIN, MIDDLE = 0, 1
+            state = BEGIN
+            with open(file_name) as f:
+                for line in f:
+                    if line == '-----BEGIN CERTIFICATE-----\n':
+                        assert state == BEGIN
+                        certs.append([])
+                        state = MIDDLE
+                    elif line == '-----END CERTIFICATE-----\n':
+                        assert state == MIDDLE
+                        state = BEGIN
+                    else:
+                        assert line[0] != '-':
+                        assert state == MIDDLE
+                        certs[-1].append(line)
+            assert state == BEGIN
+            return [''.join(cert_lines) for cert_lines in certs]
+
+        def get_cert_fingerprint(cert, algo):
+            hasher = hashlib.new(algo)
+            hasher.update(ssl.PEM_cert_to_DER_cert(cert))
+            return hasher.hexdigest()
+
         all_files = {}
-        for image_suffix, image_package_name in self.image_packages:
+        for image_suffix, image_package_name, cert_file_name in \
+                self.image_packages:
             package_dir = 'debian/%s' % image_package_name
             package_files = []
             package_files.append({'sig_type': 'efi',
@@ -222,7 +264,13 @@ linux-signed-@arch@ (@signedsourceversion@) @distribution@; urgency=@urgency@
                             {'sig_type': 'linux-module',
                              'file': '%s/%s' % (root[len(package_dir) + 1 :], name)})
 
-            all_files[image_package_name] = {'files': package_files}
+            package_certs = [get_cert_fingerprint(cert)
+                             for cert in get_certs(cert_file_name)]
+            assert len(package_certs) >= 1
+            all_files[image_package_name] = {
+                'trusted_certs': package_certs,
+                'files': package_files
+            }
 
         with codecs.open(self.template_top_dir + '/files.json', 'w') as f:
             json.dump(all_files, f)
diff --git a/debian/changelog b/debian/changelog
index f0a216e79..db4ce1aed 100644
--- a/debian/changelog
+++ b/debian/changelog
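Review bot: `assert line[0] != '-':` in `get_certs` has a stray trailing colon, which is a SyntaxError, so the whole script fails to load with this hunk applied; it should read `assert line[0] != '-'`. Separately, `certs[-1].append(line)` is reached only from the `else` branch, so the BEGIN and END marker lines are never included in the certificate text that `get_cert_fingerprint` hands to `ssl.PEM_cert_to_DER_cert`, and that function rejects input that does not start with `-----BEGIN CERTIFICATE-----`; dedenting the append one level so it runs after the if/elif/else keeps the markers with their certificate. The exact `\n` comparisons mean a CRLF-terminated or unterminated final marker line falls into the `else` branch and trips the dash assert, which fails closed, but a comment saying so would spare the next reader a puzzle. The enclosing method starts before this hunk and continues after it.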
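Review bot: `get_cert_fingerprint(cert)` passes one argument, but the helper defined earlier in the same method is `get_cert_fingerprint(cert, algo)`, so the first flavour to reach this line raises TypeError; it needs the digest spelled out, e.g. `package_certs = [get_cert_fingerprint(cert, 'sha256') for cert in get_certs(cert_file_name)]`. The JSON then carries bare hex strings, so the signing service has to assume which digest produced them; if the format is still open, recording it (say `'trusted_certs_sha256'` as the key, or a separate `'fingerprint_algo'` entry) keeps the two sides from disagreeing silently. `assert len(package_certs) >= 1` is likewise the only guard against an empty or marker-less trust file and disappears under `-O`, so an explicit raise is the safer choice for a check that decides what gets signed. The enclosing method starts before this hunk.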
@@ -18,6 +18,8 @@ linux (4.18~rc7-1~exp1) UNRELEASED; urgency=medium
     - Build with KBUILD_VERBOSE=1 by default
     - objtool, usbip: Build with V=1 by default
   * cpupower: Fix handling of noopt and nostrip build options
+  * debian/bin/gencontrol_signed.py: Add certificate fingerprints to template
+    metadata
 
  -- Uwe Kleine-König Sat, 21 Jul 2018 16:52:01 +0200