Merge branch 'develop' into dlpx/pr/prakashsurya/72edc04a-cee4-4103-94c5-49bc2694c167

Author: prakashsurya

default-package-config.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2018, 2020 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -160,6 +160,44 @@ function kernel_build() {
 	#
 	logmust fakeroot debian/rules printenv "${debian_rules_args[@]}"
 
+	#
+	# Configure signing keys/certs before build
+	#
+	# CONFIG_MODULE_SIG_KEY is set to /var/tmp/sbkeys/signing_key.pem in
+	# resources/delphix_kernel_annotations
+	#
+	FLAVOUR=$platform
+	OBJ=debian/build/build-$FLAVOUR
+	CERTS=$OBJ/certs
+
+	# ensure the objdir + certs dir exist
+	mkdir -p "$CERTS"
+	download_keys
+
+	# provide the key the packaging expects INSIDE the objdir
+	# (symlink or copy)
+	logmust ln -sf "${SB_KEYS_DIR}/signing_key.pem" "$CERTS/signing_key.pem"
+	logmust chmod 600 "$CERTS/signing_key.pem"
+
+	# create the DER .x509 that sign-file needs from .crt)
+	logmust openssl x509 -in "${SB_KEYS_DIR}/db.crt" -outform DER -out "$CERTS/signing_key.x509"
+
+	# sanity checks
+	logmust test -s "$CERTS/signing_key.pem" || {
+		echo "missing signing_key.pem"
+		exit 1
+	}
+	logmust test -s "$CERTS/signing_key.x509" || {
+		echo "missing signing_key.x509"
+		exit 1
+	}
+	logmust openssl pkey -in "$CERTS/signing_key.pem" -noout >/dev/null || {
+		echo "key unreadable"
+		exit 1
+	}
+	SBSIGN_KEY="${SBSIGN_KEY:-$SB_KEYS_DIR/db.key}"
+	SBSIGN_CERT="${SBSIGN_CERT:-$SB_KEYS_DIR/db.crt}"
+
 	#
 	# The default value of the tool argument for mk-build-deps
 	# is the following:
@@ -203,6 +241,23 @@ function kernel_build() {
 	# one of the .debs produced
 	#
 	logmust test -f "artifacts/linux-image-${kernel_version}_"*.deb
+
+	#
+	# After the build, unpackage linux-image package and sign vmlinuz
+	#
+	linux_deb=$(find artifacts -type f -name "linux-image-${kernel_version}*.deb" | head -n1)
+	temp_dir=$(mktemp -d -p "/var/tmp/")
+	logmust fakeroot dpkg-deb -R $linux_deb "$temp_dir"
+
+	bz="$temp_dir/boot/vmlinuz-${kernel_version}"
+	logmust sbsign --key $SBSIGN_KEY --cert $SBSIGN_CERT --output "$bz.signed" "$bz"
+	logmust mv "$bz.signed" "$bz"
+	logmust sbverify --list "$bz"
+
+	# Repack the .deb"
+	update_md5sums "$temp_dir"
+	repack_deb $linux_deb $temp_dir
+	delete_keys
 }
 
 #

lib/common.sh

@@ -1414,3 +1414,87 @@ function set_secret_build_args() {
 		_SECRET_BUILD_ARGS+=("-DSECRET_DB_AWS_REGION=$SECRET_DB_AWS_REGION")
 	fi
 }
+
+#
+# Secure boot variables and functions
+#
+# S3 bucket containing keys and certs
+# ./db subdirectory contains the db key and various certs:
+#   .der is for signing modules like ZFS and connstat
+#   .crt is for signing vmlinuz
+#   signing_key.pem is the format expected by kernel build for signing its modules
+#
+# ./pub contains the auth files, secure boot enrollment certs.
+#
+S3_KEYS_URL="s3://secure-boot-keys-prod/release"
+#
+# The kernel build expects the signing_key.pem in this directory, i.e.
+# CONFIG_MODULE_SIG_KEY is set to /var/tmp/sbkeys/signing_key.pem in
+# resources/delphix_kernel_annotations
+#
+SB_KEYS_DIR="/var/tmp/sbkeys"
+SBSIGN_KEY="$SB_KEYS_DIR/db.key"
+SBSIGN_DER="$SB_KEYS_DIR/db.der"
+
+function download_keys() {
+	logmust mkdir -p $SB_KEYS_DIR
+	logmust aws s3 cp --recursive "$S3_KEYS_URL/db/" $SB_KEYS_DIR
+}
+
+function delete_keys() {
+	logmust rm -r $SB_KEYS_DIR
+}
+
+# Update DEBIAN/md5sum for package directory after
+# some files were updated, i.e. secure-boot signed.
+#
+function update_md5sums() {
+	pkg_dir=$1
+	echo_bold "Updating md5sums for $pkg_dir"
+
+	(
+		cd "$pkg_dir" || exit
+		: >DEBIAN/md5sums
+		# print paths relative to root of package
+		while IFS= read -r -d '' f; do
+			rel="${f#./}"
+			md5sum "$rel" >>DEBIAN/md5sums
+		done < <(find . -type f ! -path './DEBIAN/*' ! -path './etc/depmod*' -print0)
+	)
+}
+
+function repack_deb() {
+	deb_name=$1
+	deb_dir=$2
+	temp_deb=$(mktemp /tmp/deb.XXXXXX)
+
+	logmust fakeroot dpkg-deb -b "$deb_dir" "$temp_deb"
+	logmust mv "$temp_deb" "$deb_name"
+}
+
+#
+# Sign .ko files in the module list
+#
+function sign_modules() {
+	deb_pkgs="$1"
+	echo_bold "Signing $deb_pkgs"
+	download_keys
+
+	while IFS= read -r pkg; do
+		echo_bold "Processing $pkg"
+		temp_dir=$(mktemp -d -p "/var/tmp/")
+		logmust fakeroot dpkg-deb -R "$pkg" "$temp_dir"
+
+		# Find and sign all .ko files in package
+		find "$temp_dir" -type f -name "*.ko" -print0 |
+			while IFS= read -r -d '' kernel_mod; do
+				logmust kmodsign sha256 "$SBSIGN_KEY" "$SBSIGN_DER" "$kernel_mod" "$kernel_mod.signed"
+				logmust mv "$kernel_mod.signed" "$kernel_mod"
+				logmust modinfo -F signer "$kernel_mod"
+			done
+		# Repack the .deb"
+		update_md5sums "$temp_dir"
+		repack_deb "$pkg" "$temp_dir"
+	done <<<"$deb_pkgs"
+	delete_keys
+}

packages/connstat/config.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2018, 2020 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -50,4 +50,8 @@ function build() {
 
 	logmust cd "$WORKDIR/repo"
 	logmust mv ./*deb "$WORKDIR/artifacts/"
+
+	# Sign the generated modules
+	connstat_pkgs=$(find "$WORKDIR/artifacts" -type f -name "connstat-module-*.deb" ! -name "*-dbg*")
+	sign_modules "$connstat_pkgs"
 }

packages/delphix-platform/config.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2018, 2020 Delphix
+# Copyright 2018, 2026 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -18,11 +18,14 @@
 
 DEFAULT_PACKAGE_GIT_URL="https://github.com/delphix/delphix-platform.git"
 
+function prepare() {
+	logmust cd "$WORKDIR/repo"
+	logmust sudo -E make build-deps
+}
+
 function build() {
 	logmust cd "$WORKDIR/repo"
-	logmust ansible-playbook bootstrap/playbook.yml
-	logmust ./scripts/docker-run.sh make packages \
-		VERSION="1.0.0-$PACKAGE_REVISION"
+	logmust sudo -E make packages VERSION="1.0.0-$PACKAGE_REVISION"
 	logmust sudo chown -R "$USER:" artifacts
-	logmust mv artifacts/*deb "$WORKDIR/artifacts/"
+	logmust sudo mv artifacts/*deb "$WORKDIR/artifacts/"
 }

packages/grub2/config.sh

@@ -17,29 +17,18 @@
 # shellcheck disable=SC2034
 
 DEFAULT_PACKAGE_GIT_URL="https://github.com/delphix/grub2"
+SKIP_COPYRIGHTS_CHECK=true
 
-UPSTREAM_GIT_URL=https://git.launchpad.net/ubuntu/+source/grub2
-UPSTREAM_GIT_BRANCH="applied/ubuntu/${UBUNTU_DISTRIBUTION}-updates"
+URI="s3://release-de-images/internal-artifacts/2025.3.0.1/1.0.53/input-artifacts/combined-packages/packages/grub2"
 
-SKIP_COPYRIGHTS_CHECK=true
+function fetch() {
+	logmust cd "$WORKDIR/artifacts"
 
-#
-# Install build dependencies for the package.
-#
-function prepare() {
-	logmust install_build_deps_from_control_file
+	logmust aws s3 sync "$URI" .
+	logmust sha256sum -c SHA256SUMS
 }
 
-#
-# Build the package.
-#
 function build() {
-	logmust dpkg_buildpackage_default
-}
-
-#
-# Hook to fetch upstream package changes and merge into our tree.
-#
-function update_upstream() {
-	logmust update_upstream_from_git
+	return
+	# Nothing to do, all the logic is done in fetch().
 }

packages/virtualization/config.sh

@@ -27,13 +27,14 @@ function prepare() {
 	logmust install_pkgs "${_RET_LIST[@]}"
 
 	logmust install_pkgs \
+		openjdk-17-jdk-headless \
 		"$DEPDIR"/crypt-blowfish/*.deb \
 		"$DEPDIR"/host-jdks/*.deb
 }
 
 function build() {
 	export JAVA_HOME
-	JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64/"
+	JAVA_HOME="/usr/lib/jvm/java-17-openjdk-amd64/"
 
 	export LANG
 	LANG=en_US.UTF-8

packages/windows-connector/config.sh

@@ -19,6 +19,11 @@
 DEFAULT_PACKAGE_GIT_URL="https://github.com/delphix/dlpx-app-gate.git"
 SKIP_COPYRIGHTS_CHECK=true
 
+function prepare() {
+	logmust install_pkgs \
+		openjdk-17-jdk-headless
+}
+
 function build() {
 	CONNECTOR_DIR="${WORKDIR}/repo/appliance/server/connector"
 	INSTALLER_DIR="${WORKDIR}/repo/appliance/host/windows"

packages/zfs/config.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2019, 2020 Delphix
+# Copyright 2019, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -174,6 +174,10 @@ function build() {
 	done
 	logmust cd "$WORKDIR"
 	logmust mv "all-packages/"*.deb "artifacts/"
+
+	# Sign ZFS modules in all packages
+	zfs_pkgs=$(find "$WORKDIR/artifacts" -type f -name "zfs-modules-*.deb" ! -name "*-dbg*")
+	sign_modules "$zfs_pkgs"
 }
 
 function update_upstream() {

resources/delphix_kernel_annotations

@@ -2,6 +2,9 @@
 # FORMAT: 4
 # ARCH: amd64
 # FLAVOUR: amd64-aws amd64-azure amd64-generic amd64-gcp amd64-oracle
+#
+CONFIG_MODULE_SIG_KEY  		policy<{'amd64': '"/var/tmp/sbkeys/signing_key.pem"'}>
+CONFIG_MODULE_SIG_FORCE 			policy<{'amd64': 'y', 'arm64': 'n'}>
 
 #
 # Disable various "net" modules which we don't use.
@@ -151,7 +154,6 @@ CONFIG_CDROM                                    policy<{'amd64': 'n', 'arm64': '
 CONFIG_CEPH_LIB                                 policy<{'amd64': 'n', 'arm64': 'n'}>
 CONFIG_CRAMFS                                   policy<{'amd64': 'n', 'arm64': 'n'}>
 CONFIG_CYCLADES                                 policy<{'amd64': 'n', 'arm64': 'n'}>
-CONFIG_DRM                                      policy<{'amd64': 'n', 'arm64': 'n'}>
 CONFIG_ENIC                                     policy<{'amd64': 'n', 'arm64': 'n'}>
 CONFIG_FM10K                                    policy<{'amd64': 'n', 'arm64': 'n'}>
 CONFIG_FORCEDETH                                policy<{'amd64': 'n', 'arm64': 'n'}>

setup.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2018, 2020 Delphix
+# Copyright 2018, 2025 Delphix
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -80,7 +80,7 @@ function configure_apt_sources() {
 		deb ${primary_url} ${UBUNTU_DISTRIBUTION}-backports main restricted universe multiverse
 		deb-src ${primary_url} ${UBUNTU_DISTRIBUTION}-backports main restricted universe multiverse
 
-		deb ${secondary_url} ${UBUNTU_DISTRIBUTION} main multiverse universe
+		deb ${secondary_url} ${UBUNTU_DISTRIBUTION} main multiverse universe stable
 		EOF" || die "/etc/apt/sources.list could not be updated"
 
 	logmust sudo apt-key add "$TOP/resources/delphix-secondary-mirror.key"