Bug 38873 - Preview Linux Kernel 4.1 for UCS 4.1
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Kernel
UCS 4.1
Other Linux
: P5 enhancement (vote)
: UCS 4.1
Assigned To: Philipp Hahn
Stefan Gohmann
: interim-1
Depends on:
Blocks: 38872 39645 39844
Reported: 2015-07-10 07:45 CEST by Stefan Gohmann
Modified: 2015-11-17 12:11 CET

Attachments
installer-kernel.png (23.35 KB, image/png)
2015-10-01 08:25 CEST, Stefan Gohmann
Description Stefan Gohmann univentionstaff 2015-07-10 07:45:42 CEST
Milestone 1 for UCS 4.1 should include a preview of the Linux Kernel 4.1.
Comment 1 Philipp Hahn univentionstaff 2015-09-01 16:52:34 CEST
$ repo_admin.py -U -p linux -d sid -r 4.1-0-0 # 4.1.6-1

r15198 | linux/4.1-0-0-ucs/4.1.6-1/
r15199 | linux/4.1-0-0-ucs/4.1.6-1/
r15200 | linux/4.1-0-0-ucs/4.1.6-1/

$ build-package-ng -r 4.1-0-0 -P ucs -p linux --force-arch --no-pbuilder-update

Package: linux
Version: 4.1.6-1.142.201508311244
Branch: ucs_4.1-0

$ build-package-architecture-ng -r 4.1-0-0 -P ucs -p linux --no-pbuilder-update

r63389 | Bug #38873 kernel: Copyright 2015
r63388 | Bug #38873 kernel: modernize build
r63387 | Bug #38873 kernel: Copyright 2015

TODO: Breaks udev (< 208-8~)
Comment 2 Philipp Hahn univentionstaff 2015-09-02 12:33:08 CEST
(In reply to Philipp Hahn from comment #1)
> TODO: Breaks udev (< 208-8~)

This was added due to <https://bugs.debian.org/752742> and <https://bugs.debian.org/756312> (CONFIG_UEVENT_HELPER=n)

r15229 | Re-enable CONFIG_UEVENT_HELPER=y
Comment 3 Philipp Hahn univentionstaff 2015-09-03 10:22:57 CEST
Package: linux
Version: 4.1.6-1.143.201509021231
Branch: ucs_4.1-0


omar is using an apt-ftparchive that is too old: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774893>. Patch at <https://lists.debian.org/deity/2015/01/msg00015.html>

Worked around by hand:
 cd /var/univention/buildsystem2/apt/ucs_4.1-0
 sed -i.bak -re '/-4\.1\.0-ucs[0-9]+-([0-9]86|amd64)/n;/-4\.1\.0-ucs[0-9]+-.*deb /d' source/linux_4.1.6-1.143.201509021231.dsc
 sed -i.bak -re '
s!^ [0-9a-f]{40} [0-9]+ (linux_[0-9.-]+.dsc)!echo " `sha1sum source/\1|cut -d\\  -f1` `stat -c %s source/\1` \1"!e
s!^ [0-9a-f]{64} [0-9]+ (linux_[0-9.-]+.dsc)!echo " `sha256sum source/\1|cut -d\\  -f1` `stat -c %s source/\1` \1"!e
s!^ [0-9a-f]{32} [0-9]+ (\w+) (\w+) (linux_[0-9.-]+.dsc)!echo " `md5sum source/\3|cut -d\\  -f1` `stat -c %s source/\3` \1 \2 \3"!e
 ' source/linux_4.1.6-1.143.201509021231_i386.changes
 repo-apt-ftparchive --release ucs_4.1-0

OK: amd64 @ kvm
OK: i386 @ kvm
OK: amd64 @ xen12
OK: pgrep -l udevd

r63421 | Bug #38873: linux-4.1.6 signed
r63420 | Bug #38873: linux-4.1.6

Package: univention-kernel-image
Version: 9.0.0-1.78.201509031018
Branch: ucs_4.1-0

r63422 | Bug #38873 doc: linux-4.1.6
 changelog-4.1-0.xml

TODO: sign kernel for Secure Boot, add to univention-kernel-image-signed, build, ...
Comment 4 Philipp Hahn univentionstaff 2015-09-18 18:32:05 CEST
Running "signtool.exe sign /v /debug /fd SHA256 vmlinuz-4.1.0-ucs143-amd64" returns error 0x800700C1, which <https://markcz.wordpress.com/2013/01/26/signtool-exe-returned-error-0x800700c1/> indicates that the Linux-4.1 kernel might be signed already:

$ cmp -l -b /boot/vmlinuz-3.16.0-ucs135-amd64 /boot/vmlinuz-3.16.0-ucs135-amd64.efi.signed
    219   0 ^@    14 ^L
    220   0 ^@   106 F
    221   0 ^@    77 ?
    299   0 ^@   200 M-^@
    300   0 ^@    63 3
    301   0 ^@    77 ?
    303   0 ^@   120 P
    304   0 ^@    17 ^O

$ hte /boot/vmlinuz-3.16.0-ucs135-amd64.efi.signed
* PE header at offset 0x00000082
[-] optional header: NT fields
  checksum                                          003f460c
[-] optional header: directories
  security directory           (rva/size)           003f3380 00000f50 raw

But running "hte vmlinuz-4.1.0-ucs143-amd64" shows both fields to be zero.

TBC...
Comment 5 Philipp Hahn univentionstaff 2015-09-22 13:22:56 CEST
# diff <(pedump /boot/vmlinuz-3.16.0-ucs135-amd64) <(pedump /boot/vmlinuz-4.1.0-ucs143-amd64)
<               SectionAlignment:         32          0x20
---
>               SectionAlignment:    2097152      0x200000

$ git show aeffc4928ea21aab3c7be72f00e257799b661c29
commit aeffc4928ea21aab3c7be72f00e257799b661c29
Author: Michael Brown <mbrown@fensystems.co.uk>
Date:   Thu Jul 10 16:59:23 2014 +0100

    x86/efi: Request desired alignment via the PE/COFF headers
    
    The EFI boot stub goes to great pains to relocate the kernel image to
    an appropriately aligned address, as indicated by the ->kernel_alignment
    field in the bzImage header.  However, for the PE stub entry case, we
    can request that the EFI PE/COFF loader do the work for us.
    
    Fix by exposing the desired alignment via the SectionAlignment field
    in the PE/COFF headers.  Despite its name, this field provides an
    overall alignment requirement for the loaded file.  (Naturally, the
    FileAlignment field describes the alignment for individual sections.)
    
    There is no way in the PE/COFF headers to express the concept of
    min_alignment; we therefore do not expose the minimum (as opposed to
    preferred) alignment.
    
    Signed-off-by: Michael Brown <mbrown@fensystems.co.uk>
    Signed-off-by: Matt Fleming <matt.fleming@intel.com>

diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index 84c2234..1fdb350 100644
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -155,7 +155,7 @@ extra_header_fields:
 #else
        .quad   0                               # ImageBase
 #endif
-       .long   0x20                            # SectionAlignment
+       .long   CONFIG_PHYSICAL_ALIGN           # SectionAlignment
        .long   0x20                            # FileAlignment
        .word   0                               # MajorOperatingSystemVersion
        .word   0                               # MinorOperatingSystemVersion
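
Review bot: SectionAlignment is switched to CONFIG_PHYSICAL_ALIGN while the FileAlignment line directly below it stays at 0x20, and nothing in this hunk touches the section table, so the header now advertises an alignment (0x200000 in the pedump output above) that the section entries are not shown to honour. The commit message itself says the field is being used for overall load alignment "Despite its name"; either align the section addresses to the new value or keep 0x20 here and request load alignment another way, and check the resulting image with a PE signing tool before merging.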

Reverting that commit makes the kernel image acceptable for signtool.exe.
The patch is scheduled for revert: <http://git.kernel.org/cgit/linux/kernel/git/tip/tip.git/patch/?id=fa5c35011a8d5f3d0c597a6336107eafd1b6046c>

r15297 | signtool revert
r15298 | dpkg-parsechangelog  is too old:
> dpkg-parsechangelog: unknown option `-SDistribution'
> dpkg-parsechangelog: unknown option `-SDate'

Package: linux
Version: 4.1.6-1.149.201509211611
Branch: ucs_4.1-0

r63869 | Bug #38873: linux-4.1.6

Package: univention-kernel-image
Version: 9.0.0-1.80.201509220835
Branch: ucs_4.1-0

r63870 | Bug #38873: linux-4.1.6

Package: univention-kernel-image-signed
Version: 2.0.0-1.8.201509220909
Branch: ucs_4.1-0


OK: amd64 @ kvm
OK: i386 @ kvm
OK: amd64 @ xen12
FAIL: amd64 @ OVMF: Grub refuses to load the kernel: "Invalid signature"



FYI: There are two tools to sign the Linux kernel using Linux tools <https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools>:
- <git://kernel.ubuntu.com/jk/sbsigntool>
- <https://github.com/rhinstaller/pesign>
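
The header fields compared in comments 4 and 5 (checksum, security directory, SectionAlignment) can be read directly from the image. The following is an added example, not part of the original comments or of Univention's tooling: `pe_signing_fields` and `build_sample` are hypothetical names, the sample header is constructed from the values quoted above with a made-up `.setup` section entry, and the section-alignment check is an assumption about what a strict PE validator enforces, not a reason stated on this page.

```python
import struct

CERT_DIR = 4  # index of the certificate table ("security directory")

def pe_signing_fields(data: bytes) -> dict:
    """Read the PE/COFF header fields that hte and pedump display."""
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt = pe_off + 24                       # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ / PE32
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    (checksum,) = struct.unpack_from("<I", data, opt + 64)
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)
    cert = (struct.unpack_from("<II", data, dirs + 8 * CERT_DIR)
            if ndirs > CERT_DIR else (0, 0))
    # Assumption: a strict validator wants every section RVA to be a
    # multiple of SectionAlignment, as the PE/COFF format specifies.
    misaligned = []
    for i in range(nsect):
        name, _vsize, rva = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        if sect_align and rva % sect_align:
            misaligned.append(name.rstrip(b"\0").decode())
    return {"section_alignment": sect_align, "file_alignment": file_align,
            "checksum": checksum, "cert_table": cert,
            "has_cert_table": cert[1] != 0, "misaligned_sections": misaligned}

def build_sample(sect_align: int, checksum: int = 0, cert=(0, 0)) -> bytes:
    """Constructed PE32+ header (not a real kernel), PE signature at 0x82."""
    pe_off, opt_size = 0x82, 112 + 16 * 8
    opt = pe_off + 24
    buf = bytearray(opt + opt_size + 40)
    buf[:2], buf[pe_off:pe_off + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    struct.pack_into("<HH", buf, pe_off + 4, 0x8664, 1)   # x86-64, 1 section
    struct.pack_into("<H", buf, pe_off + 20, opt_size)
    struct.pack_into("<H", buf, opt, 0x20B)               # PE32+
    struct.pack_into("<II", buf, opt + 32, sect_align, 0x20)
    struct.pack_into("<I", buf, opt + 64, checksum)
    struct.pack_into("<I", buf, opt + 108, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 112 + 8 * CERT_DIR, *cert)
    struct.pack_into("<8sII", buf, opt + opt_size, b".setup", 0x3000, 0x200)
    return bytes(buf)

if __name__ == "__main__":
    print(pe_signing_fields(build_sample(0x20, 0x003F460C, (0x003F3380, 0xF50))))
    print(pe_signing_fields(build_sample(0x200000)))
```

With the PE signature at 0x82, the checksum lands at file offset 218 and the certificate table entry at 298, which are the 1-based positions 219 and 299 where `cmp -l` reports the first differences between the unsigned and signed 3.16 images. A non-empty certificate table only shows that a signature blob is attached, not that it verifies.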
Comment 6 Stefan Gohmann univentionstaff 2015-10-01 08:25:05 CEST
Created attachment 7194 [details]
installer-kernel.png
Comment 7 Stefan Gohmann univentionstaff 2015-10-01 08:28:12 CEST
(In reply to Stefan Gohmann from comment #6)
> Created attachment 7194 [details]
> installer-kernel.png

During the installation, the installer asks which kernel should be installed.
Comment 8 Philipp Hahn univentionstaff 2015-10-01 15:28:31 CEST
(In reply to Stefan Gohmann from comment #7)
> During the installation, the installer asks which kernel should be installed.

Not a bug of the Kernel.
Fixed otherwise.
Works-for-me with isotests/ucs_4.1-0-20151001-141500-dvd-amd64.iso
Comment 9 Stefan Gohmann univentionstaff 2015-10-01 17:38:48 CEST
(In reply to Philipp Hahn from comment #8)
> Not a bug of the Kernel.
> Fixed otherwise.
> Works-for-me with isotests/ucs_4.1-0-20151001-141500-dvd-amd64.iso

It looks like you or someone else built the debian-installer for this DVD. This seems to fix the issue. Good to know.

Upgrade: OK (small adjustment r64132)

Installation in KVM: OK

Installation on hardware: OK

The rest will be tested via Bug #38872.
Comment 10 Stefan Gohmann univentionstaff 2015-11-17 12:11:57 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".