Endless packaging customizations

Allow linux-initramfs-tool to provide initramfs as we use dracut.

Disable various things we don't use:
 - lowlatency flavour
 - udebs
 - ABI checking
 - Module symbol checking
 - Cloud tools
 - Docs (and trim down the build dependencies that came from this)
 - ZFS (T19536)

Build source package, needed for cross-toolchain-base (T10613).

Brand as "Endless" rather than Ubuntu.

Avoid overwriting OBS-generated changelog.

Add .gitattributes to simplify changelog merging.

Allow installation of signed linux-image packages. We create these
with kernels signed for UEFI. These packages are identical to the unsigned
linux-images but with the vmlinuz file signed. In order to let these new
packages install correctly, they need to conflict with the normal unsigned
packages. Likewise, the linux-image-extra modules packages need to allow
them as an alternate dependency. (T12944)

Add a version to the -extra package dependency on -signed-image. When
secure boot is enabled, it's not possible to load the modules in a kernel
build at a different time because a different transient module signing key
is used for each build. (T16069)

Add the Endless certificate as a trusted key, in order to sign certain
external modules with the corresponding private key (T19170)

Extend the list of staging modules that get signed based on
hardware that we support (T22451).

Remove Testsuite-Triggers dependencies because we don't use this test
script, and packages listed here will be identified as required in our
distro maintenance scripts.

The Debian linux-base version that we ship should be new enough, so drop
the specific ubuntu package version requirement.

Disable the any_signed codepath, which causes the package names to change.
We would ideally modify our signer to work with the new names but that's a
little inconvenient as the same signer needs to support multiple branches.

Disable DKMS nvidia build. We have our own separate setup for this (T26270).
Also disable vbox dkms build as it requires internet access during
the build process, unavailable on Debian & Endless.

Based on earlier changes by Dan Nicholson and others.

.gitattributes

@@ -1,2 +1,3 @@
 *.c   diff=cpp
 *.h   diff=cpp
+debian.master/changelog merge=dpkg-mergechangelogs

.gitignore

@@ -88,6 +88,7 @@ modules.builtin
 !.get_maintainer.ignore
 !.gitattributes
 !.gitignore
+!.gitattributes
 !.mailmap
 
 #

certs/endless.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIFAKvpTEYwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UEAxMW
+RW5kbGVzcyBTZWN1cmUgQm9vdCBDQTAeFw0xNzEyMDExNzA2MDlaFw0xOTEyMDEx
+NzA2MDlaMCUxIzAhBgNVBAMTGkVuZGxlc3MgU2VjdXJlIEJvb3QgU2lnbmVyMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypuOktPNFGgcPBuE6p81oA/N
+QKEgtNNDYVvDjNgV+uWMU6HYpxy5S08DOHMnOGqBSGKgbT7Lc3F7Ku3tB+NLfHXu
+nIfOMb4KwBagwPb+NyNggKFm1yG1IA0mfUY3LdlD6WeLupUpMcb1N2c+LGbiV75C
+2v9++P3rzwp/1ThIpBlb2XennDm0wnRtDtMnZMhfw4nnrjMBf3QHQ/30LCQ/K15T
+rLgFFEqX7ay2LQ68XaKcrwnJ5v/qjWpoS75nCxfwi1BKBKMYi5FSAVjrG4QhULMg
+RSj+Z20BsRQSAAjDISjmbPCTH9/D1TYlnbZ+LiRyku6XLuzIbZPtu4/84EL1cQID
+AQABozkwNzARBglghkgBhvhCAQEEBAMCBBAwFQYDVR0lBA4wDAYKKwYBBAGCNwoD
+ATALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFJJ+inyouuPSk9+KeEV
+DxAOq+SYlF2evJXEVTneizgJfeqwih9c1lYW3zMJjmf4dM/DmeTcAAgZJFSLDiS4
+SM/z9ork4sb0tHn7vc34vkMTLR3JGBfxz+z2RreTACXkyMIKbgux5PhYEeviL1S7
+k3AkgoG07f3pr/9UetqPALxOlMBKQGh73k/2XWVDSR+ce+ntxJA+xuEbQiApM65I
+V+HGDLblqJr0BnwKgrE/mllOnnyFLNLH+B4qKSzofAqtSN1gSV4rsuQU3sGD1Ebz
+GJH6xQ/AGcRt2a6ZSY+fLT7Njdcx19r5I2EjX9wcxx1aZ/q7Xr75xOGEvffMydy4
+Mic=
+-----END CERTIFICATE-----

debian.master/config/config.common.ubuntu

@@ -9693,7 +9693,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="certs/endless.pem"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_COMPAT=y
 CONFIG_SYSVIPC_SYSCTL=y

debian.master/control.d/flavour-control.stub

@@ -27,11 +27,12 @@ Architecture: ARCH
 Section: kernel
 Priority: optional
 Provides: linux-image, fuse-module, aufs-dkms, =PROVIDES=${linux:rprovides}
-Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-PKGVER-ABINUM-FLAVOUR
+Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base, linux-modules-PKGVER-ABINUM-FLAVOUR
 Recommends: BOOTLOADER, initramfs-tools | linux-initramfs-tool
 Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x]
-Conflicts: linux-image=SIGN-PEER-PKG=-PKGVER-ABINUM-FLAVOUR
+Conflicts: linux-signed-image-PKGVER-ABINUM-FLAVOUR
 Suggests: fdutils, SRCPKGNAME-doc-PKGVER | SRCPKGNAME-source-PKGVER, SRCPKGNAME-tools, linux-headers-PKGVER-ABINUM-FLAVOUR
+Replaces: linux-signed-image-PKGVER-ABINUM-FLAVOUR
 Description: Linux kernel image for version PKGVER on DESC
  This package contains the=SIGN-ME-TXT= Linux kernel image for version PKGVER on
  DESC.
@@ -69,7 +70,7 @@ Build-Profiles: <!stage1>
 Architecture: ARCH
 Section: kernel
 Priority: optional
-Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR | linux-image-unsigned-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
+Depends: ${misc:Depends}, ${shlibs:Depends}, linux-signed-image-PKGVER-ABINUM-FLAVOUR (= ${source:Version}) [amd64] | linux-image-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
 Description: Linux kernel extra modules for version PKGVER on DESC
  This package contains the Linux kernel extra modules for version PKGVER on
  DESC.

debian.master/control.stub.in

@@ -40,8 +40,6 @@ Build-Depends:
  wget <!stage1>,
 Build-Depends-Indep:
  xmlto <!stage1>,
- docbook-utils <!stage1>,
- ghostscript <!stage1>,
  fig2dev <!stage1>,
  bzip2 <!stage1>,
  sharutils <!stage1>,

debian.master/rules.d/amd64.mk

@@ -2,7 +2,7 @@ human_arch	= 64 bit x86
 build_arch	= x86
 header_arch	= $(build_arch)
 defconfig	= defconfig
-flavours	= generic lowlatency
+flavours	= generic
 build_image	= bzImage
 kernel_file	= arch/$(build_arch)/boot/bzImage
 install_file	= vmlinuz

debian.master/rules.d/armhf.mk

@@ -2,7 +2,7 @@ human_arch	= ARM (hard float)
 build_arch	= arm
 header_arch	= arm
 defconfig	= defconfig
-flavours	= generic generic-lpae
+flavours	= generic
 build_image	= zImage
 kernel_file	= arch/$(build_arch)/boot/zImage
 install_file	= vmlinuz

debian.master/rules.d/i386.mk

@@ -2,7 +2,7 @@ human_arch	= 32 bit x86
 build_arch	= i386
 header_arch	= $(build_arch)
 defconfig	= defconfig
-flavours        = generic lowlatency
+flavours        = generic
 build_image	= bzImage
 kernel_file	= arch/$(build_arch)/boot/bzImage
 install_file	= vmlinuz

debian/rules

@@ -39,6 +39,16 @@ do_tools_common?=true
 do_tools_host?=false
 do_tools_perf_jvmti?=false
 
+# Endless customizations
+skipabi=true
+skipmodule=true
+skipretpoline=true
+do_cloud_tools=false
+do_doc_package=false
+do_zfs=false
+do_dkms_nvidia=false
+do_dkms_vbox=false
+
 # Don't build tools or udebs in a cross compile environment.
 ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 	do_tools=false
@@ -50,6 +60,7 @@ endif
 
 # Are any of the kernel signing options enabled.
 any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
+any_signed=false
 ifeq ($(any_signed),true)
 bin_pkg_name=$(bin_pkg_name_unsigned)
 else
@@ -135,7 +146,17 @@ clean: debian/control
 
 	# This gets rid of the d-i packages in control
 	cp -f $(DEBIAN)/control.stub $(DROOT)/control
-	cp $(DEBIAN)/changelog debian/changelog
+
+	# Hack: OBS adds a new version in debian/changelog. We want to
+	# preserve that, but most of the rules read from the master
+	# changelog. Keep them in sync here and preserve timestamps.
+	if [ ! -f debian/changelog ]; then \
+		cp -p $(DEBIAN)/changelog debian/changelog; \
+	elif [ $(DEBIAN)/changelog -nt debian/changelog ]; then \
+		cp -p $(DEBIAN)/changelog debian/changelog; \
+	elif [ debian/changelog -nt $(DEBIAN)/changelog ]; then \
+		cp -p debian/changelog $(DEBIAN)/changelog; \
+	fi
 
 	# Install the copyright information.
 	cp $(DEBIAN)/copyright debian/copyright

debian/rules.d/0-common-vars.mk

@@ -79,7 +79,7 @@ abi_release	:= $(release)-$(abinum)
 
 uploadnum	:= $(shell echo $(revision) | sed -r -e 's/[^\+~]*\.([^\.~]+(~.*)?(\+.*)?$$)/\1/')
 ifneq ($(full_build),false)
-  uploadnum	:= $(uploadnum)-Ubuntu
+  uploadnum	:= $(uploadnum)-Endless
 endif
 
 # XXX: linux-libc-dev got bumped to -803.N inadvertantly by a ti-omap4 upload
@@ -153,15 +153,9 @@ do_doc_package_content=false
 endif
 doc_pkg_name=$(src_pkg_name)-doc
 
-#
-# Similarly with the linux-source package, you need not build it as a developer. Its
-# somewhat I/O intensive and utterly useless.
-#
+# linux-source is used to build cross-compilers, default to building it.
 do_source_package=true
 do_source_package_content=true
-ifeq ($(full_build),false)
-do_source_package_content=false
-endif
 
 # linux-libc-dev may not be needed, default to building it.
 do_libc_dev_package=true

debian/rules.d/2-binary-arch.mk

@@ -752,11 +752,7 @@ build-arch-deps-$(do_flavour_image_package) += $(addprefix $(stampdir)/stamp-bui
 build-arch: $(build-arch-deps-true)
 	@echo Debug: $@
 
-ifeq ($(AUTOBUILD),)
-binary-arch-deps-$(do_flavour_image_package) += binary-udebs
-else
 binary-arch-deps-$(do_flavour_image_package) = binary-debs
-endif
 binary-arch-deps-$(do_libc_dev_package) += binary-arch-headers
 ifneq ($(do_common_headers_indep),true)
 binary-arch-deps-$(do_flavour_header_package) += binary-headers

debian/tests/control

@@ -3,5 +3,4 @@ Depends: @builddeps@, fakeroot
 Restrictions: allow-stderr, skippable
 
 Tests: ubuntu-regression-suite
-Depends: build-essential, gcc-multilib [amd64 armhf i386], gdb, git, bzr
 Restrictions: allow-stderr, isolation-machine, breaks-testbed, skippable

drivers/staging/signature-inclusion

@@ -17,3 +17,6 @@ rtllib_crypt_ccmp.ko
 rtllib_crypt_tkip.ko
 rtllib_crypt_wep.ko
 rtllib.ko
+r8723bs.ko
+r8822be.ko
+vboxvideo.ko