From 1421670670deacbdc902f8b9a7e84aa51cfbc6c3 Mon Sep 17 00:00:00 2001
From: Daniel Drake <drake@endlessm.com>
Date: Tue, 10 Mar 2015 16:05:44 -0600
Subject: [PATCH] Endless packaging customizations

Allow linux-initramfs-tool to provide initramfs as we use dracut.

Disable various things we don't use:
 - lowlatency flavour
 - udebs
 - ABI checking
 - Module symbol checking
 - Cloud tools
 - Docs (and trim down the build dependencies that came from this)
 - ZFS (T19536)

Build source package, needed for cross-toolchain-base (T10613).

Brand as "Endless" rather than Ubuntu.

Avoid overwriting OBS-generated changelog.

Add .gitattributes to simplify changelog merging.

Allow installation of signed linux-image packages. We create these
with kernels signed for UEFI. These packages are identical to the unsigned
linux-images but with the vmlinuz file signed. In order to let these new
packages install correctly, they need to conflict with the normal unsigned
packages. Likewise, the linux-image-extra modules packages need to allow
them as an alternate dependency. (T12944)

Add a version to the -extra package dependency on -signed-image. When
secure boot is enabled, it's not possible to load the modules in a kernel
build at a different time because a different transient module signing key
is used for each build. (T16069)

Add the Endless certificate as a trusted key, in order to sign certain
external modules with the corresponding private key (T19170)

Extend the list of staging modules that get signed based on
hardware that we support (T22451).

Remove Testsuite-Triggers dependencies because we don't use this test
script, and packages listed here will be identified as required in our
distro maintenance scripts.

The Debian linux-base version that we ship should be new enough, so drop
the specific ubuntu package version requirement.

Disable the any_signed codepath, which causes the package names to change.
We would ideally modify our signer to work with the new names but that's a
little inconvenient as the same signer needs to support multiple branches.

Disable DKMS nvidia build. We have our own separate setup for this (T26270).
Also disable vbox dkms build as it requires internet access during
the build process, unavailable on Debian & Endless.

Based on earlier changes by Dan Nicholson and others.
---
 .gitattributes                               |  1 +
 .gitignore                                   |  1 +
 certs/endless.pem                            | 19 ++++++++++++++++
 debian.master/config/config.common.ubuntu    |  2 +-
 debian.master/control.d/flavour-control.stub |  7 +++---
 debian.master/control.stub.in                |  2 --
 debian.master/rules.d/amd64.mk               |  2 +-
 debian.master/rules.d/armhf.mk               |  2 +-
 debian.master/rules.d/i386.mk                |  2 +-
 debian/rules                                 | 23 +++++++++++++++++++-
 debian/rules.d/0-common-vars.mk              | 10 ++-------
 debian/rules.d/2-binary-arch.mk              |  4 ----
 debian/tests/control                         |  1 -
 drivers/staging/signature-inclusion          |  3 +++
 14 files changed, 56 insertions(+), 23 deletions(-)
 create mode 100644 certs/endless.pem

diff --git a/.gitattributes b/.gitattributes
index 89c411b5ce6bb..0e05a981f2b46 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 *.c   diff=cpp
 *.h   diff=cpp
+debian.master/changelog merge=dpkg-mergechangelogs
diff --git a/.gitignore b/.gitignore
index 7be34dda024c0..45eb2ba83a48d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -88,6 +88,7 @@ modules.builtin
 !.get_maintainer.ignore
 !.gitattributes
 !.gitignore
+!.gitattributes
 !.mailmap
 
 #
diff --git a/certs/endless.pem b/certs/endless.pem
new file mode 100644
index 0000000000000..fb351026e9648
--- /dev/null
+++ b/certs/endless.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/jCCAeagAwIBAgIFAKvpTEYwDQYJKoZIhvcNAQELBQAwITEfMB0GA1UEAxMW
+RW5kbGVzcyBTZWN1cmUgQm9vdCBDQTAeFw0xNzEyMDExNzA2MDlaFw0xOTEyMDEx
+NzA2MDlaMCUxIzAhBgNVBAMTGkVuZGxlc3MgU2VjdXJlIEJvb3QgU2lnbmVyMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAypuOktPNFGgcPBuE6p81oA/N
+QKEgtNNDYVvDjNgV+uWMU6HYpxy5S08DOHMnOGqBSGKgbT7Lc3F7Ku3tB+NLfHXu
+nIfOMb4KwBagwPb+NyNggKFm1yG1IA0mfUY3LdlD6WeLupUpMcb1N2c+LGbiV75C
+2v9++P3rzwp/1ThIpBlb2XennDm0wnRtDtMnZMhfw4nnrjMBf3QHQ/30LCQ/K15T
+rLgFFEqX7ay2LQ68XaKcrwnJ5v/qjWpoS75nCxfwi1BKBKMYi5FSAVjrG4QhULMg
+RSj+Z20BsRQSAAjDISjmbPCTH9/D1TYlnbZ+LiRyku6XLuzIbZPtu4/84EL1cQID
+AQABozkwNzARBglghkgBhvhCAQEEBAMCBBAwFQYDVR0lBA4wDAYKKwYBBAGCNwoD
+ATALBgNVHQ8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBAFJJ+inyouuPSk9+KeEV
+DxAOq+SYlF2evJXEVTneizgJfeqwih9c1lYW3zMJjmf4dM/DmeTcAAgZJFSLDiS4
+SM/z9ork4sb0tHn7vc34vkMTLR3JGBfxz+z2RreTACXkyMIKbgux5PhYEeviL1S7
+k3AkgoG07f3pr/9UetqPALxOlMBKQGh73k/2XWVDSR+ce+ntxJA+xuEbQiApM65I
+V+HGDLblqJr0BnwKgrE/mllOnnyFLNLH+B4qKSzofAqtSN1gSV4rsuQU3sGD1Ebz
+GJH6xQ/AGcRt2a6ZSY+fLT7Njdcx19r5I2EjX9wcxx1aZ/q7Xr75xOGEvffMydy4
+Mic=
+-----END CERTIFICATE-----
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 6039887a121a6..75913266dbcdc 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -9693,7 +9693,7 @@ CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
-CONFIG_SYSTEM_TRUSTED_KEYS=""
+CONFIG_SYSTEM_TRUSTED_KEYS="certs/endless.pem"
 CONFIG_SYSVIPC=y
 CONFIG_SYSVIPC_COMPAT=y
 CONFIG_SYSVIPC_SYSCTL=y
diff --git a/debian.master/control.d/flavour-control.stub b/debian.master/control.d/flavour-control.stub
index ee041f9f060a2..1aee4158c5e76 100644
--- a/debian.master/control.d/flavour-control.stub
+++ b/debian.master/control.d/flavour-control.stub
@@ -27,11 +27,12 @@ Architecture: ARCH
 Section: kernel
 Priority: optional
 Provides: linux-image, fuse-module, aufs-dkms, =PROVIDES=${linux:rprovides}
-Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base (>= 4.5ubuntu1~16.04.1), linux-modules-PKGVER-ABINUM-FLAVOUR
+Depends: ${misc:Depends}, ${shlibs:Depends}, kmod, linux-base, linux-modules-PKGVER-ABINUM-FLAVOUR
 Recommends: BOOTLOADER, initramfs-tools | linux-initramfs-tool
 Breaks: flash-kernel (<< 3.90ubuntu2) [arm64 armhf], s390-tools (<< 2.3.0-0ubuntu3) [s390x]
-Conflicts: linux-image=SIGN-PEER-PKG=-PKGVER-ABINUM-FLAVOUR
+Conflicts: linux-signed-image-PKGVER-ABINUM-FLAVOUR
 Suggests: fdutils, SRCPKGNAME-doc-PKGVER | SRCPKGNAME-source-PKGVER, SRCPKGNAME-tools, linux-headers-PKGVER-ABINUM-FLAVOUR
+Replaces: linux-signed-image-PKGVER-ABINUM-FLAVOUR
 Description: Linux kernel image for version PKGVER on DESC
  This package contains the=SIGN-ME-TXT= Linux kernel image for version PKGVER on
  DESC.
@@ -69,7 +70,7 @@ Build-Profiles: <!stage1>
 Architecture: ARCH
 Section: kernel
 Priority: optional
-Depends: ${misc:Depends}, ${shlibs:Depends}, linux-image-PKGVER-ABINUM-FLAVOUR | linux-image-unsigned-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
+Depends: ${misc:Depends}, ${shlibs:Depends}, linux-signed-image-PKGVER-ABINUM-FLAVOUR (= ${source:Version}) [amd64] | linux-image-PKGVER-ABINUM-FLAVOUR, crda | wireless-crda
 Description: Linux kernel extra modules for version PKGVER on DESC
  This package contains the Linux kernel extra modules for version PKGVER on
  DESC.
diff --git a/debian.master/control.stub.in b/debian.master/control.stub.in
index 04d677f8b7179..bd1bf1749fb15 100644
--- a/debian.master/control.stub.in
+++ b/debian.master/control.stub.in
@@ -40,8 +40,6 @@ Build-Depends:
  wget <!stage1>,
 Build-Depends-Indep:
  xmlto <!stage1>,
- docbook-utils <!stage1>,
- ghostscript <!stage1>,
  fig2dev <!stage1>,
  bzip2 <!stage1>,
  sharutils <!stage1>,
diff --git a/debian.master/rules.d/amd64.mk b/debian.master/rules.d/amd64.mk
index d17467e63683a..63db030649ba3 100644
--- a/debian.master/rules.d/amd64.mk
+++ b/debian.master/rules.d/amd64.mk
@@ -2,7 +2,7 @@ human_arch	= 64 bit x86
 build_arch	= x86
 header_arch	= $(build_arch)
 defconfig	= defconfig
-flavours	= generic lowlatency
+flavours	= generic
 build_image	= bzImage
 kernel_file	= arch/$(build_arch)/boot/bzImage
 install_file	= vmlinuz
diff --git a/debian.master/rules.d/armhf.mk b/debian.master/rules.d/armhf.mk
index d516ae13454c9..e172f52c25bf3 100644
--- a/debian.master/rules.d/armhf.mk
+++ b/debian.master/rules.d/armhf.mk
@@ -2,7 +2,7 @@ human_arch	= ARM (hard float)
 build_arch	= arm
 header_arch	= arm
 defconfig	= defconfig
-flavours	= generic generic-lpae
+flavours	= generic
 build_image	= zImage
 kernel_file	= arch/$(build_arch)/boot/zImage
 install_file	= vmlinuz
diff --git a/debian.master/rules.d/i386.mk b/debian.master/rules.d/i386.mk
index ca34b9759d1ed..58bd8f13621b2 100644
--- a/debian.master/rules.d/i386.mk
+++ b/debian.master/rules.d/i386.mk
@@ -2,7 +2,7 @@ human_arch	= 32 bit x86
 build_arch	= i386
 header_arch	= $(build_arch)
 defconfig	= defconfig
-flavours        = generic lowlatency
+flavours        = generic
 build_image	= bzImage
 kernel_file	= arch/$(build_arch)/boot/bzImage
 install_file	= vmlinuz
diff --git a/debian/rules b/debian/rules
index 0953195f5ab18..df6bcee0b82cc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -39,6 +39,16 @@ do_tools_common?=true
 do_tools_host?=false
 do_tools_perf_jvmti?=false
 
+# Endless customizations
+skipabi=true
+skipmodule=true
+skipretpoline=true
+do_cloud_tools=false
+do_doc_package=false
+do_zfs=false
+do_dkms_nvidia=false
+do_dkms_vbox=false
+
 # Don't build tools or udebs in a cross compile environment.
 ifneq ($(DEB_HOST_ARCH),$(DEB_BUILD_ARCH))
 	do_tools=false
@@ -50,6 +60,7 @@ endif
 
 # Are any of the kernel signing options enabled.
 any_signed=$(sort $(filter-out false,$(uefi_signed) $(opal_signed)))
+any_signed=false
 ifeq ($(any_signed),true)
 bin_pkg_name=$(bin_pkg_name_unsigned)
 else
@@ -135,7 +146,17 @@ clean: debian/control
 
 	# This gets rid of the d-i packages in control
 	cp -f $(DEBIAN)/control.stub $(DROOT)/control
-	cp $(DEBIAN)/changelog debian/changelog
+
+	# Hack: OBS adds a new version in debian/changelog. We want to
+	# preserve that, but most of the rules read from the master
+	# changelog. Keep them in sync here and preserve timestamps.
+	if [ ! -f debian/changelog ]; then \
+		cp -p $(DEBIAN)/changelog debian/changelog; \
+	elif [ $(DEBIAN)/changelog -nt debian/changelog ]; then \
+		cp -p $(DEBIAN)/changelog debian/changelog; \
+	elif [ debian/changelog -nt $(DEBIAN)/changelog ]; then \
+		cp -p debian/changelog $(DEBIAN)/changelog; \
+	fi
 
 	# Install the copyright information.
 	cp $(DEBIAN)/copyright debian/copyright
diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk
index bcab5749f8aa5..e684c7b3e8e36 100644
--- a/debian/rules.d/0-common-vars.mk
+++ b/debian/rules.d/0-common-vars.mk
@@ -79,7 +79,7 @@ abi_release	:= $(release)-$(abinum)
 
 uploadnum	:= $(shell echo $(revision) | sed -r -e 's/[^\+~]*\.([^\.~]+(~.*)?(\+.*)?$$)/\1/')
 ifneq ($(full_build),false)
-  uploadnum	:= $(uploadnum)-Ubuntu
+  uploadnum	:= $(uploadnum)-Endless
 endif
 
 # XXX: linux-libc-dev got bumped to -803.N inadvertantly by a ti-omap4 upload
@@ -153,15 +153,9 @@ do_doc_package_content=false
 endif
 doc_pkg_name=$(src_pkg_name)-doc
 
-#
-# Similarly with the linux-source package, you need not build it as a developer. Its
-# somewhat I/O intensive and utterly useless.
-#
+# linux-source is used to build cross-compilers, default to building it.
 do_source_package=true
 do_source_package_content=true
-ifeq ($(full_build),false)
-do_source_package_content=false
-endif
 
 # linux-libc-dev may not be needed, default to building it.
 do_libc_dev_package=true
diff --git a/debian/rules.d/2-binary-arch.mk b/debian/rules.d/2-binary-arch.mk
index f3ab06748cf69..8774560b497d0 100644
--- a/debian/rules.d/2-binary-arch.mk
+++ b/debian/rules.d/2-binary-arch.mk
@@ -752,11 +752,7 @@ build-arch-deps-$(do_flavour_image_package) += $(addprefix $(stampdir)/stamp-bui
 build-arch: $(build-arch-deps-true)
 	@echo Debug: $@
 
-ifeq ($(AUTOBUILD),)
-binary-arch-deps-$(do_flavour_image_package) += binary-udebs
-else
 binary-arch-deps-$(do_flavour_image_package) = binary-debs
-endif
 binary-arch-deps-$(do_libc_dev_package) += binary-arch-headers
 ifneq ($(do_common_headers_indep),true)
 binary-arch-deps-$(do_flavour_header_package) += binary-headers
diff --git a/debian/tests/control b/debian/tests/control
index 4b80100ceb663..d8f4bfb6bd311 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -3,5 +3,4 @@ Depends: @builddeps@, fakeroot
 Restrictions: allow-stderr, skippable
 
 Tests: ubuntu-regression-suite
-Depends: build-essential, gcc-multilib [amd64 armhf i386], gdb, git, bzr
 Restrictions: allow-stderr, isolation-machine, breaks-testbed, skippable
diff --git a/drivers/staging/signature-inclusion b/drivers/staging/signature-inclusion
index f7f19616a9fcc..e67aafb9b2906 100644
--- a/drivers/staging/signature-inclusion
+++ b/drivers/staging/signature-inclusion
@@ -17,3 +17,6 @@ rtllib_crypt_ccmp.ko
 rtllib_crypt_tkip.ko
 rtllib_crypt_wep.ko
 rtllib.ko
+r8723bs.ko
+r8822be.ko
+vboxvideo.ko