Retrofit 5.15 support

* Allow varying the base distro in the Dockerfile * Add conditionals to d/rules to vary how we build the kernel packages * Add tinyconfig from 5.15.153
freedomofpress · Apr 1, 2024 · 9dde4a0 · 9dde4a0
1 parent cdc93c7
commit 9dde4a0
Show file tree

Hide file tree

Showing 7 changed files with 221 additions and 149 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
-# debian:buster 2021-12-20
-FROM debian:bookworm
+ARG BUILD_DISTRO=bookworm
+FROM debian:$BUILD_DISTRO
 
 ARG UID=1000
 ARG GID=1000
@@ -17,7 +17,6 @@ RUN apt-get update && \
     debhelper \
     fakeroot \
     flex \
-    gcc-12-plugin-dev \
     git \
     kmod \
     libelf-dev \
@@ -30,6 +29,9 @@ RUN apt-get update && \
     rsync \
     wget \
     xz-utils
+# See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657962, there's no
+# unversioned name for this package
+RUN apt-get install --yes gcc-$(gcc -dumpversion)-plugin-dev
 
 RUN groupadd -g ${GID} ${USERNAME} && useradd -m -d /home/${USERNAME} -g ${GID} -u ${UID} ${USERNAME}
 

diff --git a/Makefile b/Makefile
@@ -3,10 +3,12 @@ IMG_NAME = fpf.local/kernel-builder
 SCRIPT_OUTPUT_PREFIX=$(PWD)/build/$(shell date +%Y%m%d)
 SCRIPT_OUTPUT_EXT=log
 
-.PHONY: vanilla
-vanilla: OUT:=$(SCRIPT_OUTPUT_PREFIX)-vanilla.$(SCRIPT_OUTPUT_EXT)
-vanilla: ## Builds latest stable kernel, unpatched
-	LINUX_MAJOR_VERSION="5.15" \
+.PHONY: tiny-5.15
+tiny-5.15: OUT:=$(SCRIPT_OUTPUT_PREFIX)-tiny-5.15.$(SCRIPT_OUTPUT_EXT)
+tiny-5.15: ## Builds latest 5.15 kernel, unpatched
+	LINUX_MAJOR_VERSION="5.15" LOCALVERSION="tiny" \
+		BUILD_DISTRO="buster" \
+		LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/tinyconfig-5.15" \
 		script \
 		--command ./scripts/build-kernel-wrapper \
 		--return \
@@ -45,6 +47,7 @@ reprotest-sd: ## DEBUG Builds SD kernel config without grsec in CI
 securedrop-core-5.15: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-core-5.15.$(SCRIPT_OUTPUT_EXT)
 securedrop-core-5.15: ## Builds kernels for SecureDrop servers, 5.15.x
 	GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable6 LOCALVERSION="securedrop" \
+		BUILD_DISTRO="buster" \
 		LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/config-securedrop-5.15" \
 		LINUX_LOCAL_PATCHES_PATH="$(PWD)/patches" \
 		script \
@@ -55,6 +58,7 @@ securedrop-core-5.15: ## Builds kernels for SecureDrop servers, 5.15.x
 securedrop-workstation-5.15: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-workstation-5.15.$(SCRIPT_OUTPUT_EXT)
 securedrop-workstation-5.15: ## Builds kernels for SecureDrop Workstation, 5.15.x
 	GRSECURITY=1 GRSECURITY_PATCH_TYPE=stable6 LOCALVERSION="-workstation" \
+		BUILD_DISTRO="buster" \
 		LINUX_LOCAL_CONFIG_PATH="$(PWD)/configs/config-workstation-5.15" \
 		script \
 		--command ./scripts/build-kernel-wrapper \

diff --git a/build-kernel.py b/build-kernel.py
@@ -143,6 +143,8 @@ def main():
         "local_version": local_version,
     }
 
+    # TODO: d/arch is only needed for 5.15 kernels
+    render_template("debian/arch", template_variables)
     render_template("debian/control", template_variables)
     render_template("debian/changelog", template_variables)
     render_template("debian/rules.vars", template_variables)