Apply mkdebian changes to 6.6

And adapt build-kernel.sh to copy those in as desired.

Dockerfile

@@ -35,7 +35,7 @@ RUN groupadd -g ${GID} ${USERNAME} && useradd -m -d /home/${USERNAME} -g ${GID}
 
 COPY build-kernel.sh /usr/local/bin/build-kernel.sh
 COPY grsecurity-urls.py /usr/local/bin/grsecurity-urls.py
-COPY scripts/mkdebian /usr/local/bin/mkdebian
+COPY scripts/ /scripts
 
 COPY securedrop-grsec /securedrop-grsec
 COPY securedrop-workstation-grsec /securedrop-workstation-grsec

build-kernel.sh

@@ -73,7 +73,11 @@ if [[ -e /patches-grsec && -n "$GRSECURITY" && "$GRSECURITY" = "1" ]]; then
 fi
 
 echo "Copying in our mkdebian"
-cp /usr/local/bin/mkdebian scripts/package/mkdebian
+cp "/scripts/mkdebian-${LINUX_MAJOR_VERSION}" scripts/package/mkdebian
+if [[ -f "/scripts/rules-${LINUX_MAJOR_VERSION}" ]]; then
+    echo "Copying in our debian/rules"
+    cp "/scripts/rules-${LINUX_MAJOR_VERSION}" scripts/package/debian/rules
+fi
 
 if [[ "$LOCALVERSION" = "-workstation" ]]; then
     echo "Copying in our securedrop-workstation-grsec"

scripts/mkdebian-6.6

@@ -0,0 +1,311 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# Copyright 2003 Wichert Akkerman <[email protected]>
+#
+# Simple script to generate a debian/ directory for a Linux kernel.
+
+set -e
+
+is_enabled() {
+	grep -q "^$1=y" include/config/auto.conf
+}
+
+if_enabled_echo() {
+	if is_enabled "$1"; then
+		echo -n "$2"
+	elif [ $# -ge 3 ]; then
+		echo -n "$3"
+	fi
+}
+
+set_debarch() {
+	if [ -n "$KBUILD_DEBARCH" ] ; then
+		debarch="$KBUILD_DEBARCH"
+		return
+	fi
+
+	# Attempt to find the correct Debian architecture
+	case "$UTS_MACHINE" in
+	i386|ia64|alpha|m68k|riscv*)
+		debarch="$UTS_MACHINE" ;;
+	x86_64)
+		debarch=amd64 ;;
+	sparc*)
+		debarch=sparc$(if_enabled_echo CONFIG_64BIT 64) ;;
+	s390*)
+		debarch=s390x ;;
+	ppc*)
+		if is_enabled CONFIG_64BIT; then
+			debarch=ppc64$(if_enabled_echo CONFIG_CPU_LITTLE_ENDIAN el)
+		else
+			debarch=powerpc$(if_enabled_echo CONFIG_SPE spe)
+		fi
+		;;
+	parisc*)
+		debarch=hppa ;;
+	mips*)
+		if is_enabled CONFIG_CPU_LITTLE_ENDIAN; then
+			debarch=mips$(if_enabled_echo CONFIG_64BIT 64)$(if_enabled_echo CONFIG_CPU_MIPSR6 r6)el
+		elif is_enabled CONFIG_CPU_MIPSR6; then
+			debarch=mips$(if_enabled_echo CONFIG_64BIT 64)r6
+		else
+			debarch=mips
+		fi
+		;;
+	aarch64|arm64)
+		debarch=arm64 ;;
+	arm*)
+		if is_enabled CONFIG_AEABI; then
+			debarch=arm$(if_enabled_echo CONFIG_VFP hf el)
+		else
+			debarch=arm
+		fi
+		;;
+	openrisc)
+		debarch=or1k ;;
+	sh)
+		if is_enabled CONFIG_CPU_SH3; then
+			debarch=sh3$(if_enabled_echo CONFIG_CPU_BIG_ENDIAN eb)
+		elif is_enabled CONFIG_CPU_SH4; then
+			debarch=sh4$(if_enabled_echo CONFIG_CPU_BIG_ENDIAN eb)
+		fi
+		;;
+	esac
+	if [ -z "$debarch" ]; then
+		debarch=$(dpkg-architecture -qDEB_HOST_ARCH)
+		echo "" >&2
+		echo "** ** **  WARNING  ** ** **" >&2
+		echo "" >&2
+		echo "Your architecture doesn't have its equivalent" >&2
+		echo "Debian userspace architecture defined!" >&2
+		echo "Falling back to the current host architecture ($debarch)." >&2
+		echo "Please add support for $UTS_MACHINE to ${0} ..." >&2
+		echo "" >&2
+	fi
+}
+
+# Create debian/source/ if it is a source package build
+gen_source ()
+{
+	mkdir -p debian/source
+
+	echo "3.0 (quilt)" > debian/source/format
+
+	{
+		echo "diff-ignore"
+		echo "extend-diff-ignore = .*"
+	} > debian/source/local-options
+
+	# Add .config as a patch
+	mkdir -p debian/patches
+	{
+		echo "Subject: Add .config"
+		echo "Author: ${maintainer}"
+		echo
+		echo "--- /dev/null"
+		echo "+++ linux/.config"
+		diff -u /dev/null "${KCONFIG_CONFIG}" | tail -n +3
+	} > debian/patches/config.patch
+	echo config.patch > debian/patches/series
+
+	"${srctree}/scripts/package/gen-diff-patch" debian/patches/diff.patch
+	if [ -s debian/patches/diff.patch ]; then
+		sed -i "
+			1iSubject: Add local diff
+			1iAuthor: ${maintainer}
+			1i
+		" debian/patches/diff.patch
+
+		echo diff.patch >> debian/patches/series
+	else
+		rm -f debian/patches/diff.patch
+	fi
+}
+
+rm -rf debian
+mkdir debian
+
+email=${DEBEMAIL-$EMAIL}
+
+# use email string directly if it contains <email>
+if echo "${email}" | grep -q '<.*>'; then
+	maintainer=${email}
+else
+	# or construct the maintainer string
+	user=${KBUILD_BUILD_USER-$(id -nu)}
+	name=${DEBFULLNAME-${user}}
+	if [ -z "${email}" ]; then
+		buildhost=${KBUILD_BUILD_HOST-$(hostname -f 2>/dev/null || hostname)}
+		email="${user}@${buildhost}"
+	fi
+	maintainer="${name} <${email}>"
+fi
+
+if [ "$1" = --need-source ]; then
+	gen_source
+fi
+
+# Some variables and settings used throughout the script
+version=$KERNELRELEASE
+if [ -n "$KDEB_PKGVERSION" ]; then
+	packageversion=$KDEB_PKGVERSION
+else
+	packageversion=$(${srctree}/scripts/setlocalversion --no-local ${srctree})-$($srctree/init/build-version)
+fi
+sourcename=${KDEB_SOURCENAME:-linux-upstream}
+
+if [ "$ARCH" = "um" ] ; then
+	packagename=user-mode-linux
+else
+	packagename=linux-image
+fi
+
+debarch=
+set_debarch
+
+# Try to determine distribution
+if [ -n "$KDEB_CHANGELOG_DIST" ]; then
+        distribution=$KDEB_CHANGELOG_DIST
+# In some cases lsb_release returns the codename as n/a, which breaks dpkg-parsechangelog
+elif distribution=$(lsb_release -cs 2>/dev/null) && [ -n "$distribution" ] && [ "$distribution" != "n/a" ]; then
+        : # nothing to do in this case
+else
+        distribution="unstable"
+        echo >&2 "Using default distribution of 'unstable' in the changelog"
+        echo >&2 "Install lsb-release or set \$KDEB_CHANGELOG_DIST explicitly"
+fi
+
+echo $debarch > debian/arch
+extra_build_depends=", $(if_enabled_echo CONFIG_UNWINDER_ORC libelf-dev:native)"
+extra_build_depends="$extra_build_depends, $(if_enabled_echo CONFIG_SYSTEM_TRUSTED_KEYRING libssl-dev:native)"
+
+# Support SOURCE_DATE_EPOCH in changelog for reproducible builds
+packagetimestamp_opts=
+if [ -n "$SOURCE_DATE_EPOCH" ]; then
+    packagetimestamp_opts="-d @$SOURCE_DATE_EPOCH"
+fi
+packagetimestamp="$(date -R $packagetimestamp_opts)"
+
+# Generate a simple changelog template
+cat <<EOF > debian/changelog
+$sourcename ($packageversion) $distribution; urgency=low
+
+  * Custom built Linux kernel.
+
+ -- $maintainer  $(date -R)
+EOF
+
+# Generate copyright file
+cat <<EOF > debian/copyright
+This is a packaged upstream version of the Linux kernel.
+
+Please see <https://github.com/freedomofpress/securedrop/blob/develop/SOURCE_OFFER>
+for information on how to obtain the source code for this kernel build.
+
+Copyright: 1991 - 2024 Linus Torvalds and others.
+
+The git repository for mainline kernel development is at:
+git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; version 2 dated June, 1991.
+
+On Debian GNU/Linux systems, the complete text of the GNU General Public
+License version 2 can be found in \`/usr/share/common-licenses/GPL-2'.
+EOF
+
+# Generate a control file
+cat <<EOF > debian/control
+Source: $sourcename
+Section: kernel
+Priority: optional
+Maintainer: $maintainer
+Rules-Requires-Root: no
+Build-Depends: bc, debhelper, rsync, kmod, cpio, bison, flex $extra_build_depends
+Homepage: https://securedrop.org/
+
+Package: $packagename-$version
+Architecture: $debarch
+Description: Linux kernel, version $version
+ This package contains the Linux kernel, modules and corresponding other
+ files, version: $version.
+EOF
+
+if [ "${SRCARCH}" != um ]; then
+cat <<EOF >> debian/control
+
+Package: linux-libc-dev
+Section: devel
+Provides: linux-kernel-headers
+Architecture: $debarch
+Description: Linux support headers for userspace development
+ This package provides userspaces headers from the Linux kernel.  These headers
+ are used by the installed headers for GNU glibc and other system libraries.
+Multi-Arch: same
+EOF
+
+if [ "$LOCALVERSION" = "-workstation" ]; then
+    metapackage="securedrop-workstation-grsec"
+cat <<EOF >> debian/control
+
+Package: securedrop-workstation-grsec
+Section: admin
+Architecture: $debarch
+Pre-Depends: qubes-kernel-vm-support (>=4.0.31)
+Depends: $packagename-$version, libelf-dev, paxctld
+Description: Linux for SecureDrop Workstation template (meta-package)
+ Metapackage providing a grsecurity-patched Linux kernel for use in SecureDrop
+ Workstation Qubes templates. Depends on the most recently built patched kernel
+ maintained by FPF.
+
+EOF
+else
+    metapackage="securedrop-grsec"
+cat <<EOF >> debian/control
+
+Package: securedrop-grsec
+Section: admin
+Architecture: $debarch
+Depends: $packagename-$version, intel-microcode, amd64-microcode, paxctld
+Description: Metapackage providing a grsecurity-patched Linux kernel for use
+ with SecureDrop. Depends on the most recently built patched kernel maintained
+ by FPF. Package also includes sysctl and PaX flags calls for GRUB.
+
+EOF
+fi
+
+if is_enabled CONFIG_MODULES; then
+cat <<EOF >> debian/control
+
+Package: linux-headers-$version
+Architecture: $debarch
+Description: Linux kernel headers for $version on $debarch
+ This package provides kernel header files for $version on $debarch
+ .
+ This is useful for people who need to build external modules
+EOF
+fi
+fi
+
+if is_enabled CONFIG_DEBUG_INFO; then
+cat <<EOF >> debian/control
+
+Package: linux-image-$version-dbg
+Section: debug
+Architecture: $debarch
+Description: Linux kernel debugging symbols for $version
+ This package will come in handy if you need to debug the kernel. It provides
+ all the necessary debug symbols for the kernel and its modules.
+EOF
+fi
+
+cat <<EOF > debian/rules.vars
+ARCH := ${ARCH}
+KERNELRELEASE := ${KERNELRELEASE}
+EOF
+
+cp "${srctree}/scripts/package/debian/rules" debian/
+
+exit 0

scripts/rules-6.6

@@ -0,0 +1,37 @@
+#!/usr/bin/make -f
+# SPDX-License-Identifier: GPL-2.0-only
+
+include debian/rules.vars
+
+srctree ?= .
+
+ifneq (,$(filter-out parallel=1,$(filter parallel=%,$(DEB_BUILD_OPTIONS))))
+    NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
+    MAKEFLAGS += -j$(NUMJOBS)
+endif
+
+.PHONY: binary binary-indep binary-arch
+binary: binary-arch binary-indep
+binary-indep: build-indep
+binary-arch: build-arch
+	$(MAKE) -f $(srctree)/Makefile ARCH=$(ARCH) \
+	KERNELRELEASE=$(KERNELRELEASE) \
+	run-command KBUILD_RUN_COMMAND=+$(srctree)/scripts/package/builddeb
+
+.PHONY: build build-indep build-arch
+build: build-arch build-indep
+build-indep:
+build-arch:
+	$(MAKE) -f $(srctree)/Makefile ARCH=$(ARCH) \
+	KERNELRELEASE=$(KERNELRELEASE) \
+	$(shell $(srctree)/scripts/package/deb-build-option) \
+	olddefconfig all
+	sed -i s/#DEB_VERSION_UPSTREAM#/${version}/ debian/$metapackage/DEBIAN/postinst
+	chmod 775 debian/$metapackage/DEBIAN/postinst
+	dpkg-gencontrol -p$metapackage -P"debian/$metapackage"
+	dpkg-deb --root-owner-group --build "debian/$metapackage" ..
+
+.PHONY: clean
+clean:
+	rm -rf debian/files debian/linux-*
+	$(MAKE) -f $(srctree)/Makefile ARCH=$(ARCH) clean