public inbox for pve-devel@lists.proxmox.com
* [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename
@ 2023-07-18  9:10 Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
                   ` (8 more replies)
  0 siblings, 9 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

this series enables lockdown and module signing in our kernel build.

since that effectively means every kernel build is an ABI bump, it also
uses this opportunity to fold in the kernel meta packages into the
pve-kernel git repo and source package, since those packages now always
need to be bumped together anyway, instead of only most of the time.

because the old kernel meta packages had a higher number (8.x) than the kernel
packages themselves (6.2.16-Y), and the kernel package versioning is now shared
by the integrated meta packages (which would require an epoch to work for
upgrading), it also does the long-planned rename from 'pve-' prefix to
'proxmox-' prefix.

the actual kernel config change was tested by both Wolfgang and me (docs
incoming ;)), the rename only by me, I hope I haven't missed anything.

order of bumps:

pve-manager, proxmox-backup, pmg-api, proxmox-kernel-helper
 => only support for new package names, no deps on anything
pve-kernel
 => breaks/replaces old pve-kernel-meta packages since it takes them over
 => depended on by product meta packages to ensure upgrade happens
proxmox-ve/proxmox-backup-meta/proxmox-mailgateway
 => depend on new kernel/headers meta packages (included)
 => possibly depend on bumped pve-manager/proxmox-backup-server/pmg-api (not)

only sent to pve-devel, obviously parts apply to PBS/PMG instead..





* [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-25 15:06   ` Thomas Lamprecht
  2023-07-18  9:10 ` [pve-devel] [PATCH proxmox-backup] " Fabian Grünbichler
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
the proxmox-mailgateway meta package could get a versioned dep on
pmg-api with this change, but it's not strictly required.

 src/PMG/API2/APT.pm       | 2 +-
 src/PMG/CLI/pmg7to8.pm    | 2 +-
 src/PMG/CLI/pmgupgrade.pm | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/PMG/API2/APT.pm b/src/PMG/API2/APT.pm
index 7fc7c29..bcd749b 100644
--- a/src/PMG/API2/APT.pm
+++ b/src/PMG/API2/APT.pm
@@ -789,7 +789,7 @@ __PACKAGE__->register_method({
 
 	my $aptver = $AptPkg::System::_system->versioning();
 	my $byver = sub { $aptver->compare($cache->{$b}->{CurrentVer}->{VerStr}, $cache->{$a}->{CurrentVer}->{VerStr}) };
-	push @list, sort $byver grep { /^pve-kernel-/ && $cache->{$_}->{CurrentState} eq 'Installed' } keys %$cache;
+	push @list, sort $byver grep { /^(?:pve|proxmox)-kernel-/ && $cache->{$_}->{CurrentState} eq 'Installed' } keys %$cache;
 
 	my @opt_pack = qw(
 	    ifupdown
diff --git a/src/PMG/CLI/pmg7to8.pm b/src/PMG/CLI/pmg7to8.pm
index 85e9f16..8cccde1 100644
--- a/src/PMG/CLI/pmg7to8.pm
+++ b/src/PMG/CLI/pmg7to8.pm
@@ -193,7 +193,7 @@ sub check_pmg_packages {
 	}
 
 	# FIXME: better differentiate between 6.2 from bullseye or bookworm
-	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'pve-kernel-6.2');
+	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'proxmox-kernel-6.2');
 	if (!$upgraded) {
 	    # we got a few that avoided 5.15 in cluster with mixed CPUs, so allow older too
 	    ($krunning, $kinstalled) = (qr/(?:5\.(?:13|15)|6\.2)/, 'pve-kernel-5.15');
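Review bot: in the `$upgraded` case `$kinstalled` now names only 'proxmox-kernel-6.2', while the APT.pm hunk in this same patch accepts both prefixes. If the check that consumes `$kinstalled` compares it against installed package names, a host already on the new release that still has only pve-kernel-6.2 installed would be reported as lacking the kernel meta package. Either accept both names here or say in the commit message that flagging such hosts is intended.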
diff --git a/src/PMG/CLI/pmgupgrade.pm b/src/PMG/CLI/pmgupgrade.pm
index 50fbcbd..56d9c87 100755
--- a/src/PMG/CLI/pmgupgrade.pm
+++ b/src/PMG/CLI/pmgupgrade.pm
@@ -66,7 +66,7 @@ __PACKAGE__->register_method ({
 
 	my $newkernel;
 	foreach my $p (@$oldlist) {
-	    if (($p->{Package} =~ m/^pve-kernel/) &&
+	    if (($p->{Package} =~ m/^(:?pve|proxmox)-kernel/) &&
 		!grep { $_->{Package} eq $p->{Package} } @$pkglist) {
 		$newkernel = 1;
 		last;
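Review bot: the group in the new pattern is written `(:?pve|proxmox)`, which is a capturing group with an optional literal colon, not the non-capturing `(?:pve|proxmox)` used in the APT.pm hunk. It still matches both prefixes, but it also accepts a name beginning with ":pve-kernel" and sets $1 as a side effect. Change it to `m/^(?:pve|proxmox)-kernel/`.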
-- 
2.39.2






* [pve-devel] [PATCH proxmox-backup] handle pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
the meta package could get a versioned dep on the proxmox-backup-server
package containing this change, but it is not strictly required.

 docs/system-booting.rst | 2 +-
 src/api2/node/apt.rs    | 3 ++-
 src/bin/pbs2to3.rs      | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/docs/system-booting.rst b/docs/system-booting.rst
index caf46303..b9631c9e 100644
--- a/docs/system-booting.rst
+++ b/docs/system-booting.rst
@@ -84,7 +84,7 @@ Setting up a New Partition for use as Synced ESP
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To format and initialize a partition as synced ESP, for example, after replacing a
-failed vdev in an rpool, ``proxmox-boot-tool`` from ``pve-kernel-helper`` can be used.
+failed vdev in an rpool, ``proxmox-boot-tool`` from ``proxmox-kernel-helper`` can be used.
 
 WARNING: the ``format`` command will format the ``<partition>``. Make sure to pass
 in the right device/partition!
diff --git a/src/api2/node/apt.rs b/src/api2/node/apt.rs
index f7328b81..8e4f150d 100644
--- a/src/api2/node/apt.rs
+++ b/src/api2/node/apt.rs
@@ -354,7 +354,8 @@ pub fn get_versions() -> Result<Vec<APTUpdateInfo>, Error> {
         }
     }
 
-    let is_kernel = |name: &str| name.starts_with("pve-kernel-");
+    let is_kernel =
+        |name: &str| name.starts_with("pve-kernel-") || name.starts_with("proxmox-kernel");
 
     let mut packages: Vec<APTUpdateInfo> = Vec::new();
     let pbs_packages = apt::list_installed_apt_packages(
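Review bot: the two prefixes in the new `is_kernel` closure are not parallel: "pve-kernel-" carries the trailing dash and "proxmox-kernel" does not. Use "proxmox-kernel-" so both arms match the same shape of name. Either form also matches the proxmox-kernel-helper package named elsewhere in this series, so a short comment on whether that is wanted would help.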
diff --git a/src/bin/pbs2to3.rs b/src/bin/pbs2to3.rs
index 93191fb4..a052ae3a 100644
--- a/src/bin/pbs2to3.rs
+++ b/src/bin/pbs2to3.rs
@@ -131,7 +131,7 @@ impl Checker {
         let (krunning, kinstalled) = if self.upgraded {
             (
                 Regex::new(r"^6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$")?,
-                "pve-kernel-6.2",
+                "proxmox-kernel-6.2",
             )
         } else {
             (Regex::new(r"^(?:5\.(?:13|15)|6\.2)")?, "pve-kernel-5.15")
-- 
2.39.2






* [pve-devel] [PATCH] switch to proxmox-kernel-6.2
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH proxmox-backup] " Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-18 13:00   ` [pve-devel] [PATCH proxmox-backup-meta] " Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

and force upgrade of proxmox-kernel-helper with support for the new package
names.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    we could add a pbs-headers meta package here if desired
    the dep on proxmox-backup-server could get a minimum version

 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/control b/debian/control
index 83b55f8..abbbaa3 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Architecture: all
 Depends: proxmox-archive-keyring,
          proxmox-backup-client,
          proxmox-backup-server,
-         proxmox-kernel-helper,
-         pve-kernel-6.2,
+         proxmox-kernel-helper (>= 8.0.3),
+         proxmox-kernel-6.2,
 Description: Proxmox Backup Server meta package
  This is a meta package which will install everything needed to run a
  Proxmox Backup server. This package also depends on the latest
-- 
2.39.2






* [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (2 preceding siblings ...)
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-18 13:00   ` [pve-devel] [PATCH proxmox-kernel-helper] " Fabian Grünbichler
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

following the rename in our kernel packaging, otherwise the scripts here
wouldn't pick up the new kernels (except if currently booted).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 src/bin/proxmox-boot-tool             | 6 +++---
 src/proxmox-boot/functions            | 4 ++--
 src/proxmox-boot/proxmox-auto-removal | 3 ++-
 src/proxmox-boot/proxmox-boot-sync    | 2 +-
 4 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/bin/proxmox-boot-tool b/src/bin/proxmox-boot-tool
index 302974b..35fb721 100755
--- a/src/bin/proxmox-boot-tool
+++ b/src/bin/proxmox-boot-tool
@@ -361,7 +361,7 @@ help() {
 	echo ""
 	echo "USAGE: $0 init <partition>"
 	echo ""
-	echo "    initialize EFI system partition at <partition> for automatic synchronization of pve-kernels and their associated initrds."
+	echo "    initialize EFI system partition at <partition> for automatic synchronization of Proxmox kernels and their associated initrds."
 	echo ""
 	echo "USAGE: $0 reinit"
 	echo ""
@@ -377,12 +377,12 @@ help() {
 	echo ""
 	echo "USAGE: $0 kernel <add|remove> <kernel-version>"
 	echo ""
-	echo "    add/remove pve-kernel with ABI <kernel-version> to list of synced kernels, in addition to automatically selected ones."
+	echo "    add/remove proxmox-kernel with ABI <kernel-version> to list of synced kernels, in addition to automatically selected ones."
 	echo "    NOTE: you need to manually run 'refresh' once you're finished with adding/removing kernels from the list"
 	echo ""
 	echo "USAGE: $0 kernel pin <kernel-version> [--next-boot]"
 	echo ""
-	echo "    pin pve-kernel with ABI <kernel-version> as the default entry to be booted."
+	echo "    pin proxmox-kernel with ABI <kernel-version> as the default entry to be booted."
 	echo "    with --next-boot sets <kernel-version> only for the next boot."
 	echo "    NOTE: you need to manually run 'refresh' once you're finished with pinning kernels"
 	echo ""
diff --git a/src/proxmox-boot/functions b/src/proxmox-boot/functions
index 8193742..b55a164 100755
--- a/src/proxmox-boot/functions
+++ b/src/proxmox-boot/functions
@@ -30,8 +30,8 @@ kernel_keep_versions() {
 	eval "$(apt-config shell DPKG Dir::bin::dpkg/f)"
 	test -n "$DPKG" || DPKG="/usr/bin/dpkg"
 
-	list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+pve-kernel-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2; }' \
-	   | sed -e 's#^pve-kernel-##' -e 's#:[^:]\+ # #')"
+	list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(proxmox|pve)-kernel-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2; }' \
+	   | sed -e 's#^pve-kernel-##' -e 's#^proxmox-kernel-##' -e 's#:[^:]\+ # #')"
 
 	sorted_list="$(echo "$list" | sort --unique --reverse --version-sort)"
 
diff --git a/src/proxmox-boot/proxmox-auto-removal b/src/proxmox-boot/proxmox-auto-removal
index 8fd27ce..ef1b748 100755
--- a/src/proxmox-boot/proxmox-auto-removal
+++ b/src/proxmox-boot/proxmox-auto-removal
@@ -20,13 +20,14 @@ generate_apt_config() {
 	for kernel in $kernels; do
 		escaped_kver="$(echo "$kernel" |  sed -e 's#\([\.\+]\)#\\\1#g')"
 		echo "   \"^pve-kernel-${escaped_kver}$\";"
+		echo "   \"^proxmox-kernel-${escaped_kver}$\";"
 	done
 	echo '};'
 	if [ "${APT_AUTO_REMOVAL_KERNELS_DEBUG:-false}" = 'true' ]; then
 		cat <<-EOF
 		/* Debug information:
 		# dpkg list:
-		$(dpkg -l | grep -F 'pve-kernel' || true)
+		$(dpkg -l | grep -F -e 'pve-kernel' -e 'proxmox-kernel' || true)
 		# list of installed kernel packages:
 		$kernels
 		*/
diff --git a/src/proxmox-boot/proxmox-boot-sync b/src/proxmox-boot/proxmox-boot-sync
index 5bdd72e..3058fd9 100644
--- a/src/proxmox-boot/proxmox-boot-sync
+++ b/src/proxmox-boot/proxmox-boot-sync
@@ -4,7 +4,7 @@ set -e
 
 # Only run the refresh if update-initramfs has been called manually.
 # If this script is being run as part of a post-kernel-install hook,
-# this variable will be set to 1 and we do nothing, since our pve-kernel
+# this variable will be set to 1 and we do nothing, since our proxmox-kernel
 # hooks will update the ESPs all at once anyway.
 if [ -z "$INITRAMFS_TOOLS_KERNEL_HOOK" ]; then
 	/usr/sbin/proxmox-boot-tool refresh --hook 'zz-proxmox-boot'
-- 
2.39.2






* [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (3 preceding siblings ...)
  2023-07-18  9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-18 13:01   ` [pve-devel] [PATCH proxmox-mailgateway] " Fabian Grünbichler
  2023-07-25 15:12   ` [pve-devel] [PATCH] " Thomas Lamprecht
  2023-07-18  9:10 ` [pve-devel] [PATCH proxmox-ve] " Fabian Grünbichler
                   ` (3 subsequent siblings)
  8 siblings, 2 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

and force upgrade of proxmox-kernel-helper with support for the new package
names.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    we could rename pve-headers to pmg-headers and Provides/Replaces/Breaks pve-headers with a version guard here..
    the dependency on pmg-api could get a minimum version here

 debian/control | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/control b/debian/control
index 106e795..4d4c3af 100644
--- a/debian/control
+++ b/debian/control
@@ -10,8 +10,8 @@ Architecture: all
 Depends: pmg-api (>= 8.0~),
          pmg-gui (>= 4.0~),
          proxmox-archive-keyring,
-         proxmox-kernel-helper,
-         pve-kernel-6.2,
+         proxmox-kernel-helper (>= 8.0.3),
+         proxmox-kernel-6.2,
          ${misc:Depends},
 Description: Proxmox Mail Gateway
  The Proxmox Mail Gateway is an easy to use Open Source SMTP proxy,
@@ -21,7 +21,7 @@ Description: Proxmox Mail Gateway
 
 Package: pve-headers
 Architecture: all
-Depends: pve-headers-6.2, ${misc:Depends},
+Depends: proxmox-headers-6.2, ${misc:Depends},
 Description: Default Proxmox Kernel Headers
  This is a virtual package which will install the kernel headers for the
  current default kernel.
-- 
2.39.2






* [pve-devel] [PATCH proxmox-ve] switch to proxmox-kernel-6.2/proxmox-headers-6.2
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (4 preceding siblings ...)
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
@ 2023-07-18  9:10 ` Fabian Grünbichler
  2023-07-18  9:11 ` [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:10 UTC (permalink / raw)
  To: pve-devel

and force upgrade of proxmox-kernel-helper with support for the new package
names.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
    the dependency on pve-manager could get a minimum version here

 debian/changelog | 6 ++++++
 debian/control   | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 423944e..25d4a35 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+proxmox-ve (8.0.2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+
+ -- Proxmox Support Team <support@proxmox.com>  Tue, 18 Jul 2023 10:19:32 +0200
+
 proxmox-ve (8.0.1) bookworm; urgency=medium
 
   * switch dependency over to proxmox-kernel-helper package (again)
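Review bot: the new 8.0.2 changelog entry says only "Non-maintainer upload." and does not mention what this patch changes. Replace it with an entry describing the switch to proxmox-kernel-6.2/proxmox-headers-6.2 and the versioned proxmox-kernel-helper dependency, the way the 8.0.1 entry below describes its change.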
diff --git a/debian/control b/debian/control
index 3b146ae..672af11 100644
--- a/debian/control
+++ b/debian/control
@@ -13,8 +13,8 @@ Depends: apt,
          openssh-client,
          openssh-server,
          proxmox-archive-keyring,
-         proxmox-kernel-helper,
-         pve-kernel-6.2,
+         proxmox-kernel-helper (>= 8.0.3),
+         proxmox-kernel-6.2,
          pve-manager,
          pve-qemu-kvm,
          qemu-server,
@@ -27,7 +27,7 @@ Description: Proxmox Virtual Environment
 
 Package: pve-headers
 Architecture: all
-Depends: pve-headers-6.2, ${misc:Depends},
+Depends: proxmox-headers-6.2, ${misc:Depends},
 Description: Default Proxmox VE Kernel Headers
  This is a metapackage which will install the kernel headers for the
  current default kernel.
-- 
2.39.2






* [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (5 preceding siblings ...)
  2023-07-18  9:10 ` [pve-devel] [PATCH proxmox-ve] " Fabian Grünbichler
@ 2023-07-18  9:11 ` Fabian Grünbichler
  2023-07-18 13:02   ` [pve-devel] [PATCH pve-kernel " Fabian Grünbichler
  2023-07-18  9:11 ` [pve-devel] [PATCH 2/2] integrate meta packages and change prefix Fabian Grünbichler
  2023-07-18  9:11 ` [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
  8 siblings, 1 reply; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:11 UTC (permalink / raw)
  To: pve-devel; +Cc: Wolfgang Bumiller

this is required for secure boot support.

at build time, an ephemeral key pair will be generated and all built modules
will be signed with it. the private key is discarded, and the public key
embedded in the kernel image for signature validation at module load time.

these changes allow booting the built kernel in secure boot mode after manually
signing the kernel image with a trusted key (either MOK, or by enrolling custom
PK/KEK/db keys and signing the whole bootchain using them).

Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 debian/rules | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/debian/rules b/debian/rules
index 744e5cb..123c870 100755
--- a/debian/rules
+++ b/debian/rules
@@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
 -e CONFIG_SYSFB_SIMPLEFB \
 -e CONFIG_DRM_SIMPLEDRM \
--d CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG \
+-e CONFIG_MODULE_SIG_ALL \
+-e CONFIG_MODULE_SIG_FORMAT \
+--set-str CONFIG_MODULE_SIG_HASH sha512 \
+--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
+-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
+-e CONFIG_MODULE_SIG_SHA512 \
 -d CONFIG_MEMCG_DISABLED \
 -e CONFIG_MEMCG_SWAP_ENABLED \
 -e CONFIG_HYPERV \
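Review bot: this block enables module signing, but neither it nor the commit message says whether unsigned modules are still meant to load; CONFIG_MODULE_SIG_FORCE is not touched, so enforcement is left to lockdown. A comment next to `-e CONFIG_MODULE_SIG` stating that intent would make the policy explicit. CONFIG_MODULE_SIG_ALL is also enabled here while a separate sign-file pass is added after stripping further down, so a comment on why both are needed would save the next reader the question.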
@@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_UNWINDER_FRAME_POINTER \
 --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
 --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
--d CONFIG_SECURITY_LOCKDOWN_LSM \
--d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
---set-str CONFIG_LSM yama,integrity,apparmor \
+-e CONFIG_SECURITY_LOCKDOWN_LSM \
+-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
+--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
 -e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
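Review bot: adding `lockdown` to CONFIG_LSM and enabling the LSM does not say which lockdown mode a booted system ends up in, and none of the CONFIG_LOCK_DOWN_KERNEL_FORCE_* options is set in the visible lines. Document next to these lines when lockdown is expected to become active (only under Secure Boot, or always), since that is the behaviour change existing installs will see. The unchanged `CONFIG_SYSTEM_TRUSTED_KEYS ""` just above means the ephemeral build key is the only built-in module signer, which belongs in the same comment.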
@@ -163,6 +169,14 @@ endif
 
 	# strip debug info
 	find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
+
+	# sign modules using ephemeral, embedded key
+	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
+		find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
+			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
+		done; \
+		rm ./ubuntu-kernel/certs/signing_key.pem ; \
+	fi
 	# finalize
 	/sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
 	# Autogenerate blacklist for watchdog devices (see README)
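Review bot: a failing `sign-file` inside the `find ... | while read f` loop goes unnoticed, because the loop is followed by `done; \` and the recipe carries on to `rm` the key whatever the loop returned. Make the call `... "$$f" || exit 1 ; \` and join the loop to the `rm` with `&&` rather than `;`, so that a module that could not be signed fails the build instead of shipping unsigned. The private key is also only deleted inside this branch, so an aborted build leaves `signing_key.pem` in the tree; removing it from the clean target as well would cover that case.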
-- 
2.39.2
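
A check a packager could run after the strip-then-sign step described in this message, as an added example (not part of the patch or of the Proxmox build): it parses the trailer that the kernel's `scripts/sign-file` appends to a `.ko` and lists modules that lack a well-formed one. It checks structure only, not the PKCS#7 signature itself; the helper names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

# Layout written by scripts/sign-file: <module> <signature> <info struct> <magic>
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then sig_len as a big-endian 32-bit integer (12 bytes total).
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


class BadSignatureTrailer(ValueError):
    """The magic string is present but the info block is not plausible."""


def parse_trailer(image: bytes):
    """Return {'payload_len', 'sig_len'} for a signed module, None if unsigned."""
    if not image.endswith(MAGIC):
        return None
    info_end = len(image) - len(MAGIC)
    info_start = info_end - SIG_INFO.size
    if info_start < 0:
        raise BadSignatureTrailer("file too short for signature info")
    algo, hash_id, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        image[info_start:info_end]
    )
    if sig_len == 0 or sig_len > info_start:
        raise BadSignatureTrailer("sig_len does not fit in the file")
    if id_type != PKEY_ID_PKCS7:
        raise BadSignatureTrailer(f"unexpected id_type {id_type}")
    # For PKCS#7 signatures every other field of the info block must be zero.
    if algo or hash_id or signer_len or key_id_len:
        raise BadSignatureTrailer("non-zero reserved fields for PKCS#7")
    return {"payload_len": info_start - sig_len, "sig_len": sig_len}


def unsigned_modules(root):
    """Names of *.ko files under root with no trailer or a malformed one."""
    bad = []
    for ko in sorted(Path(root).rglob("*.ko")):
        try:
            if parse_trailer(ko.read_bytes()) is None:
                bad.append(ko.name)
        except BadSignatureTrailer:
            bad.append(ko.name)
    return bad


def make_sample(payload: bytes, sig: bytes) -> bytes:
    """Build a constructed 'signed module' image for testing the parser."""
    info = SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return payload + sig + info + MAGIC


if __name__ == "__main__":
    import sys

    # Usage: script.py <directory containing lib/modules>
    missing = unsigned_modules(sys.argv[1] if len(sys.argv) > 1 else ".")
    for name in missing:
        print("unsigned or malformed:", name)
    sys.exit(1 if missing else 0)
```

Pointed at the unpacked package tree, a non-empty result means at least one module would be refused when signature enforcement is active.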






* [pve-devel] [PATCH 2/2] integrate meta packages and change prefix
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (6 preceding siblings ...)
  2023-07-18  9:11 ` [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
@ 2023-07-18  9:11 ` Fabian Grünbichler
  2023-07-18  9:11 ` [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
  8 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:11 UTC (permalink / raw)
  To: pve-devel

long overdue, and avoids the issue of the meta packages version going down
after being folded in from the pve-kernel-meta repository.

the ABI needs to be bumped for every published kernel package now that modules
are signed, else the booted kernel image containing the public part of the
ephemeral signing key, and the on-disk (potentially upgraded in-place) signed
module files can disagree, and module loading would fail.

not changed (yet): git repository name, pve-firmware

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---

Notes:
    we could also unify KREL and PKGREL now, since the two always need to be bumped together?
    
    not changed yet: git repo, pve-firmware package - those can be done as follow-ups though.
    
    we could possibly add a Breaks on all the outdated meta packages here, but I
    think just bumping coming from the other direction should be enough:
    
    proxmox-ve/proxmox-backup-meta/proxmox-mailgateway -> proxmox-kernel-6.2 -> updated proxmox-kernel-6.2.16-...
                                                       -> updated proxmox-kernel-helper
    pve-headers -> proxmox-kernel-6.2 -> updated proxmox-headers-6.2.16-..
    
    note that PMG calls the top-level headers meta package pve-headers as well, and
    PBS doesn't even have it in the first place. we could rename (and
    Breaks+Replaces+Provides) for PMG, and add it to PBS as well, if desired.
    
    changelog diff included because of the source package rename (easy to miss
    otherwise) - can of course be extended/.. if more changes are folded in before
    actually building and releasing!

 Makefile                                      | 28 +++++-----
 debian/changelog                              | 13 +++++
 debian/control.in                             | 52 ++++++++++++++-----
 ...ostinst.in => proxmox-headers.postinst.in} |  0
 debian/proxmox-kernel-meta.postinst.in        | 17 ++++++
 debian/proxmox-kernel-meta.postrm.in          | 19 +++++++
 ...postinst.in => proxmox-kernel.postinst.in} |  0
 ...nel.postrm.in => proxmox-kernel.postrm.in} |  0
 ...ernel.prerm.in => proxmox-kernel.prerm.in} |  0
 debian/rules                                  | 27 ++++++----
 debian/source/lintian-overrides               |  4 +-
 11 files changed, 121 insertions(+), 39 deletions(-)
 rename debian/{pve-headers.postinst.in => proxmox-headers.postinst.in} (100%)
 create mode 100755 debian/proxmox-kernel-meta.postinst.in
 create mode 100755 debian/proxmox-kernel-meta.postrm.in
 rename debian/{pve-kernel.postinst.in => proxmox-kernel.postinst.in} (100%)
 rename debian/{pve-kernel.postrm.in => proxmox-kernel.postrm.in} (100%)
 rename debian/{pve-kernel.prerm.in => proxmox-kernel.prerm.in} (100%)

diff --git a/Makefile b/Makefile
index b1ebe36..aba8c5c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,22 +1,22 @@
 include /usr/share/dpkg/pkg-info.mk
 
-# also bump pve-kernel-meta if either of MAJ.MIN, PATCHLEVEL or KREL change
+# also bump proxmox-ve and PBS/PMG meta packages if the default MAJ.MIN version changes!
 KERNEL_MAJ=6
 KERNEL_MIN=2
 KERNEL_PATCHLEVEL=16
-# increment KREL if the ABI changes (abicheck target in debian/rules)
+# increment KREL for every published package release!
 # rebuild packages with new KREL and run 'make abiupdate'
-KREL=4
+KREL=5
 
-PKGREL=5
+PKGREL=6
 
 KERNEL_MAJMIN=$(KERNEL_MAJ).$(KERNEL_MIN)
 KERNEL_VER=$(KERNEL_MAJMIN).$(KERNEL_PATCHLEVEL)
 
 EXTRAVERSION=-$(KREL)-pve
 KVNAME=$(KERNEL_VER)$(EXTRAVERSION)
-PACKAGE=pve-kernel-$(KVNAME)
-HDRPACKAGE=pve-headers-$(KVNAME)
+PACKAGE=proxmox-kernel-$(KVNAME)
+HDRPACKAGE=proxmox-headers-$(KVNAME)
 
 ARCH=$(shell dpkg-architecture -qDEB_BUILD_ARCH)
 
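Review bot: the new comment on KREL asks for a bump on every published release, but nothing in the Makefile enforces it, and the commit message says a mismatch makes module loading fail. Since KREL and PKGREL now move together (4 to 5 and 5 to 6 here), consider deriving one from the other or failing the build when PKGREL changes without KREL. The retained line about running 'make abiupdate' should be reworded if the ABI check is no longer what triggers the bump.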
@@ -31,7 +31,7 @@ GITVERSION:=$(shell git rev-parse HEAD)
 
 SKIPABI=0
 
-BUILD_DIR=pve-kernel-$(KERNEL_VER)
+BUILD_DIR=proxmox-kernel-$(KERNEL_VER)
 
 KERNEL_SRC=ubuntu-kernel
 KERNEL_SRC_SUBMODULE=submodules/$(KERNEL_SRC)
@@ -46,19 +46,21 @@ MODULE_DIRS=$(ZFSDIR)
 # exported to debian/rules via debian/rules.d/dirs.mk
 DIRS=KERNEL_SRC ZFSDIR MODULES
 
-DSC=pve-kernel_$(KERNEL_VER)-$(PKGREL).dsc
+DSC=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(PKGREL).dsc
 DST_DEB=$(PACKAGE)_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
+META_DEB=proxmox-kernel-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(PKGREL)_all.deb
 HDR_DEB=$(HDRPACKAGE)_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
-USR_HDR_DEB=pve-kernel-libc-dev_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
+META_HDR_DEB=proxmox-headers-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(PKGREL)_all.deb
+USR_HDR_DEB=proxmox-kernel-libc-dev_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
 LINUX_TOOLS_DEB=linux-tools-$(KERNEL_MAJMIN)_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
 LINUX_TOOLS_DBG_DEB=linux-tools-$(KERNEL_MAJMIN)-dbgsym_$(KERNEL_VER)-$(PKGREL)_$(ARCH).deb
 
-DEBS=$(DST_DEB) $(HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) # $(USR_HDR_DEB)
+DEBS=$(DST_DEB) $(META_DEB) $(HDR_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(LINUX_TOOLS_DBG_DEB) # $(USR_HDR_DEB)
 
 all: deb
 deb: $(DEBS)
 
-$(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
+$(META_DEB) $(META_HDR_DEB) $(LINUX_TOOLS_DEB) $(HDR_DEB): $(DST_DEB)
 $(DST_DEB): $(BUILD_DIR).prepared
 	cd $(BUILD_DIR); dpkg-buildpackage --jobs=auto -b -uc -us
 	lintian $(DST_DEB)
@@ -161,5 +163,5 @@ abi-tmp-$(KVNAME):
 
 .PHONY: clean
 clean:
-	rm -rf *~ pve-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
-	rm -f *.deb *.dsc *.changes *.buildinfo *.build pve-kernel*.tar.*
+	rm -rf *~ proxmox-kernel-[0-9]*/ *.prepared $(KERNEL_CFG_ORG)
+	rm -f *.deb *.dsc *.changes *.buildinfo *.build proxmox-kernel*.tar.*
diff --git a/debian/changelog b/debian/changelog
index 5046ab5..01f70c4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+proxmox-kernel-6.2 (6.2.16-6) bookworm; urgency=medium
+
+  * enable Secure Boot related KConfigs to allow manually signed booting
+
+  * merge proxmox-kernel-meta packaging into main kernel build, since every
+    package release entails an ABI bump now.
+
+  * bump ABI to 6.2.16-5
+
+  * change `pve-` prefix to `proxmox-`
+
+ -- Proxmox Support Team <support@proxmox.com>  Fri, 14 Jul 2023 19:53:39 +0200
+
 pve-kernel (6.2.16-5) bookworm; urgency=medium
 
   * kvm: xsave set: mask-out PKRU bit in xfeatures if vCPU has no support to
diff --git a/debian/control.in b/debian/control.in
index 2fbbf6b..6c10ddb 100644
--- a/debian/control.in
+++ b/debian/control.in
@@ -1,4 +1,4 @@
-Source: pve-kernel
+Source: proxmox-kernel-@KVMAJMIN@
 Section: devel
 Priority: optional
 Maintainer: Proxmox Support Team <support@proxmox.com>
@@ -31,7 +31,7 @@ Build-Depends: asciidoc-base,
                xmlto,
                zlib1g-dev,
                zstd,
-Build-Conflicts: pve-headers-@KVNAME@,
+Build-Conflicts: proxmox-headers-@KVNAME@,
 Standards-Version: 4.6.2
 Vcs-Git: git://git.proxmox.com/git/pve-kernel
 Vcs-Browser: https://git.proxmox.com/?p=pve-kernel.git
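Review bot: the unchanged `Vcs-Git: git://git.proxmox.com/git/pve-kernel` context line still uses the git:// transport, which is neither encrypted nor authenticated. As this stanza is being edited for the rename anyway, point it at an https:// clone URL if the server offers one, as the `Vcs-Browser` line already does.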
@@ -45,48 +45,74 @@ Description: Linux kernel version specific tools for version @KVMAJMIN@
  This package provides the architecture dependent parts for kernel
  version locked tools (such as perf and x86_energy_perf_policy)
 
-Package: pve-headers-@KVNAME@
+Package: proxmox-headers-@KVNAME@
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-headers-@KVNAME@-amd64,
+Provides: linux-headers-@KVNAME@-amd64, pve-headers-@KVNAME@
 Depends: ${misc:Depends},
 Description: Proxmox Kernel Headers
  This package contains the linux kernel headers
 
-Package: pve-kernel-@KVNAME@
+Package: proxmox-kernel-@KVNAME@
 Section: admin
 Priority: optional
 Architecture: any
-Provides: linux-image-@KVNAME@-amd64,
+Provides: linux-image-@KVNAME@-amd64, pve-kernel-@KVNAME@
 Suggests: pve-firmware,
 Depends: busybox, initramfs-tools | linux-initramfs-tool, ${misc:Depends},
 Recommends: grub-pc | grub-efi-amd64 | grub-efi-ia32 | grub-efi-arm64,
 Description: Proxmox Kernel Image
  This package contains the linux kernel and initial ramdisk used for booting
 
-Package: pve-kernel-@KVNAME@-dbgsym
+Package: proxmox-kernel-@KVNAME@-dbgsym
 Architecture: any
-Provides: linux-debug,
+Provides: linux-debug, pve-kernel-@KVNAME@-dbgsym
 Section: devel
 Priority: optional
-Build-Profiles: <pkg.pve-kernel.debug>
+Build-Profiles: <pkg.proxmox-kernel.debug>
 Depends: ${misc:Depends},
 Description: Proxmox Kernel debug image
  This package provides the kernel debug image for version @KVNAME@. The debug
  kernel image contained in this package is NOT meant to boot from - it is
  uncompressed, and unstripped, and suitable for use with crash/kdump-tools/..
- to analyze kernel crashes. This package also contains the pve-kernel modules
+ to analyze kernel crashes. This package also contains the proxmox-kernel modules
  in their unstripped version.
 
-Package: pve-kernel-libc-dev
+Package: proxmox-kernel-libc-dev
 Section: devel
 Priority: optional
 Architecture: any
-Provides: linux-libc-dev (=${binary:Version}),
+Provides: linux-libc-dev (=${binary:Version}), pve-kernel-libc-dev
 Conflicts: linux-libc-dev,
-Replaces: linux-libc-dev,
+Replaces: linux-libc-dev, pve-kernel-libc-dev
+Breaks: pve-kernel-libc-dev
 Depends: ${misc:Depends},
 Description: Linux support headers for userspace development
  This package provides userspaces headers from the Linux kernel.  These headers
  are used by the installed headers for GNU libc and other system libraries.
+
+Package: proxmox-headers-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-headers-amd64, linux-headers-generic, pve-headers-@KVMAJMIN@
+Breaks: pve-headers-@KVMAJMIN@
+Replaces: pve-headers-@KVMAJMIN@
+Priority: optional
+Depends: proxmox-headers-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Headers
+ This is a metapackage which will install the kernel headers
+ for the latest available proxmox kernel from the @KVMAJMIN@
+ series.
+
+Package: proxmox-kernel-@KVMAJMIN@
+Architecture: all
+Section: admin
+Provides: linux-image-amd64, linux-image-generic, wireguard-modules (=1.0.0), pve-kernel-@KVMAJMIN@
+Breaks: pve-kernel-@KVMAJMIN@
+Replaces: pve-kernel-@KVMAJMIN@
+Priority: optional
+Depends: pve-firmware, proxmox-kernel-@KVNAME@, ${misc:Depends},
+Description: Latest Proxmox Kernel Image
+ This is a metapackage which will install the latest available
+ proxmox kernel from the @KVMAJMIN@ series.
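
Review bot: the compatibility names added to the Provides lines in this hunk (pve-kernel-@KVNAME@, pve-kernel-@KVNAME@-dbgsym, pve-kernel-libc-dev, pve-headers-@KVMAJMIN@, pve-kernel-@KVMAJMIN@) are all unversioned, and an unversioned Provides does not satisfy a versioned dependency, so a package that depends on one of the old names with a version constraint would not be satisfied by the renamed packages. The libc-dev stanza already uses the versioned form for linux-libc-dev (=${binary:Version}); consider doing the same for the old pve- names, or state in the commit message that no versioned dependencies on them exist.
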
diff --git a/debian/pve-headers.postinst.in b/debian/proxmox-headers.postinst.in
similarity index 100%
rename from debian/pve-headers.postinst.in
rename to debian/proxmox-headers.postinst.in
diff --git a/debian/proxmox-kernel-meta.postinst.in b/debian/proxmox-kernel-meta.postinst.in
new file mode 100755
index 0000000..dd801d6
--- /dev/null
+++ b/debian/proxmox-kernel-meta.postinst.in
@@ -0,0 +1,17 @@
+#! /bin/sh
+
+# Abort if any command returns an error value 
+set -e
+
+case "$1" in
+  configure)
+    # setup kernel links for installation CD (rescue boot)
+    mkdir -p /boot/pve
+    ln -sf /boot/vmlinuz-@@KVNAME@@ /boot/pve/vmlinuz-@@KVMAJMIN@@
+    ln -sf /boot/initrd.img-@@KVNAME@@ /boot/pve/initrd.img-@@KVMAJMIN@@
+    ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/proxmox-kernel-meta.postrm.in b/debian/proxmox-kernel-meta.postrm.in
new file mode 100755
index 0000000..6935ad7
--- /dev/null
+++ b/debian/proxmox-kernel-meta.postrm.in
@@ -0,0 +1,19 @@
+#! /bin/sh
+
+# Abort if any command returns an error value
+set -e
+
+case "$1" in
+    purge|remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+        # remove kernel symlinks
+        rm -f /boot/pve/vmlinuz-@@KVNAME@@
+        rm -f /boot/pve/initrd.img-@@KVNAME@@
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+#DEBHELPER#
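
Review bot: the two rm -f lines remove /boot/pve/vmlinuz-@@KVNAME@@ and /boot/pve/initrd.img-@@KVNAME@@, but proxmox-kernel-meta.postinst.in creates the links as /boot/pve/vmlinuz-@@KVMAJMIN@@ and /boot/pve/initrd.img-@@KVMAJMIN@@, so the links created on configure are never removed and the paths removed here are never created. The rm targets should use @@KVMAJMIN@@ to match the postinst.
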
diff --git a/debian/pve-kernel.postinst.in b/debian/proxmox-kernel.postinst.in
similarity index 100%
rename from debian/pve-kernel.postinst.in
rename to debian/proxmox-kernel.postinst.in
diff --git a/debian/pve-kernel.postrm.in b/debian/proxmox-kernel.postrm.in
similarity index 100%
rename from debian/pve-kernel.postrm.in
rename to debian/proxmox-kernel.postrm.in
diff --git a/debian/pve-kernel.prerm.in b/debian/proxmox-kernel.prerm.in
similarity index 100%
rename from debian/pve-kernel.prerm.in
rename to debian/proxmox-kernel.prerm.in
diff --git a/debian/rules b/debian/rules
index 123c870..1b7cc16 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,10 +16,11 @@ MAKEFLAGS += $(subst parallel=,-j,$(filter parallel=%,${DEB_BUILD_OPTIONS}))
 CHANGELOG_DATE:=$(shell dpkg-parsechangelog -SDate)
 CHANGELOG_DATE_UTC_ISO := $(shell date -u -d '$(CHANGELOG_DATE)' +%Y-%m-%dT%H:%MZ)
 
-PVE_KERNEL_PKG=pve-kernel-$(KVNAME)
-PVE_DEBUG_KERNEL_PKG=pve-kernel-$(KVNAME)-dbgsym
-PVE_HEADER_PKG=pve-headers-$(KVNAME)
-PVE_USR_HEADER_PKG=pve-kernel-libc-dev
+PVE_KERNEL_PKG=proxmox-kernel-$(KVNAME)
+PVE_KERNEL_META_PKG=proxmox-kernel-$(KERNEL_MAJMIN)
+PVE_DEBUG_KERNEL_PKG=proxmox-kernel-$(KVNAME)-dbgsym
+PVE_HEADER_PKG=proxmox-headers-$(KVNAME)
+PVE_USR_HEADER_PKG=proxmox-kernel-libc-dev
 LINUX_TOOLS_PKG=linux-tools-$(KERNEL_MAJMIN)
 KERNEL_SRC_COPY=$(KERNEL_SRC)_tmp
 
@@ -98,13 +99,17 @@ PVE_CONFIG_OPTS= \
 -e CONFIG_PAGE_TABLE_ISOLATION
 
 debian/control: $(wildcard debian/*.in)
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/pve-kernel.prerm.in > debian/$(PVE_KERNEL_PKG).prerm
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/pve-kernel.postrm.in > debian/$(PVE_KERNEL_PKG).postrm
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/pve-kernel.postinst.in > debian/$(PVE_KERNEL_PKG).postinst
-	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/pve-headers.postinst.in > debian/$(PVE_HEADER_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.prerm.in > debian/$(PVE_KERNEL_PKG).prerm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postrm.in > debian/$(PVE_KERNEL_PKG).postrm
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel.postinst.in > debian/$(PVE_KERNEL_PKG).postinst
+	sed -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-headers.postinst.in > debian/$(PVE_HEADER_PKG).postinst
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postrm.in > debian/$(PVE_KERNEL_META_PKG).postrm
+	sed -e 's/@@KVMAJMIN@@/$(KERNEL_MAJMIN)/g' -e 's/@@KVNAME@@/$(KVNAME)/g' < debian/proxmox-kernel-meta.postinst.in > debian/$(PVE_KERNEL_META_PKG).postinst
 	chmod +x debian/$(PVE_KERNEL_PKG).prerm
 	chmod +x debian/$(PVE_KERNEL_PKG).postrm
 	chmod +x debian/$(PVE_KERNEL_PKG).postinst
+	chmod +x debian/$(PVE_KERNEL_META_PKG).postrm
+	chmod +x debian/$(PVE_KERNEL_META_PKG).postinst
 	chmod +x debian/$(PVE_HEADER_PKG).postinst
 	sed -e 's/@KVNAME@/$(KVNAME)/g' -e 's/@KVMAJMIN@/$(KERNEL_MAJMIN)/g' < debian/control.in > debian/control
 
@@ -154,10 +159,10 @@ binary: install
 	# remove firmware
 	rm -rf debian/$(PVE_KERNEL_PKG)/lib/firmware
 
-ifeq ($(filter pkg.pve-kernel.debug,$(DEB_BUILD_PROFILES)),)
-	echo "'pkg.pve-kernel.debug' build profile disabled, skipping -dbgsym creation"
+ifeq ($(filter pkg.proxmox-kernel.debug,$(DEB_BUILD_PROFILES)),)
+	echo "'pkg.proxmox-kernel.debug' build profile disabled, skipping -dbgsym creation"
 else
-	echo "'pkg.pve-kernel.debug' build profile enabled, creating -dbgsym contents"
+	echo "'pkg.proxmox-kernel.debug' build profile enabled, creating -dbgsym contents"
 	mkdir -p debian/$(PVE_DEBUG_KERNEL_PKG)/usr/lib/debug/lib/modules/$(KVNAME)
 	mkdir debian/$(PVE_DEBUG_KERNEL_PKG)/usr/lib/debug/boot
 	install -m 644 $(KERNEL_SRC)/vmlinux debian/$(PVE_DEBUG_KERNEL_PKG)/usr/lib/debug/boot/vmlinux-$(KVNAME)
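
Review bot: the ifeq now only tests for pkg.proxmox-kernel.debug, so a build that still passes the old pkg.pve-kernel.debug profile in DEB_BUILD_PROFILES takes the "disabled" branch and produces no -dbgsym contents, with only the echo line as a hint. Either filter for both profile names during a transition period or mention the profile rename in the changelog so existing build scripts get updated.
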
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
index 792a6ca..053cb04 100644
--- a/debian/source/lintian-overrides
+++ b/debian/source/lintian-overrides
@@ -1,2 +1,2 @@
-pve-kernel source: debian-control-has-dbgsym-package (in section for pve-kernel-*-pve-dbgsym) Package [debian/control:*]
-pve-kernel source: license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
+proxmox-kernel source: debian-control-has-dbgsym-package (in section for proxmox-kernel-*-pve-dbgsym) Package [debian/control:*]
+proxmox-kernel source: license-problem-gfdl-invariants invariant part is: with the :ref:`invariant sections <fdl-invariant>` being list their titles, with the :ref:`front-cover texts <fdl-cover-texts>` being list, and with the :ref:`back-cover texts <fdl-cover-texts>` being list [ubuntu-kernel/Documentation/userspace-api/media/fdl-appendix.rst]
-- 
2.39.2


* [pve-devel] [PATCH manager] handle pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 [pve-devel] [PATCH pve-kernel++ 0/9] secure boot improvements, kernel packages rename Fabian Grünbichler
                   ` (7 preceding siblings ...)
  2023-07-18  9:11 ` [pve-devel] [PATCH 2/2] integrate meta packages and change prefix Fabian Grünbichler
@ 2023-07-18  9:11 ` Fabian Grünbichler
  8 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18  9:11 UTC (permalink / raw)
  To: pve-devel

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
proxmox-ve could get a versioned dep on pve-manager with this change
included, but it's not strictly required.

 PVE/API2/APT.pm    | 2 +-
 PVE/CLI/pve7to8.pm | 2 +-
 bin/pveupgrade     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/PVE/API2/APT.pm b/PVE/API2/APT.pm
index 6694dbeb6..f73535e15 100644
--- a/PVE/API2/APT.pm
+++ b/PVE/API2/APT.pm
@@ -789,7 +789,7 @@ __PACKAGE__->register_method({
 
 	my $aptver = $AptPkg::System::_system->versioning();
 	my $byver = sub { $aptver->compare($cache->{$b}->{CurrentVer}->{VerStr}, $cache->{$a}->{CurrentVer}->{VerStr}) };
-	push @list, sort $byver grep { /^pve-kernel-/ && $cache->{$_}->{CurrentState} eq 'Installed' } keys %$cache;
+	push @list, sort $byver grep { /^(?:pve|proxmox)-kernel-/ && $cache->{$_}->{CurrentState} eq 'Installed' } keys %$cache;
 
         my @opt_pack = qw(
 	    ceph
diff --git a/PVE/CLI/pve7to8.pm b/PVE/CLI/pve7to8.pm
index 5ba738372..ff8e6045f 100644
--- a/PVE/CLI/pve7to8.pm
+++ b/PVE/CLI/pve7to8.pm
@@ -204,7 +204,7 @@ sub check_pve_packages {
 	}
 
 	# FIXME: better differentiate between 6.2 from bullseye or bookworm
-	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'pve-kernel-6.2');
+	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'proxmox-kernel-6.2');
 	if (!$upgraded) {
 	    # we got a few that avoided 5.15 in cluster with mixed CPUs, so allow older too
 	    ($krunning, $kinstalled) = (qr/(?:5\.(?:13|15)|6\.2)/, 'pve-kernel-5.15');
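
Review bot: $kinstalled for the upgraded case becomes the literal 'proxmox-kernel-6.2', so the old pve-kernel-6.2 meta package is no longer the expected name on a host where pve-manager moved ahead of the renamed kernel packages or a partial upgrade was done. The APT.pm and pveupgrade hunks accept both prefixes, while this one drops the old name; consider accepting either name here, or add the versioned dependency from proxmox-ve on pve-manager mentioned in the patch notes so the two move together.
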
diff --git a/bin/pveupgrade b/bin/pveupgrade
index 0ce01824d..2b7e0248d 100755
--- a/bin/pveupgrade
+++ b/bin/pveupgrade
@@ -61,7 +61,7 @@ if (!$st || (time() - $st->mtime) > (3*24*3600)) {
 
     my $newkernel;
     foreach my $p (@$oldlist) {
-	if (($p->{Package} =~ m/^pve-kernel/) && 
+	if (($p->{Package} =~ m/^(:?pve|proxmox)-kernel/) && 
 	    !grep { $_->{Package} eq $p->{Package} } @$pkglist) {
 	    $newkernel = 1;
 	    last;
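
Review bot: the group in m/^(:?pve|proxmox)-kernel/ is written (:? rather than (?:, so it is a capturing group whose first alternative is an optional literal colon followed by pve. It still matches both prefixes, but it also matches a name starting with ":pve-kernel" and sets $1; it should read m/^(?:pve|proxmox)-kernel/ as in the APT.pm hunk.
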
-- 
2.39.2


* Re: [pve-devel] [PATCH proxmox-backup-meta] switch to proxmox-kernel-6.2
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2 Fabian Grünbichler
@ 2023-07-18 13:00   ` Fabian Grünbichler
  0 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18 13:00 UTC (permalink / raw)
  To: Proxmox VE development discussion

sorry for the missing subject prefix, this one is for
proxmox-backup-meta

On July 18, 2023 11:10 am, Fabian Grünbichler wrote:
> and force upgrade of proxmox-kernel-helper with support for the new package
> names.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> 
> Notes:
>     we could add a pbs-headers meta package here if desired
>     the dep on proxmox-backup-server could get a minimum version
> 
>  debian/control | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/debian/control b/debian/control
> index 83b55f8..abbbaa3 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -10,8 +10,8 @@ Architecture: all
>  Depends: proxmox-archive-keyring,
>           proxmox-backup-client,
>           proxmox-backup-server,
> -         proxmox-kernel-helper,
> -         pve-kernel-6.2,
> +         proxmox-kernel-helper (>= 8.0.3),
> +         proxmox-kernel-6.2,
>  Description: Proxmox Backup Server meta package
>   This is a meta package which will install everything needed to run a
>   Proxmox Backup server. This package also depends on the latest
> -- 
> 2.39.2
> 
> 
> 
> _______________________________________________
> pve-devel mailing list
> pve-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
> 


* Re: [pve-devel] [PATCH proxmox-kernel-helper] pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 ` [pve-devel] [PATCH] pve-kernel -> proxmox-kernel rename Fabian Grünbichler
@ 2023-07-18 13:00   ` Fabian Grünbichler
  0 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18 13:00 UTC (permalink / raw)
  To: Proxmox VE development discussion

and this one for proxmox-kernel-helper

On July 18, 2023 11:10 am, Fabian Grünbichler wrote:
> following the rename in our kernel packaging, otherwise the scripts here
> wouldn't pick up the new kernels (except if currently booted).
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  src/bin/proxmox-boot-tool             | 6 +++---
>  src/proxmox-boot/functions            | 4 ++--
>  src/proxmox-boot/proxmox-auto-removal | 3 ++-
>  src/proxmox-boot/proxmox-boot-sync    | 2 +-
>  4 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/src/bin/proxmox-boot-tool b/src/bin/proxmox-boot-tool
> index 302974b..35fb721 100755
> --- a/src/bin/proxmox-boot-tool
> +++ b/src/bin/proxmox-boot-tool
> @@ -361,7 +361,7 @@ help() {
>  	echo ""
>  	echo "USAGE: $0 init <partition>"
>  	echo ""
> -	echo "    initialize EFI system partition at <partition> for automatic synchronization of pve-kernels and their associated initrds."
> +	echo "    initialize EFI system partition at <partition> for automatic synchronization of Proxmox kernels and their associated initrds."
>  	echo ""
>  	echo "USAGE: $0 reinit"
>  	echo ""
> @@ -377,12 +377,12 @@ help() {
>  	echo ""
>  	echo "USAGE: $0 kernel <add|remove> <kernel-version>"
>  	echo ""
> -	echo "    add/remove pve-kernel with ABI <kernel-version> to list of synced kernels, in addition to automatically selected ones."
> +	echo "    add/remove proxmox-kernel with ABI <kernel-version> to list of synced kernels, in addition to automatically selected ones."
>  	echo "    NOTE: you need to manually run 'refresh' once you're finished with adding/removing kernels from the list"
>  	echo ""
>  	echo "USAGE: $0 kernel pin <kernel-version> [--next-boot]"
>  	echo ""
> -	echo "    pin pve-kernel with ABI <kernel-version> as the default entry to be booted."
> +	echo "    pin proxmox-kernel with ABI <kernel-version> as the default entry to be booted."
>  	echo "    with --next-boot sets <kernel-version> only for the next boot."
>  	echo "    NOTE: you need to manually run 'refresh' once you're finished with pinning kernels"
>  	echo ""
> diff --git a/src/proxmox-boot/functions b/src/proxmox-boot/functions
> index 8193742..b55a164 100755
> --- a/src/proxmox-boot/functions
> +++ b/src/proxmox-boot/functions
> @@ -30,8 +30,8 @@ kernel_keep_versions() {
>  	eval "$(apt-config shell DPKG Dir::bin::dpkg/f)"
>  	test -n "$DPKG" || DPKG="/usr/bin/dpkg"
>  
> -	list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+pve-kernel-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2; }' \
> -	   | sed -e 's#^pve-kernel-##' -e 's#:[^:]\+ # #')"
> +	list="$("${DPKG}" -l | awk '/^[ih][^nc][ ]+(proxmox|pve)-kernel-[0-9]+\./ && $2 !~ /-dbg(:.*)?$/ && $2 !~ /-dbgsym(:.*)?$/ { print $2; }' \
> +	   | sed -e 's#^pve-kernel-##' -e 's#^proxmox-kernel-##' -e 's#:[^:]\+ # #')"
>  
>  	sorted_list="$(echo "$list" | sort --unique --reverse --version-sort)"
>  
> diff --git a/src/proxmox-boot/proxmox-auto-removal b/src/proxmox-boot/proxmox-auto-removal
> index 8fd27ce..ef1b748 100755
> --- a/src/proxmox-boot/proxmox-auto-removal
> +++ b/src/proxmox-boot/proxmox-auto-removal
> @@ -20,13 +20,14 @@ generate_apt_config() {
>  	for kernel in $kernels; do
>  		escaped_kver="$(echo "$kernel" |  sed -e 's#\([\.\+]\)#\\\1#g')"
>  		echo "   \"^pve-kernel-${escaped_kver}$\";"
> +		echo "   \"^proxmox-kernel-${escaped_kver}$\";"
>  	done
>  	echo '};'
>  	if [ "${APT_AUTO_REMOVAL_KERNELS_DEBUG:-false}" = 'true' ]; then
>  		cat <<-EOF
>  		/* Debug information:
>  		# dpkg list:
> -		$(dpkg -l | grep -F 'pve-kernel' || true)
> +		$(dpkg -l | grep -F -e 'pve-kernel' -e 'proxmox-kernel' || true)
>  		# list of installed kernel packages:
>  		$kernels
>  		*/
> diff --git a/src/proxmox-boot/proxmox-boot-sync b/src/proxmox-boot/proxmox-boot-sync
> index 5bdd72e..3058fd9 100644
> --- a/src/proxmox-boot/proxmox-boot-sync
> +++ b/src/proxmox-boot/proxmox-boot-sync
> @@ -4,7 +4,7 @@ set -e
>  
>  # Only run the refresh if update-initramfs has been called manually.
>  # If this script is being run as part of a post-kernel-install hook,
> -# this variable will be set to 1 and we do nothing, since our pve-kernel
> +# this variable will be set to 1 and we do nothing, since our proxmox-kernel
>  # hooks will update the ESPs all at once anyway.
>  if [ -z "$INITRAMFS_TOOLS_KERNEL_HOOK" ]; then
>  	/usr/sbin/proxmox-boot-tool refresh --hook 'zz-proxmox-boot'
> -- 
> 2.39.2
> 
> 
> 
> 


* Re: [pve-devel] [PATCH proxmox-mailgateway] switch to proxmox-kernel-6.2/proxmox-headers-6.2
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
@ 2023-07-18 13:01   ` Fabian Grünbichler
  2023-07-25 15:12   ` [pve-devel] [PATCH] " Thomas Lamprecht
  1 sibling, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18 13:01 UTC (permalink / raw)
  To: Proxmox VE development discussion

this one's for proxmox-mailgateway

On July 18, 2023 11:10 am, Fabian Grünbichler wrote:
> and force upgrade of proxmox-kernel-helper with support for the new package
> names.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> 
> Notes:
>     we could rename pve-headers to pmg-headers and Provides/Replaces/Breaks pve-headers with a version guard here..
>     the dependency on pmg-api could get a minimum version here
> 
>  debian/control | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/debian/control b/debian/control
> index 106e795..4d4c3af 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -10,8 +10,8 @@ Architecture: all
>  Depends: pmg-api (>= 8.0~),
>           pmg-gui (>= 4.0~),
>           proxmox-archive-keyring,
> -         proxmox-kernel-helper,
> -         pve-kernel-6.2,
> +         proxmox-kernel-helper (>= 8.0.3),
> +         proxmox-kernel-6.2,
>           ${misc:Depends},
>  Description: Proxmox Mail Gateway
>   The Proxmox Mail Gateway is an easy to use Open Source SMTP proxy,
> @@ -21,7 +21,7 @@ Description: Proxmox Mail Gateway
>  
>  Package: pve-headers
>  Architecture: all
> -Depends: pve-headers-6.2, ${misc:Depends},
> +Depends: proxmox-headers-6.2, ${misc:Depends},
>  Description: Default Proxmox Kernel Headers
>   This is a virtual package which will install the kernel headers for the
>   current default kernel.
> -- 
> 2.39.2
> 
> 
> 
> 


* Re: [pve-devel] [PATCH pve-kernel 1/2] fix #4831: build: sign modules and enable lockdown
  2023-07-18  9:11 ` [pve-devel] [PATCH 1/2] fix #4831: build: sign modules and enable lockdown Fabian Grünbichler
@ 2023-07-18 13:02   ` Fabian Grünbichler
  0 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-18 13:02 UTC (permalink / raw)
  To: Proxmox VE development discussion; +Cc: Wolfgang Bumiller

and this one and 2/2 are obviously for pve-kernel :-/ fixed up the git
settings so that it doesn't happen again..

On July 18, 2023 11:11 am, Fabian Grünbichler wrote:
> this is required for secure boot support.
> 
> at build time, an ephemeral key pair will be generated and all built modules
> will be signed with it. the private key is discarded, and the public key
> embedded in the kernel image for signature validation at module load time.
> 
> these changes allow booting the built kernel in secure boot mode after manually
> signing the kernel image with a trusted key (either MOK, or by enrolling custom
> PK/KEK/db keys and signing the whole bootchain using them).
> 
> Tested-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
>  debian/rules | 22 ++++++++++++++++++----
>  1 file changed, 18 insertions(+), 4 deletions(-)
> 
> diff --git a/debian/rules b/debian/rules
> index 744e5cb..123c870 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -53,7 +53,13 @@ PVE_CONFIG_OPTS= \
>  -e CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE \
>  -e CONFIG_SYSFB_SIMPLEFB \
>  -e CONFIG_DRM_SIMPLEDRM \
> --d CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG \
> +-e CONFIG_MODULE_SIG_ALL \
> +-e CONFIG_MODULE_SIG_FORMAT \
> +--set-str CONFIG_MODULE_SIG_HASH sha512 \
> +--set-str CONFIG_MODULE_SIG_KEY certs/signing_key.pem \
> +-e CONFIG_MODULE_SIG_KEY_TYPE_RSA \
> +-e CONFIG_MODULE_SIG_SHA512 \
>  -d CONFIG_MEMCG_DISABLED \
>  -e CONFIG_MEMCG_SWAP_ENABLED \
>  -e CONFIG_HYPERV \
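
Review bot: CONFIG_MODULE_SIG_FORCE is not among the options enabled in this hunk, so unless the base config already sets it, unsigned modules are only rejected while lockdown is active and otherwise still load (tainting the kernel). If that is the intended behaviour for hosts booted without secure boot, it would help to say so in the commit message, which currently only describes the secure boot case.
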
> @@ -86,9 +92,9 @@ PVE_CONFIG_OPTS= \
>  -e CONFIG_UNWINDER_FRAME_POINTER \
>  --set-str CONFIG_SYSTEM_TRUSTED_KEYS ""\
>  --set-str CONFIG_SYSTEM_REVOCATION_KEYS ""\
> --d CONFIG_SECURITY_LOCKDOWN_LSM \
> --d CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> ---set-str CONFIG_LSM yama,integrity,apparmor \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM \
> +-e CONFIG_SECURITY_LOCKDOWN_LSM_EARLY \
> +--set-str CONFIG_LSM lockdown,yama,integrity,apparmor \
>  -e CONFIG_PAGE_TABLE_ISOLATION
>  
>  debian/control: $(wildcard debian/*.in)
> @@ -163,6 +169,14 @@ endif
>  
>  	# strip debug info
>  	find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do strip --strip-debug "$$f"; done
> +
> +	# sign modules using ephemeral, embedded key
> +	if grep -q CONFIG_MODULE_SIG=y ubuntu-kernel/.config ; then \
> +		find debian/$(PVE_KERNEL_PKG)/lib/modules -name \*.ko -print | while read f ; do \
> +			./ubuntu-kernel/scripts/sign-file sha512 ./ubuntu-kernel/certs/signing_key.pem ubuntu-kernel/certs/signing_key.x509 "$$f" ; \
> +		done; \
> +		rm ./ubuntu-kernel/certs/signing_key.pem ; \
> +	fi
>  	# finalize
>  	/sbin/depmod -b debian/$(PVE_KERNEL_PKG)/ $(KVNAME)
>  	# Autogenerate blacklist for watchdog devices (see README)
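
Review bot: in the signing loop the exit status of sign-file is not checked; the pipeline's status is that of the while loop, i.e. of the last sign-file call, so a failure on any earlier module is ignored and that module would be packaged unsigned, after which the rm of signing_key.pem makes it impossible to re-sign. Append || exit 1 to the sign-file line so the build fails instead of shipping a module that cannot be loaded under lockdown.
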
> -- 
> 2.39.2
> 
> 
> 
> 


* Re: [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename
  2023-07-18  9:10 ` [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename Fabian Grünbichler
@ 2023-07-25 15:06   ` Thomas Lamprecht
  2023-07-26  7:34     ` Fabian Grünbichler
  0 siblings, 1 reply; 18+ messages in thread
From: Thomas Lamprecht @ 2023-07-25 15:06 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 18/07/2023 11:10, Fabian Grünbichler wrote:

> diff --git a/src/PMG/CLI/pmg7to8.pm b/src/PMG/CLI/pmg7to8.pm
> index 85e9f16..8cccde1 100644
> --- a/src/PMG/CLI/pmg7to8.pm
> +++ b/src/PMG/CLI/pmg7to8.pm
> @@ -193,7 +193,7 @@ sub check_pmg_packages {
>  	}
>  
>  	# FIXME: better differentiate between 6.2 from bullseye or bookworm
> -	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'pve-kernel-6.2');
> +	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'proxmox-kernel-6.2');

this loses backwards compat though?

Makes update harder as we need to coordinate closely moving packages around..
Same for PBS and PVE.


* Re: [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2
  2023-07-18  9:10 ` [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2 Fabian Grünbichler
  2023-07-18 13:01   ` [pve-devel] [PATCH proxmox-mailgateway] " Fabian Grünbichler
@ 2023-07-25 15:12   ` Thomas Lamprecht
  2023-07-26  7:25     ` Fabian Grünbichler
  1 sibling, 1 reply; 18+ messages in thread
From: Thomas Lamprecht @ 2023-07-25 15:12 UTC (permalink / raw)
  To: Proxmox VE development discussion, Fabian Grünbichler

On 18/07/2023 11:10, Fabian Grünbichler wrote:
> and force upgrade of proxmox-kernel-helper with support for the new package
> names.
> 
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> 
> Notes:
>     we could rename pve-headers to pmg-headers and Provides/Replaces/Breaks pve-headers with a version guard here..

Or add a new source package providing a proxmox-default-kernel and
proxmox-default-kernel-headers meta packages. We already change the
kernel in lock-step for all products, and would still have some more
specific timing control through how or when the package gets moved
along in each repo.


* Re: [pve-devel] [PATCH] switch to proxmox-kernel-6.2/proxmox-headers-6.2
  2023-07-25 15:12   ` [pve-devel] [PATCH] " Thomas Lamprecht
@ 2023-07-26  7:25     ` Fabian Grünbichler
  0 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-26  7:25 UTC (permalink / raw)
  To: Proxmox VE development discussion, Thomas Lamprecht

On July 25, 2023 5:12 pm, Thomas Lamprecht wrote:
> On 18/07/2023 11:10, Fabian Grünbichler wrote:
>> and force upgrade of proxmox-kernel-helper with support for the new package
>> names.
>> 
>> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
>> ---
>> 
>> Notes:
>>     we could rename pve-headers to pmg-headers and Provides/Replaces/Breaks pve-headers with a version guard here..
> 
> Or add a new source package providing a proxmox-default-kernel and
> proxmox-default-kernel-headers meta packages. We already change the
> kernel in lock-step for all products, and would still have some more
> specific timing control through how or when the package gets moved
> along in each repo.
> 

yes, that would also work! 

I can send follow-up patches for the three meta packages that switch to
that (and create the new meta-meta package/repo ;))


* Re: [pve-devel] [PATCH pmg-api] handle pve-kernel -> proxmox-kernel rename
  2023-07-25 15:06   ` Thomas Lamprecht
@ 2023-07-26  7:34     ` Fabian Grünbichler
  0 siblings, 0 replies; 18+ messages in thread
From: Fabian Grünbichler @ 2023-07-26  7:34 UTC (permalink / raw)
  To: Proxmox VE development discussion, Thomas Lamprecht

On July 25, 2023 5:06 pm, Thomas Lamprecht wrote:
> On 18/07/2023 11:10, Fabian Grünbichler wrote:
> 
>> diff --git a/src/PMG/CLI/pmg7to8.pm b/src/PMG/CLI/pmg7to8.pm
>> index 85e9f16..8cccde1 100644
>> --- a/src/PMG/CLI/pmg7to8.pm
>> +++ b/src/PMG/CLI/pmg7to8.pm
>> @@ -193,7 +193,7 @@ sub check_pmg_packages {
>>  	}
>>  
>>  	# FIXME: better differentiate between 6.2 from bullseye or bookworm
>> -	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'pve-kernel-6.2');
>> +	my ($krunning, $kinstalled) = (qr/6\.(?:2\.(?:[2-9]\d+|1[6-8]|1\d\d+)|5)[^~]*$/, 'proxmox-kernel-6.2');
> 
> this loses backwards compat though?
> 
> Makes update harder as we need to coordinate closely moving packages around..
> Same for PBS and PVE.

this ('$kinstalled') is the package that should be installed after the
upgrade has happened (for the non-upgraded case, we check for
pve-kernel-5.15). technically it means that yes, we should move
proxmox-mailgateway (which transitively depends on the renamed kernel
packages) and pmg-api at the same time through the repos.

that's why I noted that

> the proxmox-mailgateway meta package could get a versioned dep on
> pmg-api with this change, but it's not strictly required.

in this patch (and the other similar ones for their respective meta
package).

the only thing that breaks if we don't do that is this check here
complaining if
- pmg-api moved faster than the renamed kernel packages (or for some
  reason, a partial upgrade was done)
- *and* the running kernel version is an unexpected one (upgraded, but not
  yet rebooted, or some other non-standard setup)

it still rightfully complains, but with the wrong message..
