Message ID | 20231205183554.1077985-1-dimitri.ledkov@canonical.com |
---|---|
State | New |
Headers | show |
Series | [unstable/linux-signed] Remove arbitrary timestamp and filename from ARM64 signed linux-image | expand |
2023-12-05 19:36 CET, Dimitri John Ledkov: > BugLink: https://bugs.launchpad.net/bugs/2045684 > > $ file /boot/vmlinuz-6.6.0-14-generic > /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was > "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 > 18:54:57 2023, max compression, from Unix, original size modulo 2^32 > 56127880 > > Note that original filename and timestamp are encoded in the gzip > content header which is not reproducible and not roundtrip safe. This > make it difficult to do gymnastics to convert for linux > linux-unsgined, to linux-signed, to kernel.efi, and back and preserve > the same checksum or HMAC of the file, as needed by FIPS or just pure > curiosity to confirm that the kernel image is the same across all > image formats we ship. > > The fix is to use -n (--no-name) option to gzip to compress the file > without filename nor timestamp. > > $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new > /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max > compression, from Unix, original size modulo 2^32 56127880 > > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> > --- > debian/rules | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian/rules b/debian/rules > index 01339d8348..236a1293d0 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -67,7 +67,7 @@ override_dh_auto_build: > vars="$${base}.efi.vars"; \ > [ -f "$$vars" ] && . "./$$vars"; \ > if [ "$$GZIP" = "1" ]; then \ > - gzip -9 "$$s"; \ > + gzip -9 -n "$$s"; \ > mv "$${s}.gz" "$$s"; \ > fi; \ > ); \ Acked-by: Agathe Porte <agathe.porte@canonical.com>
On Tue, 2023-12-05 at 18:35 +0000, Dimitri John Ledkov wrote: > BugLink: https://bugs.launchpad.net/bugs/2045684 > > $ file /boot/vmlinuz-6.6.0-14-generic > /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was > "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 > 18:54:57 2023, max compression, from Unix, original size modulo 2^32 > 56127880 > > Note that original filename and timestamp are encoded in the gzip > content header which is not reproducible and not roundtrip safe. This > make it difficult to do gymnastics to convert for linux > linux-unsgined, to linux-signed, to kernel.efi, and back and preserve > the same checksum or HMAC of the file, as needed by FIPS or just pure > curiosity to confirm that the kernel image is the same across all > image formats we ship. > > The fix is to use -n (--no-name) option to gzip to compress the file > without filename nor timestamp. > > $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new > /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max > compression, from Unix, original size modulo 2^32 56127880 > > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> > --- > debian/rules | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian/rules b/debian/rules > index 01339d8348..236a1293d0 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -67,7 +67,7 @@ override_dh_auto_build: > vars="$${base}.efi.vars"; > \ > [ -f "$$vars" ] && . > "./$$vars"; \ > if [ "$$GZIP" = "1" ]; > then \ > - gzip -9 > "$$s"; \ > + gzip -9 -n > "$$s"; \ > mv "$${s}.gz" > "$$s"; \ > fi; > \ > ); > \ > -- > 2.34.1 > > Acked-by: Jose Ogando <jose.ogando@canonical.com>
On Tue, Dec 05, 2023 at 06:35:54PM +0000, Dimitri John Ledkov wrote: > BugLink: https://bugs.launchpad.net/bugs/2045684 > > $ file /boot/vmlinuz-6.6.0-14-generic > /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was > "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 > 18:54:57 2023, max compression, from Unix, original size modulo 2^32 > 56127880 > > Note that original filename and timestamp are encoded in the gzip > content header which is not reproducible and not roundtrip safe. This > make it difficult to do gymnastics to convert for linux > linux-unsgined, to linux-signed, to kernel.efi, and back and preserve > the same checksum or HMAC of the file, as needed by FIPS or just pure > curiosity to confirm that the kernel image is the same across all > image formats we ship. > > The fix is to use -n (--no-name) option to gzip to compress the file > without filename nor timestamp. > > $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new > /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max > compression, from Unix, original size modulo 2^32 56127880 > > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> Applied to noble/linux-unstable, thanks! -Andrea > --- > debian/rules | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/debian/rules b/debian/rules > index 01339d8348..236a1293d0 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -67,7 +67,7 @@ override_dh_auto_build: > vars="$${base}.efi.vars"; \ > [ -f "$$vars" ] && . "./$$vars"; \ > if [ "$$GZIP" = "1" ]; then \ > - gzip -9 "$$s"; \ > + gzip -9 -n "$$s"; \ > mv "$${s}.gz" "$$s"; \ > fi; \ > ); \ > -- > 2.34.1 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff --git a/debian/rules b/debian/rules index 01339d8348..236a1293d0 100755 --- a/debian/rules +++ b/debian/rules @@ -67,7 +67,7 @@ override_dh_auto_build: vars="$${base}.efi.vars"; \ [ -f "$$vars" ] && . "./$$vars"; \ if [ "$$GZIP" = "1" ]; then \ - gzip -9 "$$s"; \ + gzip -9 -n "$$s"; \ mv "$${s}.gz" "$$s"; \ fi; \ ); \
BugLink: https://bugs.launchpad.net/bugs/2045684 $ file /boot/vmlinuz-6.6.0-14-generic /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 18:54:57 2023, max compression, from Unix, original size modulo 2^32 56127880 Note that original filename and timestamp are encoded in the gzip content header which is not reproducible and not roundtrip safe. This make it difficult to do gymnastics to convert for linux linux-unsgined, to linux-signed, to kernel.efi, and back and preserve the same checksum or HMAC of the file, as needed by FIPS or just pure curiosity to confirm that the kernel image is the same across all image formats we ship. The fix is to use -n (--no-name) option to gzip to compress the file without filename nor timestamp. $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max compression, from Unix, original size modulo 2^32 56127880 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)