From patchwork Tue Mar 26 18:52:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Magali Lemes X-Patchwork-Id: 1916324
From: Magali Lemes To: kernel-team@lists.ubuntu.com Subject: [SRU][Focal][PATCH 1/1] UBUNTU: [Packaging] Remove fips-checks script Date: Tue, 26 Mar 2024 15:52:38 -0300 Message-ID: <20240326185335.44175-2-magali.lemes@canonical.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240326185335.44175-1-magali.lemes@canonical.com> References: <20240326185335.44175-1-magali.lemes@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/2055083 This script is now part of `cranky` and there is no need for it to live in debian/ anymore, so remove it. Signed-off-by: Magali Lemes --- debian/rules.d/0-common-vars.mk | 3 - debian/rules.d/1-maintainer.mk | 3 - debian/scripts/misc/fips-checks | 138 -------------------------------- 3 files changed, 144 deletions(-) delete mode 100755 debian/scripts/misc/fips-checks diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk index 323d24549019..f532ab8687e8 100644 --- a/debian/rules.d/0-common-vars.mk +++ b/debian/rules.d/0-common-vars.mk @@ -218,9 +218,6 @@ do_flavour_header_package=true # DTBs do_dtbs=false -# FIPS check -do_fips_checks=false - # Support parallel= in DEB_BUILD_OPTIONS (see #209008) # # These 2 environment variables set the -j value of the kernel build. For example, diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk index 262b4717f3ac..88c13bb63b26 100644 --- a/debian/rules.d/1-maintainer.mk +++ b/debian/rules.d/1-maintainer.mk @@ -156,9 +156,6 @@ autoreconstruct: fi finalchecks: debian/control -ifeq ($(do_fips_checks),true) - $(DROOT)/scripts/misc/fips-checks -endif $(DROOT)/scripts/misc/final-checks "$(DEBIAN)" "$(prev_fullver)" diffupstream: 
diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks deleted file mode 100755 index 9dadd3939a62..000000000000 --- a/debian/scripts/misc/fips-checks +++ /dev/null 
@@ -1,138 +0,0 @@ -#!/bin/bash -eu -export LC_ALL=C.UTF-8 - -usage() { - cat << EOF -Usage: ${P:-$(basename "$0")} [-h|--help] - -Check if there are any FIPS relevant changes since the last -release. Any change that is identified should have a justification in -the justifications file or the check will fail. - -Optional arguments: - -h, --help Show this help message and exit. - -p, --previous Version to use as the previous base version. - -c, --current Version to use as the current base version. - -EOF -} - -prev_base_version= -curr_base_version= -crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* ) - -c_red='\033[0;31m' -c_green='\033[0;32m' -c_off='\033[0m' - -# Parse arguments -while [ "$#" -gt 0 ]; do - case "$1" in - -h|--help) - usage - exit 0 - ;; - -p|--previous) - shift - prev_base_version="$1" - ;; - -c|--current) - shift - curr_base_version="$1" - ;; - *) - usage - exit 1 - ;; - esac - shift -done - -DEBIAN= -# shellcheck disable=SC1091 -. debian/debian.env - -# Check if the "$DEBIAN" directory exists. -if [ ! -d "$DEBIAN" ]; then - echo "You must run this script from the top directory of this repository." - exit 1 -fi - -CONF="$DEBIAN/etc/update.conf" -if [ ! -f "$CONF" ]; then - echo "Missing file: $CONF" - exit 1 -fi -# shellcheck disable=SC1090 -. "$CONF" - -if [ "$DEBIAN_MASTER" = "" ]; then - echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" - exit 1 -fi - -# Find the base kernel version use by the previous version -if [ -z "$prev_base_version" ]; then - offset=1 - # Loop through each entry of the current changelog, searching for an - # entry that refers to the master version used as base (ie a line - # containing "[ Ubuntu: 4.15.0-39.42 ]"): - while true; do - changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") - if ! 
[ "$changes" ]; then - echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" - exit 1 - fi - prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') - [ "$prev_base_version" ] && break - offset=$(( offset + 1 )) - done - if [ -z "${prev_base_version}" ]; then - echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" - exit 1 - fi -fi - -# Find the current base kernel version -if [ -z "$curr_base_version" ]; then - curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) - if ! [ "$curr_base_version" ]; then - echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" - exit 1 - fi -fi - -# Check base kernel tags -tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-" -prev_tag="${tag_prefix}${prev_base_version}" -curr_tag="${tag_prefix}${curr_base_version}" -for tag in "$prev_tag" "$curr_tag"; do - if ! git rev-parse --verify "$tag" &> /dev/null; then - echo "Missing tag \"$tag\". Please fetch tags from base kernel." - exit 1 - fi -done - -# Check all the changes -fails=0 -justifications_file="$DEBIAN/fips.justifications" -justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) -while read -r id; do - short_msg=$(git log --format=%s --max-count=1 "$id") - if echo "$justifications" | grep -q -x -F "$short_msg"; then - echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" - continue - fi - echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" - fails=$(( fails + 1 )) -done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") - -echo -if [ "$fails" -gt 0 ]; then - echo "FIPS relevant changes were found without justification: ${fails} change(s)." - echo "Please, check the commits above and update the file \"${justifications_file}\"." - exit 1 -fi - -echo "Check completed without errors." -exit 0
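Review bot: In debian/rules.d/0-common-vars.mk, dropping the `do_fips_checks=false` default turns any remaining assignment of `do_fips_checks` elsewhere in the tree into a silent no-op, because the only consumer visible in this patch (the `ifeq ($(do_fips_checks),true)` block in 1-maintainer.mk) is removed as well. Please confirm with a tree-wide grep that no other rules file still sets it, and drop any such assignment in the same series so nobody assumes the check is still active.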
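Review bot: In the `finalchecks` target of debian/rules.d/1-maintainer.mk, removing the conditional call means the package's own final checks no longer fail on unjustified crypto changes, so the gate now depends entirely on the cranky step being run. The commit message only says the script is "now part of `cranky`"; it would help to name the cranky command and the point in the workflow where it runs, so it is clear the check remains mandatory for FIPS kernels and does not become optional.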
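Review bot: In the deleted debian/scripts/misc/fips-checks, the script is the only place in this patch that shows how `$DEBIAN/fips.justifications` is consumed (non-comment lines matched exactly against the commit subject via `grep -q -x -F`) and which paths are monitored (`crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* )`). The diffstat touches only three files, so the justifications file is not removed by this patch; please state in the commit message that the cranky version reads the same file with the same matching rules and path list, or document any difference.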