[B,F,I,0/2] LP:#1945989 - Check for changes relevant for security certifications

Message ID 20211004133548.2168392-1-marcelo.cerri@canonical.com

Message

Marcelo Henrique Cerri Oct. 4, 2021, 1:35 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1945989

Targeting Bionic and Focal because we only need that in LTS versions
later than B. Targeting Impish too for future LTSes.

[Impact]

When producing a new version of some kernels, we need to check for
changes that might affect FIPS or other certs and justify why a commit
was kept or removed.

To simplify this process we can add an automated check that will abort
the kernel preparation and build when such changes exist without a
justification.

[Test Plan]

Check if the kernel preparation fails (cranky close) when one of the
security certification changes is added.

[Where problems could occur]

No kernels should be affected until we enable this check on each
one. Even when enabled, that only affects the kernel preparation and
not the resulting kernel.

---
Marcelo Henrique Cerri (2):
  UBUNTU: [Packaging] Add a new fips-checks script
  UBUNTU: [Packaging] Add fips-checks as part of finalchecks

 debian/rules.d/0-common-vars.mk |   3 +
 debian/rules.d/1-maintainer.mk  |   3 +
 debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
 3 files changed, 144 insertions(+)
 create mode 100755 debian/scripts/misc/fips-checks
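As an added example (not the fips-checks script from this series, whose contents are not shown here), a shell sketch of the kind of pre-build gate the cover letter describes: walk the commits being prepared and fail when one touches certification-relevant paths without a justification in its message. The path list, the `Fips-Justification:` trailer and the throwaway demo repository are assumptions; git must be available.

```shell
# Added example, not the Ubuntu fips-checks script: fail a tree preparation
# when a commit touches certification-relevant paths without a justification.
# FIPS_PATHS, the trailer name and the demo repository are assumptions.

FIPS_PATHS='crypto/ arch/x86/crypto/ drivers/char/random.c'   # hypothetical
JUSTIFY_TRAILER='Fips-Justification:'                          # hypothetical

# fips_check BASE HEAD: list unjustified cert-relevant commits; return 1 if any.
fips_check() {
    pattern="^($(printf '%s' "$FIPS_PATHS" | tr ' ' '|'))"
    rc=0
    for c in $(git rev-list --reverse "$1..$2"); do
        touched=$(git diff-tree --no-commit-id --name-only -r "$c" |
                  grep -E "$pattern" || true)
        [ -n "$touched" ] || continue          # commit is cert-neutral
        if git log -1 --format=%B "$c" | grep -q "^$JUSTIFY_TRAILER"; then
            continue                           # justified in the commit message
        fi
        echo "$(git log -1 --format=%h "$c"): touches certified code, no $JUSTIFY_TRAILER"
        echo "$touched" | sed 's/^/    /'
        rc=1
    done
    return $rc
}

# fips_demo: constructed throwaway repo with one justified and one
# unjustified change; echoes the number of offending commits found (1).
fips_demo() {
    repo=$(mktemp -d)
    (
        cd "$repo" && git init -q . &&
        git config user.email demo@example.com && git config user.name demo &&
        mkdir -p crypto drivers/char && echo base >crypto/aes.c && git add . &&
        git commit -q -m base && git tag base &&
        echo reseed >drivers/char/random.c && git add . &&
        git commit -q -m "random: adjust reseed interval" \
            -m "$JUSTIFY_TRAILER no change to approved algorithms" &&
        echo rounds >crypto/aes.c && git add . &&
        git commit -q -m "crypto: aes: reorder key schedule" &&
        { fips_check base HEAD || true; } | grep -c 'touches certified code'
    )
    rm -rf "$repo"
}
```

Wired into the packaging's final checks, a non-zero return from fips_check is what would abort the preparation; the resulting kernel binary is unaffected either way.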

Comments

Stefan Bader Oct. 5, 2021, 7:50 a.m. UTC | #1
On 04.10.21 15:35, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
> 
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
> 
> [Impact]
> 
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
> 
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
> 
> [Test Plan]
> 
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
> 
> [Where problems could occur]
> 
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.
> 
> ---
> Marcelo Henrique Cerri (2):
>    UBUNTU: [Packaging] Add a new fips-checks script
>    UBUNTU: [Packaging] Add fips-checks as part of finalchecks
> 
>   debian/rules.d/0-common-vars.mk |   3 +
>   debian/rules.d/1-maintainer.mk  |   3 +
>   debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>   3 files changed, 144 insertions(+)
>   create mode 100755 debian/scripts/misc/fips-checks
> 

My only concern would be an impact on non-fips kernels, which I cannot see.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Kelsey Skunberg Oct. 12, 2021, 10:51 p.m. UTC | #2
Applied to Bionic and Focal master-next. Thank you!

-Kelsey

On 2021-10-04 10:35:45 , Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
> 
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
> 
> [Impact]
> 
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
> 
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
> 
> [Test Plan]
> 
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
> 
> [Where problems could occur]
> 
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.
> 
> ---
> Marcelo Henrique Cerri (2):
>   UBUNTU: [Packaging] Add a new fips-checks script
>   UBUNTU: [Packaging] Add fips-checks as part of finalchecks
> 
>  debian/rules.d/0-common-vars.mk |   3 +
>  debian/rules.d/1-maintainer.mk  |   3 +
>  debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>  3 files changed, 144 insertions(+)
>  create mode 100755 debian/scripts/misc/fips-checks
> 
Paolo Pisati Oct. 13, 2021, 12:53 p.m. UTC | #3
On Mon, Oct 04, 2021 at 10:35:45AM -0300, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
Andrea Righi Oct. 26, 2021, 11:08 a.m. UTC | #4
On Mon, Oct 04, 2021 at 10:35:45AM -0300, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
> 
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
> 
> [Impact]
> 
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
> 
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
> 
> [Test Plan]
> 
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
> 
> [Where problems could occur]
> 
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.

Applied also to unstable/5.15 for future LTSes.

-Andrea