Message ID | 20211004133548.2168392-1-marcelo.cerri@canonical.com
---|---
Series | LP:#1945989 - Check for changes relevant for security certifications
On 04.10.21 15:35, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
>
> [Where problems could occur]
>
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.
>
> ---
> Marcelo Henrique Cerri (2):
>   UBUNTU: [Packaging] Add a new fips-checks script
>   UBUNTU: [Packaging] Add fips-checks as part of finalchecks
>
>  debian/rules.d/0-common-vars.mk |   3 +
>  debian/rules.d/1-maintainer.mk  |   3 +
>  debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>  3 files changed, 144 insertions(+)
>  create mode 100755 debian/scripts/misc/fips-checks
>
My concern would only be to be impacted on non-fips kernels, which I cannot see.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Applied to Bionic and Focal master-next. Thank you!

-Kelsey

On 2021-10-04 10:35:45, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
>
> [Where problems could occur]
>
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.
>
> ---
> Marcelo Henrique Cerri (2):
>   UBUNTU: [Packaging] Add a new fips-checks script
>   UBUNTU: [Packaging] Add fips-checks as part of finalchecks
>
>  debian/rules.d/0-common-vars.mk |   3 +
>  debian/rules.d/1-maintainer.mk  |   3 +
>  debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>  3 files changed, 144 insertions(+)
>  create mode 100755 debian/scripts/misc/fips-checks
>
> --
> 2.25.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
On Mon, Oct 04, 2021 at 10:35:45AM -0300, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> Targeting Bionic and Focal because we only need that in LTS versions
> later than B. Targeting Impish too for future LTSes.
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when one of the
> security certification changes is added.
>
> [Where problems could occur]
>
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.

Applied also to unstable/5.15 for future LTSes.

-Andrea
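As an added illustration of the kind of gate the cover letter describes (a check that aborts kernel preparation when a commit touches certification-relevant code without a recorded justification), here is a small POSIX shell script. It is example code written for this page, not Ubuntu's `debian/scripts/misc/fips-checks` and not part of the thread; the watched path prefixes, the `Cert-Justification:` trailer, the git range placeholder and the sample commits are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: a gate in the spirit of the cover letter's automated check.
# This is NOT Ubuntu's debian/scripts/misc/fips-checks; the watched path
# prefixes and the "Cert-Justification:" trailer below are assumptions.

# Assumed path prefixes whose changes count as certification-relevant.
CERT_PATHS="crypto/ include/crypto/ security/integrity/"
# Assumed commit-message trailer that records why a change was kept.
JUSTIFY_TRAILER="Cert-Justification:"

# cert_paths_in FILES: print the subset of FILES (newline-separated) that
# start with a watched prefix; exit 0 if any matched, 1 otherwise.
cert_paths_in() {
    matched=1
    for prefix in $CERT_PATHS; do
        if printf '%s\n' "$1" | grep "^$prefix"; then
            matched=0
        fi
    done
    return $matched
}

# has_justification MESSAGE: exit 0 when the message carries the trailer
# followed by non-empty text (an empty trailer does not count).
has_justification() {
    printf '%s\n' "$1" | grep -q "^${JUSTIFY_TRAILER}[[:space:]]*[^[:space:]]"
}

# check_commit ID MESSAGE FILES: exit 0 if the commit is acceptable, 1 if it
# touches certification-relevant paths without a justification.
check_commit() {
    commit=$1
    message=$2
    files=$3
    hits=$(cert_paths_in "$files") || return 0   # nothing relevant touched
    if has_justification "$message"; then
        return 0
    fi
    printf 'ERROR: %s changes certification-relevant files without "%s":\n%s\n' \
        "$commit" "$JUSTIFY_TRAILER" "$hits" >&2
    return 1
}

# check_git_range RANGE: run check_commit over every commit in a git range,
# e.g. "BASE_TAG..HEAD" (placeholder). Uses only standard git commands; the
# non-zero exit status lets a packaging rule abort the build.
check_git_range() {
    status=0
    for c in $(git rev-list --reverse "$1"); do
        check_commit "$c" "$(git log -1 --format=%B "$c")" \
            "$(git diff-tree --no-commit-id --name-only -r "$c")" || status=1
    done
    return $status
}

# Constructed sample commits (not real kernel history) for a stand-alone run:
# one unrelated change, one justified crypto change, one unjustified one.
demo() {
    failures=0
    check_commit c0ffee01 "UBUNTU: SAUCE: e1000e: fix link flap" \
        "drivers/net/ethernet/intel/e1000e/netdev.c" || failures=$((failures + 1))
    check_commit c0ffee02 "crypto: aes - tidy comments
Cert-Justification: comment-only change, no effect on the FIPS boundary" \
        "crypto/aes_generic.c" || failures=$((failures + 1))
    check_commit c0ffee03 "crypto: sha256 - use new helper" \
        "crypto/sha256_generic.c
include/crypto/sha.h" || failures=$((failures + 1))
    echo "demo: $failures commit(s) need a justification"
    return 0
}
demo
```

In a real packaging rule the call would be `check_git_range BASE..HEAD` and its exit status would decide whether preparation continues; the demo only reports, so the script can be read end to end without failing on the constructed sample. Note that the check keys on touched paths, not on file content, so it errs on the side of asking for a justification for anything under the watched prefixes, which matches the intent of forcing a human decision to be recorded.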