Message ID | 20230831160511.495067-1-magali.lemes@canonical.com |
---|---|
Series | UBUNTU: [Packaging] Check for relevant changes for security certifications |
On 31/08/2023 18:05, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when any of the files
> specified by `crypto_files` is changed.
>
> [Where problems could occur]
>
> No kernels should be affected unless we enable this check by setting
> `do_fips_checks` to true. In the generic Jammy kernel, `do_fips_checks` is
> already set to false in `debian/rules.d/0-common-vars.mk`. Even if the variable
> is set to true, that only affects the kernel preparation and not the
> resulting kernel.
>
> Marcelo Henrique Cerri (1):
> UBUNTU: [Packaging] Add a new fips-checks script
>
> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
> 1 file changed, 138 insertions(+)
> create mode 100755 debian/scripts/misc/fips-checks
>

LGTM, but what about lunar?

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
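The gate the cover letter describes, as an added example that is not Ubuntu's `debian/scripts/misc/fips-checks`: a commit range is scanned and every commit that touches a certification-relevant file must carry a justification trailer, otherwise the packaging step aborts. The `crypto_files` list, the `tag_prefix` value and the git log format are assumptions, and the sample log is constructed.

```shell
# Added example (not Ubuntu's debian/scripts/misc/fips-checks): gate a commit
# range so that every commit touching certification-relevant files carries a
# justification trailer. Names below are assumptions, not the real script's.
crypto_files="crypto/ arch/x86/crypto/ lib/crypto/ include/crypto/"  # assumed list
tag_prefix="Justification:"                                         # assumed trailer

# Reads `git log --format='COMMIT %H%n%B%nENDMSG' --name-only <range>` on stdin.
# Prints the hash of every offending commit; exit status 1 if any, else 0.
fips_check() {
    awk -v files="$crypto_files" -v tag="$tag_prefix" '
    BEGIN { n = split(files, pref, " ") }
    function flush() {
        if (hash != "" && touched && !justified) { print hash; bad++ }
        hash = ""; touched = 0; justified = 0; inmsg = 0
    }
    /^COMMIT / { flush(); hash = $2; inmsg = 1; next }   # new commit header
    /^ENDMSG$/ { inmsg = 0; next }                       # message ends, paths follow
    inmsg && index($0, tag) == 1 { justified = 1; next } # trailer found in body
    !inmsg && NF { for (i = 1; i <= n; i++) if (index($0, pref[i]) == 1) touched = 1 }
    END { flush(); exit (bad ? 1 : 0) }'
}

# Constructed sample log (three fake commits) so the check runs offline.
sample_log() {
    cat <<'EOF'
COMMIT 1111111
UBUNTU: SAUCE: fix aesni key expansion

Justification: upstream fix, reviewed against the FIPS module boundary
ENDMSG

arch/x86/crypto/aesni-intel_glue.c

COMMIT 2222222
net: tidy up a comment
ENDMSG

net/core/dev.c

COMMIT 3333333
crypto: sha256 - use the new helper
ENDMSG

crypto/sha256_generic.c
lib/crypto/sha256.c
EOF
}

# In a packaging hook: git log --format='COMMIT %H%n%B%nENDMSG' --name-only "$base..HEAD" | fips_check
sample_log | fips_check || echo "abort: commits above touch crypto files without '$tag_prefix'"
```

Only commit 3333333 is reported: it changes files under `crypto/` and `lib/crypto/` with no trailer, while 1111111 is justified and 2222222 touches nothing in the list.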
On 8/31/23 10:05 AM, Magali Lemes wrote:
> [...]

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 01/09/2023 05:32, Roxana Nicolescu wrote:
>
> On 31/08/2023 18:05, Magali Lemes wrote:
>> [...]
>
> LGTM, but what about lunar?

We only have FIPS kernels based on LTS kernels. I sent this to Mantic too so that the next LTS kernel carries this script.

> Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
The way `tag_prefix` is defined does not take into account 1st order derivatives. I will send a v2 fixing this.

On 31/08/2023 13:05, Magali Lemes wrote:
> [...]