From patchwork Tue Mar 26 18:52:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Magali Lemes X-Patchwork-Id: 1916327
From: Magali Lemes To: kernel-team@lists.ubuntu.com Subject: [SRU][Noble][PATCH 1/1] UBUNTU: [Packaging] Remove fips-checks script Date: Tue, 26 Mar 2024 15:52:41 -0300 Message-ID: <20240326185335.44175-5-magali.lemes@canonical.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240326185335.44175-1-magali.lemes@canonical.com> References: <20240326185335.44175-1-magali.lemes@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/2055083 This script is now part of `cranky` and there is no need for it to live in debian/ anymore, so remove it. Signed-off-by: Magali Lemes --- debian/rules.d/0-common-vars.mk | 3 - debian/rules.d/1-maintainer.mk | 3 - debian/scripts/misc/fips-checks | 139 -------------------------------- 3 files changed, 145 deletions(-) delete mode 100755 debian/scripts/misc/fips-checks diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk index 2f032cfc3d59..5cd38f6f1b6c 100644 --- a/debian/rules.d/0-common-vars.mk +++ b/debian/rules.d/0-common-vars.mk @@ -152,9 +152,6 @@ do_flavour_header_package=true # DTBs do_dtbs=false -# FIPS check -do_fips_checks=false - # ZSTD compressed kernel modules do_zstd_ko=true ifeq ($(series),jammy) diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk index c01db7582f1d..82b035b625fe 100644 --- a/debian/rules.d/1-maintainer.mk +++ b/debian/rules.d/1-maintainer.mk @@ -121,9 +121,6 @@ autoreconstruct: .PHONY: finalchecks finalchecks: debian/control -ifeq ($(do_fips_checks),true) - $(DROOT)/scripts/misc/fips-checks -endif $(DROOT)/scripts/checks/final-checks "$(DEBIAN)" "$(prev_fullver)" $(do_skip_checks) .PHONY: compileselftests 
diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks deleted file mode 100755 index 6d5fb3847908..000000000000 --- a/debian/scripts/misc/fips-checks +++ /dev/null 
@@ -1,139 +0,0 @@ -#!/bin/bash -eu -export LC_ALL=C.UTF-8 - -usage() { - cat << EOF -Usage: ${P:-$(basename "$0")} [-h|--help] - -Check if there are any FIPS relevant changes since the last -release. Any change that is identified should have a justification in -the justifications file or the check will fail. - -Optional arguments: - -h, --help Show this help message and exit. - -p, --previous Version to use as the previous base version. - -c, --current Version to use as the current base version. - -EOF -} - -prev_base_version= -curr_base_version= -crypto_files=( crypto arch/x86/crypto drivers/char/random.c arch/s390/crypto arch/arm64/crypto lib/crypto/sha1.c lib/crypto/aes.c ) - -c_red='\033[0;31m' -c_green='\033[0;32m' -c_off='\033[0m' - -# Parse arguments -while [ "$#" -gt 0 ]; do - case "$1" in - -h|--help) - usage - exit 0 - ;; - -p|--previous) - shift - prev_base_version="$1" - ;; - -c|--current) - shift - curr_base_version="$1" - ;; - *) - usage - exit 1 - ;; - esac - shift -done - -DEBIAN= -# shellcheck disable=SC1091 -. debian/debian.env - -# Check if the "$DEBIAN" directory exists. -if [ ! -d "$DEBIAN" ]; then - echo "You must run this script from the top directory of this repository." - exit 1 -fi - -CONF="$DEBIAN/etc/update.conf" -if [ ! -f "$CONF" ]; then - echo "Missing file: $CONF" - exit 1 -fi -# shellcheck disable=SC1090 -. "$CONF" - -if [ "$DEBIAN_MASTER" = "" ]; then - echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" - exit 1 -fi - -# Find the base kernel version used by the previous version -if [ -z "$prev_base_version" ]; then - offset=1 - # Loop through each entry of the current changelog, searching for an - # entry that refers to the master version used as base (ie a line - # containing "[ Ubuntu: 4.15.0-39.42 ]"): - while true; do - changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") - if ! 
[ "$changes" ]; then - echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" - exit 1 - fi - prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') - [ "$prev_base_version" ] && break - offset=$(( offset + 1 )) - done - if [ -z "${prev_base_version}" ]; then - echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" - exit 1 - fi -fi - -# Find the current base kernel version -if [ -z "$curr_base_version" ]; then - curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) - if ! [ "$curr_base_version" ]; then - echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" - exit 1 - fi -fi - -# Check base kernel tags -package=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SSource) -tag_prefix="Ubuntu${package#linux}-" -prev_tag="${tag_prefix}${prev_base_version}" -curr_tag="${tag_prefix}${curr_base_version}" -for tag in "$prev_tag" "$curr_tag"; do - if ! git rev-parse --verify "$tag" &> /dev/null; then - echo "Missing tag \"$tag\". Please fetch tags from base kernel." - exit 1 - fi -done - -# Check all the changes -fails=0 -justifications_file="$DEBIAN/fips.justifications" -justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) -while read -r id; do - short_msg=$(git log --format=%s --max-count=1 "$id") - if echo "$justifications" | grep -q -x -F "$short_msg"; then - echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" - continue - fi - echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" - fails=$(( fails + 1 )) -done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") - -echo -if [ "$fails" -gt 0 ]; then - echo "FIPS relevant changes were found without justification: ${fails} change(s)." - echo "Please, check the commits above and update the file \"${justifications_file}\"." - exit 1 -fi - -echo "Check completed without errors." -exit 0
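Review bot: In debian/rules.d/1-maintainer.mk the `finalchecks` target loses its FIPS gate, and debian/rules.d/0-common-vars.mk drops the `do_fips_checks=false` default with it, so a flavour or derivative rules file that still sets `do_fips_checks=true` would now be ignored silently instead of running the check or failing. The commit message says the script is part of `cranky` but not which command replaces it or whether it runs automatically in the release flow. Please name the replacement in the commit message, and remove any remaining `do_fips_checks` assignments in the same series so a stale setting cannot give the impression that the check still runs at build time.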
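Review bot: In the deleted debian/scripts/misc/fips-checks, the check is driven by in-tree data that this patch does not touch: the `$DEBIAN/fips.justifications` file and the `crypto_files` path list (crypto, the x86, s390 and arm64 arch crypto directories, drivers/char/random.c, lib/crypto/sha1.c and lib/crypto/aes.c). The diffstat lists three files only, so please confirm that the `cranky` version still reads the justifications file from the tree and covers the same paths, and that it keeps the non-zero exit when `fails` is greater than 0. If the justifications file is no longer consumed from the tree, it should be removed alongside the script.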