From patchwork Tue Mar 26 18:52:39 2024
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1916326
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/1] UBUNTU: [Packaging] Remove fips-checks script
Date: Tue, 26 Mar 2024 15:52:39 -0300
Message-ID: <20240326185335.44175-3-magali.lemes@canonical.com>
In-Reply-To: <20240326185335.44175-1-magali.lemes@canonical.com>
References: <20240326185335.44175-1-magali.lemes@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/2055083

This script is now part of `cranky` and there is no need for it to live in debian/ anymore, so remove it.

Signed-off-by: Magali Lemes

--- debian/rules.d/0-common-vars.mk | 3 - debian/rules.d/1-maintainer.mk | 3 - debian/scripts/misc/fips-checks | 139 -------------------------------- 3 files changed, 145 deletions(-) delete mode 100755 debian/scripts/misc/fips-checks diff --git a/debian/rules.d/0-common-vars.mk b/debian/rules.d/0-common-vars.mk index 1017a9836230..5d3982f87462 100644 --- a/debian/rules.d/0-common-vars.mk +++ b/debian/rules.d/0-common-vars.mk @@ -220,9 +220,6 @@ do_flavour_header_package=true # DTBs do_dtbs=false -# FIPS check -do_fips_checks=false - # Support parallel= in DEB_BUILD_OPTIONS (see #209008) # # These 2 environment variables set the -j value of the kernel build. For example, diff --git a/debian/rules.d/1-maintainer.mk b/debian/rules.d/1-maintainer.mk index 16eb8819c43c..67520312f045 100644 --- a/debian/rules.d/1-maintainer.mk +++ b/debian/rules.d/1-maintainer.mk @@ -146,9 +146,6 @@ autoreconstruct: fi finalchecks: debian/control -ifeq ($(do_fips_checks),true) - $(DROOT)/scripts/misc/fips-checks -endif $(DROOT)/scripts/misc/final-checks "$(DEBIAN)" "$(prev_fullver)" diffupstream: 
diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks deleted file mode 100755 index df15b9603cf0..000000000000 --- a/debian/scripts/misc/fips-checks +++ /dev/null 
@@ -1,139 +0,0 @@ -#!/bin/bash -eu -export LC_ALL=C.UTF-8 - -usage() { - cat << EOF -Usage: ${P:-$(basename "$0")} [-h|--help] - -Check if there are any FIPS relevant changes since the last -release. Any change that is identified should have a justification in -the justifications file or the check will fail. - -Optional arguments: - -h, --help Show this help message and exit. - -p, --previous Version to use as the previous base version. - -c, --current Version to use as the current base version. - -EOF -} - -prev_base_version= -curr_base_version= -crypto_files=( crypto arch/x86/crypto drivers/char/random.c arch/s390/crypto arch/arm64/crypto lib/sha1.c lib/crypto/aes.c ) - -c_red='\033[0;31m' -c_green='\033[0;32m' -c_off='\033[0m' - -# Parse arguments -while [ "$#" -gt 0 ]; do - case "$1" in - -h|--help) - usage - exit 0 - ;; - -p|--previous) - shift - prev_base_version="$1" - ;; - -c|--current) - shift - curr_base_version="$1" - ;; - *) - usage - exit 1 - ;; - esac - shift -done - -DEBIAN= -# shellcheck disable=SC1091 -. debian/debian.env - -# Check if the "$DEBIAN" directory exists. -if [ ! -d "$DEBIAN" ]; then - echo "You must run this script from the top directory of this repository." - exit 1 -fi - -CONF="$DEBIAN/etc/update.conf" -if [ ! -f "$CONF" ]; then - echo "Missing file: $CONF" - exit 1 -fi -# shellcheck disable=SC1090 -. "$CONF" - -if [ "$DEBIAN_MASTER" = "" ]; then - echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" - exit 1 -fi - -# Find the base kernel version used by the previous version -if [ -z "$prev_base_version" ]; then - offset=1 - # Loop through each entry of the current changelog, searching for an - # entry that refers to the master version used as base (ie a line - # containing "[ Ubuntu: 4.15.0-39.42 ]"): - while true; do - changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") - if ! 
[ "$changes" ]; then - echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" - exit 1 - fi - prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') - [ "$prev_base_version" ] && break - offset=$(( offset + 1 )) - done - if [ -z "${prev_base_version}" ]; then - echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" - exit 1 - fi -fi - -# Find the current base kernel version -if [ -z "$curr_base_version" ]; then - curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) - if ! [ "$curr_base_version" ]; then - echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" - exit 1 - fi -fi - -# Check base kernel tags -package=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SSource) -tag_prefix="Ubuntu${package#linux}-" -prev_tag="${tag_prefix}${prev_base_version}" -curr_tag="${tag_prefix}${curr_base_version}" -for tag in "$prev_tag" "$curr_tag"; do - if ! git rev-parse --verify "$tag" &> /dev/null; then - echo "Missing tag \"$tag\". Please fetch tags from base kernel." - exit 1 - fi -done - -# Check all the changes -fails=0 -justifications_file="$DEBIAN/fips.justifications" -justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) -while read -r id; do - short_msg=$(git log --format=%s --max-count=1 "$id") - if echo "$justifications" | grep -q -x -F "$short_msg"; then - echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" - continue - fi - echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" - fails=$(( fails + 1 )) -done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") - -echo -if [ "$fails" -gt 0 ]; then - echo "FIPS relevant changes were found without justification: ${fails} change(s)." - echo "Please, check the commits above and update the file \"${justifications_file}\"." - exit 1 -fi - -echo "Check completed without errors." -exit 0
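
Review bot: in the debian/rules.d/0-common-vars.mk hunk the `do_fips_checks=false` default is dropped, so any rules file or derivative that still assigns `do_fips_checks=true` will be accepted silently and have no effect. Please grep the tree and the FIPS derivatives this is applied to for remaining assignments and remove them in the same patch, or state in the commit message that none exist.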
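
Review bot: in the `finalchecks` target of debian/rules.d/1-maintainer.mk, dropping the `ifeq ($(do_fips_checks),true)` block means the packaging step itself no longer fails on unjustified crypto changes; enforcement now depends on the cranky copy being run. The commit message should name the cranky step that takes over, so it is clear the check stays mandatory for FIPS kernels and is not merely available.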
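
Review bot: the deleted debian/scripts/misc/fips-checks is the only consumer of `$DEBIAN/fips.justifications` visible in this patch, and the patch leaves that file's status unstated. Please say in the commit message whether cranky still reads it from the same path, or remove it as well. Since the logic is being rehomed, it is also worth recording that the match is on the commit subject only (`grep -q -x -F "$short_msg"`), so one justification line covers every commit under `crypto_files` that shares that subject; keying on the commit id would be stricter.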