[Bug 1831942] Please test proposed package
Robie Basak
1831942 at bugs.launchpad.net
Wed Jun 12 09:44:58 UTC 2019
Hello Andy, or anyone else affected,
Accepted u-boot into xenial-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/u-boot/2016.01+dfsg1-2ubuntu5 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, details of your
testing will help us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to u-boot in Ubuntu.
https://bugs.launchpad.net/bugs/1831942
Title:
support u-boot Flat Image Tree (FIT) signing support
Status in Launchpad itself:
In Progress
Status in u-boot package in Ubuntu:
Fix Released
Status in u-boot source package in Xenial:
Fix Committed
Status in u-boot source package in Bionic:
Fix Committed
Status in u-boot source package in Cosmic:
Fix Committed
Status in u-boot source package in Disco:
Fix Committed
Status in u-boot source package in Eoan:
Fix Released
Bug description:
[Impact] the existing mkimage/dumpimage tools are unable to make or
dump out the contents of a u-boot FIT image.
[Test Case] run mkimage with no arguments, note that FIT images and
signing are shown as disabled. Install the updated version and note
that FIT images and signing are now shown as enabled. Run the
attached TEST-FIT script which will put together a sample image,
generate some keys, and sign the resulting image contents. You will
see "kernel.img: Device Tree Blob version 17,..." if the image is
created and you will see dumpimage output showing it is not yet signed
(Sign value: unavailable). The signatures will then be applied and
the image redumped and you will see it is now signed (Sign value:
<hex>).
[Regression Potential] though this changes the u-boot boot loader
package, only the build of the u-boot-utils package contents is
modified. This primarily enabled FIT_SIGNATURE support in the
configuration before building those tools. The majority of the tools
we ship do not have configuration support even and so should not be
affected. mkimage et al are not normally used during a
kernel/bootloader update and so the risk to a pre-installed system
should be low. There is slightly higher risk in the xenial changes as
the enablement has enabled some additional tool builds, but none of
those are shipped in the resulting binaries.
===
We need a mechanism for securely signing Flat Image Tree binaries.
This will be performed in a similar manner to UEFI signing support via
a custom binary upload to launchpad. We will also need a u-boot
update to enable image creation and signing support in mkimage.
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1831942/+subscriptions
More information about the foundations-bugs
mailing list