[SRU Bionic] LP#1764794/LP#1696154 -- signing updates

Andy Whitcroft apw at canonical.com
Thu Apr 19 15:41:58 UTC 2018

This late breaking update brings a couple of long planned changes.
Firstly a move to 'always signed' kernels in /boot[1].  This aims to
make it much harder for the kernel to become unbootable in the face
of bootloader enforced signing.  Where signing is not enforced or even
supported the signatures are benign extra data on the kernel image and so
should be safe.  Secondly it brings signing for Opal kernels on ppc64el[2],
this is also always applied for kernels for that platform.

It should be noted this carries a new package split, linux-image
and linux-image-extra become linux-image, linux-modules, and
linux-modules-extra.  As well as boot testing such kernels I have also
extracted these combinations from before and after the change and
compare the overall file lists to confirm all of the contents have
landed somewhere.

As a bonus this patch set brings a new foundation of control-scripts which
almost completely eliminate the multiple initramfs rebuild on install and
the rebuild and delete on uninstall of a kernel.  Which would otherwise
be made worse by this additional split.

I have compared the binaries as installed from the old and new layouts.

Pull request below[3].

Proposing for application to bionic before release if at all possible.


[1] https://bugs.launchpad.net/bugs/1764794
[2] https://bugs.launchpad.net/bugs/1696154

[3] The following changes since commit 62b0412eb2eebe6d49cec95be7f3c00dbc0de7c7:

  UBUNTU: Ubuntu-4.15.0-17.18 (2018-04-16 14:48:29 -0500)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/dkms dkms-signing/signed-only

for you to fetch changes up to 92a9d4d844262c9dd7ec45dfa4dcd854c76a55ec:

  UBUNTU: [Packaging] printenv -- add signing options (2018-04-17 19:47:20 +0100)

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

More information about the kernel-team mailing list