ACK: [SRU Bionic] LP#1764794/LP#1696154 -- signing updates

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Thu Apr 19 15:53:52 UTC 2018


On Thu, Apr 19, 2018 at 04:41:58PM +0100, Andy Whitcroft wrote:
> This late breaking update brings a couple of long planned changes.
> Firstly a move to 'always signed' kernels in /boot[1].  This aims to
> make it much harder for the kernel to become unbootable in the face
> of bootloader enforced signing.  Where signing is not enforced or even
> supported the signatures are benign extra data on the kernel image and so
> should be safe.  Secondly it brings signing for Opal kernels on ppc64el[2];
> this is also always applied for kernels for that platform.
> 
> It should be noted this carries a new package split, linux-image
> and linux-image-extra become linux-image, linux-modules, and
> linux-modules-extra.  As well as boot testing such kernels I have also
> extracted these combinations from before and after the change and
> compared the overall file lists to confirm all of the contents have
> landed somewhere.
> 
> As a bonus this patch set brings a new foundation of control-scripts which
> almost completely eliminate the multiple initramfs rebuild on install and
> the rebuild and delete on uninstall of a kernel.  Which would otherwise
> be made worse by this additional split.
> 
> I have compared the binaries as installed from the old and new layouts.
> 
> Pull request below[3].
> 
> Proposing for application to bionic before release if at all possible.
> 
> -apw
> 
> [1] https://bugs.launchpad.net/bugs/1764794
> [2] https://bugs.launchpad.net/bugs/1696154
> 
> [3] The following changes since commit 62b0412eb2eebe6d49cec95be7f3c00dbc0de7c7:
> 
>   UBUNTU: Ubuntu-4.15.0-17.18 (2018-04-16 14:48:29 -0500)
> 
> are available in the Git repository at:
> 
>   git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/dkms dkms-signing/signed-only
> 
> for you to fetch changes up to 92a9d4d844262c9dd7ec45dfa4dcd854c76a55ec:
> 
>   UBUNTU: [Packaging] printenv -- add signing options (2018-04-17 19:47:20 +0100)
> 
> ----------------------------------------------------------------
>   * signing: only install a signed kernel (LP: #1764794)
>     - [Packaging] update to Debian like control scripts
>     - [Packaging] switch to triggers for postinst.d postrm.d handling
>     - [Packaging] signing -- switch to raw-signing tarballs
>     - [Packaging] signing -- switch to linux-image as signed when available
>     - [Config] signing -- enable Opal signing for ppc64el
>     - [Packaging] printenv -- add signing options
> 
>   * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
>     - [Packaging] signing -- add support for signing Opal kernel binaries

I like the improvements on initramfs generation. I might even investigate the
use of triggers on kdump (I had investigated this, in fact, but needed the
support added here).

I wish this had come earlier. But will take that it was not possible for
whatever reasons.

Acked-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
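Since the change above makes a signature always present on the kernel in /boot, one check an operator may want is whether an installed image actually carries one. The Python below is an added example, not code from the pull request or from the kernel packaging; it assumes the EFI-stub (PE/COFF) image format used on amd64 and arm64, where the Authenticode signature sits in the certificate-table data directory, and does not cover the separate Opal signing format for ppc64el. It parses the header, reports unsigned, signed or corrupt, and builds a constructed stub image to exercise itself.

```python
import struct
_DATA_DIR_BASE = {0x10B: 96, 0x20B: 112}   # data directory offset: PE32, PE32+
_CERT_TABLE = 4                            # IMAGE_DIRECTORY_ENTRY_SECURITY
_PKCS7 = 0x0002                            # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def authenticode_signature(image: bytes):
    """(file_offset, size) of the certificate table, None if unsigned; raises if malformed."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off, = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt_off = pe_off + 24                    # skip PE signature (4) and COFF header (20)
    magic, = struct.unpack_from("<H", image, opt_off)
    base = _DATA_DIR_BASE[magic]             # KeyError for anything not PE32/PE32+
    n_dirs, = struct.unpack_from("<I", image, opt_off + base - 4)   # NumberOfRvaAndSizes
    if n_dirs <= _CERT_TABLE:
        return None
    off, size = struct.unpack_from("<II", image, opt_off + base + 8 * _CERT_TABLE)
    if off == 0 or size == 0:
        return None                          # entry present but empty: unsigned
    # This entry is a raw file offset, not an RVA: bounds-check it, then require a
    # WIN_CERTIFICATE header of the PKCS#7 type that Authenticode uses.
    if size < 8 or off + size > len(image):
        raise ValueError("certificate table points outside the image")
    length, _rev, ctype = struct.unpack_from("<IHH", image, off)
    if ctype != _PKCS7 or length > size:
        raise ValueError("malformed WIN_CERTIFICATE header")
    return off, size

def describe(image: bytes) -> str:
    try:
        sig = authenticode_signature(image)
    except (ValueError, KeyError, struct.error) as exc:   # truncated or non-PE input
        return "corrupt: %r" % exc
    return "unsigned" if sig is None else "signed (%d-byte certificate table)" % sig[1]

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ stub (not a real kernel) that exercises the check."""
    pe_off, opt = 0x40, bytearray(112 + 16 * 8)          # 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    image = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off) + b"PE\0\0" + coff + opt)
    if signed:
        blob = b"constructed placeholder, not a real PKCS#7 blob"
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, _PKCS7) + blob
        struct.pack_into("<II", image, pe_off + 24 + 112 + 8 * _CERT_TABLE, len(image), len(cert))
        image += cert
    return bytes(image)
```

To check a real image, pass the contents of /boot/vmlinuz-<version> to describe(); finding a certificate table only shows a signature is present, it does not verify it against the enrolled keys the way the firmware or shim does at boot.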
