ACK / APPLIED: [SRU Bionic] LP#1764794/LP#1696154 -- signing updates

Seth Forshee seth.forshee at canonical.com
Thu Apr 19 16:19:08 UTC 2018


On Thu, Apr 19, 2018 at 04:41:58PM +0100, Andy Whitcroft wrote:
> This late breaking update brings a couple of long planned changes.
> Firstly a move to 'always signed' kernels in /boot[1].  This aims to
> make it much harder for the kernel to become unbootable in the face
> of bootloader-enforced signing.  Where signing is not enforced or even
> supported the signatures are benign extra data on the kernel image and so
> should be safe.  Secondly it brings signing for Opal kernels on ppc64el[2],
> this is also always applied for kernels for that platform.
> 
> It should be noted this carries a new package split, linux-image
> and linux-image-extra become linux-image, linux-modules, and
> linux-modules-extra.  As well as boot testing such kernels I have also
> extracted these combinations from before and after the change and
> compared the overall file lists to confirm all of the contents have
> landed somewhere.
> 
> As a bonus this patch set brings a new foundation of control-scripts which
> almost completely eliminate the multiple initramfs rebuild on install and
> the rebuild and delete on uninstall of a kernel.  Which would otherwise
> be made worse by this additional split.
> 
> I have compared the binaries as installed from the old and new layouts.
> 
> Pull request below[3].
> 
> Proposing for application to bionic before release if at all possible.

As Thadeu said, too bad we couldn't get this in earlier, but these are
some nice changes and critical for release.

Acked-by: Seth Forshee <seth.forshee at canonical.com>

Applied to bionic/master-next and unstable/master, thanks!



