ACK/cmnt: [trusty/xenial SRU] switch to a signed-only kernel and add buildinfo

Kleber Souza kleber.souza at canonical.com
Fri Feb 1 15:10:39 UTC 2019


On 1/31/19 4:31 PM, Andy Whitcroft wrote:
> We are working up to enforcing kernel signatures out of shim/grub
> by default and then we will rotate the EFI key.  The result of this
> additional enforcement will be to make it significantly more problematic
> on such systems if the signed kernel binary is not present.  Having this
> held on by a separate meta package has proven problematic as it tends to
> get pushed off most easily by apt.  In later series we have successfully
> migrated to a signed-only kernel image.  This is used in both EFI secure
> boot environments and unsigned alike; the signature being benign extra
> data at the end of the kernel image.
>
> All series bionic and later are already converted, this leaves trusty
> and xenial needing remediation.  Only kernels offering signed images
> need actual remediation.  I believe this is the following four kernels,
> there are other signed kernels in trusty and xenial but those are all
> based on later series and thus already remediated:
>
> 	xenial/linux
> 	trusty/linux-lts-xenial
> 	trusty/linux
> 	precise/linux-lts-trusty
>
> At the bottom of this email are the three pull requests each for
> xenial/linux and trusty/linux; a pull request for linux, linux-signed, and
> linux-meta for each.  For the primary kernel packages these carry two sets
> of changes, firstly a block of change against LP: #1764794[1] which is the
> conversion to signed-only kernels, and secondly a block of change against
> LP: #1806380[2] which brings the linux-buildinfo support to these kernels.
> The linux-signed and linux-meta changes only relate to signed-only changes.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794
> [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1806380

LP #1806380 was missing the nomination for Trusty and Xenial, so I fixed
that.

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

>
> I have decided to conflate these two together as both represent major
> upheaval in the primary packaging and as such will require exactly the
> same testing to validate.  It therefore seems reasonable to apply these
> at the same time and handle any fallout in one hit.
>
> I will prepare further pull requests for the trusty/linux-lts-xenial and
> precise/linux-lts-trusty kernels and submit those shortly.  The changes
> there should be much simpler in those as they share the primary packaging.
> Other derivatives should (in theory) be unaffected by the packaging changes
> as long as they do not support and enable signing in their configuration,
> other than the need to add the retpoline headers to any existing ABI
> information.  This will be familiar from application of the buildinfo
> changes to later series.
>
> I have done binary comparisons of the package contents for both xenial and
> trusty for the signed-only changes.  I am waiting on test builds with the
> additional buildinfo changes applied to recheck that has not regressed
> package contents.  I will reply to this thread with the results of that
> testing once the builders have ground through them.
>
> I understand that this is essentially unreviewable, and that this level
> of change is undesirable in kernels which are this old; in particular
> trusty/linux which is close to EOL.  We are forced to update that as it
> will enter ESM and so remains a problem from a key rotation perspective.
>
> -apw
>
>
> == xenial ==
> The following changes since commit be36fafc3373eb2825e64446652314d20f2d50a4:
>
>   UBUNTU: Ubuntu-4.4.0-142.168 (2019-01-16 17:35:07 +0100)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 3430730d22f337e5e2bf65caa04b5aacc0e345f4:
>
>   UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:07 +0000)
>
> ----------------------------------------------------------------
>   * linux-buildinfo: pull out ABI information into its own package
>     (LP: #1806380)
>     - [Packaging] limit preparation to linux-libc-dev in headers
>     - [Packaging] commonise debhelper invocation
>     - [Packaging] ABI -- accumulate abi information at the end of the build
>     - [Packaging] buildinfo -- add basic build information
>     - [Packaging] buildinfo -- add firmware information to the flavour ABI
>     - [Packaging] buildinfo -- add compiler information to the flavour ABI
>     - [Packaging] buildinfo -- add buildinfo support to getabis
>     - [Config] buildinfo -- add retpoline version markers
>     - [Packaging] getabis -- handle all known package combinations
>     - [Packaging] getabis -- support parsing a simple version
>
>   * signing: only install a signed kernel (LP: #1764794)
>     - [Packaging] update to Debian like control scripts
>     - [Packaging] switch to triggers for postinst.d postrm.d handling
>     - [Packaging] signing -- switch to raw-signing tarballs
>     - [Packaging] signing -- switch to linux-image as signed when available
>     - [Packaging] printenv -- add signing options
>     - [Packaging] fix invocation of header postinst hooks
>     - [Packaging] signing -- add support for signing Opal kernel binaries
>     - [Debian] Use src_pkg_name when constructing udeb control files
>     - [Debian] Dynamically determine linux udebs package name
>     - [Packaging] handle both linux-lts* and linux-hwe* as backports
>     - [Config] linux-source-* is in the primary linux namespace
>     - [Packaging] lookup the upstream tag
>     - [Packaging] zfs/spl -- enhance provides information
>     - [Packaging] switch up to debhelper 9
>     - [Packaging] autopkgtest -- disable d-i when dropping flavours
>     - [debian] support for ship_extras_package=false
>     - [Debian] do_common_tools should always be on
>     - [debian] do not force do_tools_common
>     - [Packaging] Add linux-tools-host package for VM host tools
>     - [Packaging] signing should be conditional
>     - [Packaging] skip cloud tools packaging when not building package
>     - [Packaging] add acpidbg
>     - [debian] prep linux-libc-dev only if do_libc_dev_package=true
>     - [Packaging] Only install cloud init files when do_tools_common=true
>
> ==
> The following changes since commit 11b5ad75179963c2b6b1a7e77bcf7b9193eaf91a:
>
>   UBUNTU: Ubuntu-4.4.0-140.166 (2018-11-13 17:01:33 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 4282090a9a52ea0a4bd6b9c1d29b5277e028ebda:
>
>   UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 14:03:37 +0000)
>
> ----------------------------------------------------------------
>   * Miscellaneous Ubuntu changes
>     - [Packaging] switch to signed-only forms
>     - [Packaging] match +signedN more accuratly
>     - [Packaging] download-signed -- fix downloader component and handle versions
>       correctly
>
> ==
> The following changes since commit 798ff6010873e6805dd4ac709c75f3458a4e3a67:
>
>   UBUNTU: Ubuntu-4.4.0.142.148 (2019-01-16 17:38:58 +0100)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to f10fee9896d6add0a641aec0406d989dc817c960:
>
>   UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:48:14 +0000)
>
> ----------------------------------------------------------------
>   * signing: only install a signed kernel (LP: #1764794)
>     - switch to signed-only binary packages
>     - convert linux-signed* into transitional packages
>
> == trusty ==
> The following changes since commit 5be6d2a55bd38acfe2f0558e62e73ed0b18c108e:
>
>   UBUNTU: Ubuntu-3.13.0-165.215 (2019-01-16 06:19:09 +0000)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 0a7d674e5d412d3fbc47ed7c942f6958d4b9f20c:
>
>   UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:35 +0000)
>
> ----------------------------------------------------------------
>   * linux-buildinfo: pull out ABI information into its own package
>     (LP: #1806380)
>     - [Packaging] limit preparation to linux-libc-dev in headers
>     - [Packaging] commonise debhelper invocation
>     - [Packaging] ABI -- accumulate abi information at the end of the build
>     - [Packaging] buildinfo -- add basic build information
>     - [Packaging] buildinfo -- add firmware information to the flavour ABI
>     - [Packaging] buildinfo -- add compiler information to the flavour ABI
>     - [Packaging] buildinfo -- add buildinfo support to getabis
>     - [Config] buildinfo -- add retpoline version markers
>     - [Packaging] getabis -- handle all known package combinations
>     - [Packaging] getabis -- support parsing a simple version
>
>   * signing: only install a signed kernel (LP: #1764794)
>     - [Debian] usbip tools packaging
>     - [Debian] Don't fail if a symlink already exists
>     - [Debian] perf -- build in the context of the full generated local headers
>     - [Debian] basic hook support
>     - [Debian] follow rename of DEB_BUILD_PROFILES
>     - [Debian] standardise on stage1 for the bootstrap stage in line with debian
>     - [Debian] set do_*_tools after stage1 or bootstrap is determined
>     - [Debian] initscripts need installing when making the package
>     - [Packaging] reconstruct -- automatically reconstruct against base tag
>     - [Debian] add feature interlock with mainline builds
>     - [Debian] Remove generated intermediate files on clean
>     - [Packaging] prevent linux-*-tools-common from being produced from non linux
>       packages
>     - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
>     - [Debian] Update to new signing key type and location
>     - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
>     - [Packaging] reconstruct -- update when inserting final changes
>     - [Packaging] update to Debian like control scripts
>     - [Packaging] switch to triggers for postinst.d postrm.d handling
>     - [Packaging] signing -- switch to raw-signing tarballs
>     - [Packaging] signing -- switch to linux-image as signed when available
>     - [Packaging] printenv -- add signing options
>     - [Packaging] fix invocation of header postinst hooks
>     - [Packaging] signing -- add support for signing Opal kernel binaries
>     - [Debian] Use src_pkg_name when constructing udeb control files
>     - [Debian] Dynamically determine linux udebs package name
>     - [Packaging] handle both linux-lts* and linux-hwe* as backports
>     - [Config] linux-source-* is in the primary linux namespace
>     - [Packaging] lookup the upstream tag
>     - [Packaging] switch up to debhelper 9
>     - [Packaging] autopkgtest -- disable d-i when dropping flavours
>     - [debian] support for ship_extras_package=false
>     - [Debian] do_common_tools should always be on
>     - [debian] do not force do_tools_common
>     - [Packaging] skip cloud tools packaging when not building package
>     - [debian] prep linux-libc-dev only if do_libc_dev_package=true
>
> ==
> The following changes since commit 669f2d81e893753c2b7225a22de8566075adefde:
>
>   UBUNTU: Ubuntu-3.13.0-164.214 (2018-12-05 01:53:17 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 2ba8b82fb9baa9ca55f5459e2de44f85dd6854ac:
>
>   UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 13:55:26 +0000)
>
> ----------------------------------------------------------------
>   * Miscellaneous Ubuntu changes
>     - [Packaging] switch to signed-only forms
>     - [Packaging] match +signedN more accuratly
>     - [Packaging] download-signed -- fix downloader component and handle versions
>       correctly
>
> ==
> The following changes since commit 789683deb4ef5ab4be409273029ae43890a2f9f9:
>
>   UBUNTU: Ubuntu-3.13.0.165.175 (2019-01-16 01:30:32 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 882794d2811e204c660598c005c784679e57218d:
>
>   UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:49:05 +0000)
>
> ----------------------------------------------------------------
>   * signing: only install a signed kernel (LP: #1764794)
>     - switch to signed-only binary packages
>     - convert linux-signed* into transitional packages
>
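As an added illustration (not part of this thread or of the Ubuntu packaging) of the point above that the EFI signature is benign extra data at the end of the kernel image: an x86 bzImage with an EFI stub is a PE/COFF file, and its Authenticode signature is referenced by the Certificate Table entry of the optional header, so a defender can check whether an installed image actually carries one. The sample-image builder below is constructed for demonstration only and produces headers, not a bootable kernel.

```python
import struct
import sys

def pe_signature_info(data: bytes):
    """Return (offset, size) of the Certificate Table (Authenticode signature)
    of a PE/COFF image, or None if the image carries no signature entry."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    opt_off = pe_off + 4 + 20            # skip PE signature and COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                   # PE32: data directories start at +96
        ndirs_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                 # PE32+: data directories start at +112
        ndirs_off, dd_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", data, ndirs_off)[0] < 5:
        return None                      # no Certificate Table entry at all
    # Directory index 4 is the Certificate Table; its offset is a raw file
    # offset (not an RVA), which is why the signature can trail the image.
    sig_off, sig_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    return None if sig_off == 0 or sig_size == 0 else (sig_off, sig_size)

def signed_image_status(data: bytes) -> str:
    """Classify an image: unsigned, signed-trailing, signed, or truncated."""
    info = pe_signature_info(data)
    if info is None:
        return "unsigned"
    off, size = info
    if off + size > len(data):
        return "truncated-signature"     # table points past end of file
    return "signed-trailing" if off + size == len(data) else "signed"

def build_sample_pe(signature: bytes) -> bytes:
    """Construct a minimal PE32+ image (headers only, hypothetical sample)
    whose Certificate Table points at `signature` appended at the end."""
    opt = bytearray(112 + 16 * 8)        # PE32+ header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16) # NumberOfRvaAndSizes
    header_len = 64 + 4 + 20 + len(opt)
    if signature:
        struct.pack_into("<II", opt, 112 + 4 * 8, header_len, len(signature))
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + signature

if __name__ == "__main__":               # e.g. python3 check.py /boot/vmlinuz
    with open(sys.argv[1], "rb") as f:
        print(signed_image_status(f.read()))
```

This only reports that a signature entry is present and where it sits; validating it against the shim/grub trust chain is a separate step (e.g. with sbverify).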
