ACK/cmnt: [trusty/xenial SRU] switch to a signed-only kernel and add buildinfo
Kleber Souza
kleber.souza at canonical.com
Fri Feb 1 15:10:39 UTC 2019
On 1/31/19 4:31 PM, Andy Whitcroft wrote:
> We are working up to enforcing kernel signatures out of shim/grub
> by default and then we will rotate the EFI key. The result of this
> additional enforcement will be to make it significantly more problematic
> on such systems if the signed kernel binary is not present. Having this
> held on by a separate meta package has proven problematic as it tends to
> get pushed off most easily by apt. In later series we have successfully
> migrated to a signed-only kernel image. This is used in both EFI secure
> boot environments and unsigned alike; the signature being benign extra
> data at the end of the kernel image.
>
> All series bionic and later are already converted, this leaves trusty
> and xenial needing remediation. Only kernels offering signed images
> need actual remediation. I believe this is the following four kernels,
> there are other signed kernels in trusty and xenial but those are all
> based on later series and thus already remediated:
>
> xenial/linux
> trusty/linux-lts-xenial
> trusty/linux
> precise/linux-lts-trusty
>
> At the bottom of this email are the three pull requests each for
> xenial/linux and trusty/linux; a pull request for linux, linux-signed, and
> linux-meta for each. For the primary kernel packages these carry two sets
> of changes, firstly a block of change against LP: #1764794[1] which is the
> conversion to signed-only kernels, and secondly a block of change against
> LP: #1806380[2] which brings the linux-buildinfo support to these kernels.
> The linux-signed and linux-meta changes only relate to signed-only changes.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794
> [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1806380

LP #1806380 was missing the nomination for Trusty and Xenial, so I fixed
that.

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

>
> I have decided to conflate these two together as both represent major
> upheaval in the primary packaging and as such will require exactly the
> same testing to validate. It therefore seems reasonable to apply these
> at the same time and handle any fallout in one hit.
>
> I will prepare further pull requests for the trusty/linux-lts-xenial and
> precise/linux-lts-trusty kernels and submit those shortly. The changes
> there should be much simpler in those as they share the primary packaging.
> Other derivatives should (in theory) be unaffected by the packaging changes
> as long as they do not support and enable signing in their configuration,
> other than the need to add the retpoline headers to any existing ABI
> information. This will be familiar from application of the buildinfo
> changes to later series.
>
> I have done binary comparisons of the package contents for both xenial and
> trusty for the signed-only changes. I am waiting on test builds with the
> additional buildinfo changes applied to recheck that has not regressed
> package contents. I will reply to this thread with the results of that
> testing once the builders have ground through them.
>
> I understand that this is essentially unreviewable, and that this level
> of change is undesirable in kernels which are this old; in particular
> trusty/linux which is close to EOL. We are forced to update that as it
> will enter ESM and so remains a problem from a key rotation perspective.
>
> -apw
>
>
> == xenial ==
> The following changes since commit be36fafc3373eb2825e64446652314d20f2d50a4:
>
> UBUNTU: Ubuntu-4.4.0-142.168 (2019-01-16 17:35:07 +0100)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 3430730d22f337e5e2bf65caa04b5aacc0e345f4:
>
> UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:07 +0000)
>
> ----------------------------------------------------------------
> * linux-buildinfo: pull out ABI information into its own package
> (LP: #1806380)
> - [Packaging] limit preparation to linux-libc-dev in headers
> - [Packaging] commonise debhelper invocation
> - [Packaging] ABI -- accumulate abi information at the end of the build
> - [Packaging] buildinfo -- add basic build information
> - [Packaging] buildinfo -- add firmware information to the flavour ABI
> - [Packaging] buildinfo -- add compiler information to the flavour ABI
> - [Packaging] buildinfo -- add buildinfo support to getabis
> - [Config] buildinfo -- add retpoline version markers
> - [Packaging] getabis -- handle all known package combinations
> - [Packaging] getabis -- support parsing a simple version
>
> * signing: only install a signed kernel (LP: #1764794)
> - [Packaging] update to Debian like control scripts
> - [Packaging] switch to triggers for postinst.d postrm.d handling
> - [Packaging] signing -- switch to raw-signing tarballs
> - [Packaging] signing -- switch to linux-image as signed when available
> - [Packaging] printenv -- add signing options
> - [Packaging] fix invocation of header postinst hooks
> - [Packaging] signing -- add support for signing Opal kernel binaries
> - [Debian] Use src_pkg_name when constructing udeb control files
> - [Debian] Dynamically determine linux udebs package name
> - [Packaging] handle both linux-lts* and linux-hwe* as backports
> - [Config] linux-source-* is in the primary linux namespace
> - [Packaging] lookup the upstream tag
> - [Packaging] zfs/spl -- enhance provides information
> - [Packaging] switch up to debhelper 9
> - [Packaging] autopkgtest -- disable d-i when dropping flavours
> - [debian] support for ship_extras_package=false
> - [Debian] do_common_tools should always be on
> - [debian] do not force do_tools_common
> - [Packaging] Add linux-tools-host package for VM host tools
> - [Packaging] signing should be conditional
> - [Packaging] skip cloud tools packaging when not building package
> - [Packaging] add acpidbg
> - [debian] prep linux-libc-dev only if do_libc_dev_package=true
> - [Packaging] Only install cloud init files when do_tools_common=true
>
> ==
> The following changes since commit 11b5ad75179963c2b6b1a7e77bcf7b9193eaf91a:
>
> UBUNTU: Ubuntu-4.4.0-140.166 (2018-11-13 17:01:33 -0500)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 4282090a9a52ea0a4bd6b9c1d29b5277e028ebda:
>
> UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 14:03:37 +0000)
>
> ----------------------------------------------------------------
> * Miscellaneous Ubuntu changes
> - [Packaging] switch to signed-only forms
> - [Packaging] match +signedN more accuratly
> - [Packaging] download-signed -- fix downloader component and handle versions
> correctly
>
> ==
> The following changes since commit 798ff6010873e6805dd4ac709c75f3458a4e3a67:
>
> UBUNTU: Ubuntu-4.4.0.142.148 (2019-01-16 17:38:58 +0100)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to f10fee9896d6add0a641aec0406d989dc817c960:
>
> UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:48:14 +0000)
>
> ----------------------------------------------------------------
> * signing: only install a signed kernel (LP: #1764794)
> - switch to signed-only binary packages
> - convert linux-signed* into transitional packages
>
> == trusty ==
> The following changes since commit 5be6d2a55bd38acfe2f0558e62e73ed0b18c108e:
>
> UBUNTU: Ubuntu-3.13.0-165.215 (2019-01-16 06:19:09 +0000)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 0a7d674e5d412d3fbc47ed7c942f6958d4b9f20c:
>
> UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:35 +0000)
>
> ----------------------------------------------------------------
> * linux-buildinfo: pull out ABI information into its own package
> (LP: #1806380)
> - [Packaging] limit preparation to linux-libc-dev in headers
> - [Packaging] commonise debhelper invocation
> - [Packaging] ABI -- accumulate abi information at the end of the build
> - [Packaging] buildinfo -- add basic build information
> - [Packaging] buildinfo -- add firmware information to the flavour ABI
> - [Packaging] buildinfo -- add compiler information to the flavour ABI
> - [Packaging] buildinfo -- add buildinfo support to getabis
> - [Config] buildinfo -- add retpoline version markers
> - [Packaging] getabis -- handle all known package combinations
> - [Packaging] getabis -- support parsing a simple version
>
> * signing: only install a signed kernel (LP: #1764794)
> - [Debian] usbip tools packaging
> - [Debian] Don't fail if a symlink already exists
> - [Debian] perf -- build in the context of the full generated local headers
> - [Debian] basic hook support
> - [Debian] follow rename of DEB_BUILD_PROFILES
> - [Debian] standardise on stage1 for the bootstrap stage in line with debian
> - [Debian] set do_*_tools after stage1 or bootstrap is determined
> - [Debian] initscripts need installing when making the package
> - [Packaging] reconstruct -- automatically reconstruct against base tag
> - [Debian] add feature interlock with mainline builds
> - [Debian] Remove generated intermediate files on clean
> - [Packaging] prevent linux-*-tools-common from being produced from non linux
> packages
> - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
> - [Debian] Update to new signing key type and location
> - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
> - [Packaging] reconstruct -- update when inserting final changes
> - [Packaging] update to Debian like control scripts
> - [Packaging] switch to triggers for postinst.d postrm.d handling
> - [Packaging] signing -- switch to raw-signing tarballs
> - [Packaging] signing -- switch to linux-image as signed when available
> - [Packaging] printenv -- add signing options
> - [Packaging] fix invocation of header postinst hooks
> - [Packaging] signing -- add support for signing Opal kernel binaries
> - [Debian] Use src_pkg_name when constructing udeb control files
> - [Debian] Dynamically determine linux udebs package name
> - [Packaging] handle both linux-lts* and linux-hwe* as backports
> - [Config] linux-source-* is in the primary linux namespace
> - [Packaging] lookup the upstream tag
> - [Packaging] switch up to debhelper 9
> - [Packaging] autopkgtest -- disable d-i when dropping flavours
> - [debian] support for ship_extras_package=false
> - [Debian] do_common_tools should always be on
> - [debian] do not force do_tools_common
> - [Packaging] skip cloud tools packaging when not building package
> - [debian] prep linux-libc-dev only if do_libc_dev_package=true
>
> ==
> The following changes since commit 669f2d81e893753c2b7225a22de8566075adefde:
>
> UBUNTU: Ubuntu-3.13.0-164.214 (2018-12-05 01:53:17 -0500)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 2ba8b82fb9baa9ca55f5459e2de44f85dd6854ac:
>
> UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 13:55:26 +0000)
>
> ----------------------------------------------------------------
> * Miscellaneous Ubuntu changes
> - [Packaging] switch to signed-only forms
> - [Packaging] match +signedN more accuratly
> - [Packaging] download-signed -- fix downloader component and handle versions
> correctly
>
> ==
> The following changes since commit 789683deb4ef5ab4be409273029ae43890a2f9f9:
>
> UBUNTU: Ubuntu-3.13.0.165.175 (2019-01-16 01:30:32 -0500)
>
> are available in the Git repository at:
>
> git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 882794d2811e204c660598c005c784679e57218d:
>
> UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:49:05 +0000)
>
> ----------------------------------------------------------------
> * signing: only install a signed kernel (LP: #1764794)
> - switch to signed-only binary packages
> - convert linux-signed* into transitional packages
>
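
The quoted message describes the signature on a signed-only kernel as extra data at the end of the image. As an added illustration (not code from this thread or from the Ubuntu packaging), and assuming an x86 EFI-stub kernel image, which is a PE/COFF file, the Python below locates the certificate table a signing tool appends and checks that it is purely trailing data. It does not validate the signature, and `build_sample` produces a constructed stand-in, not a real kernel.

```python
import struct

CERT_DIR = 4  # data-directory index of the PE Certificate Table

def cert_table(image):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    opt = pe + 24                                          # skip "PE\0\0" + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]            # PE32 / PE32+ directory start
    count = struct.unpack_from("<I", image, dirs - 4)[0]   # NumberOfRvaAndSizes
    off, size = struct.unpack_from("<II", image, dirs + 8 * CERT_DIR)
    if count <= CERT_DIR or size == 0:
        return None
    if off + size > len(image):
        raise ValueError("certificate table runs past end of file")
    return off, size  # for this directory the first field is a file offset, not an RVA

def signatures(image):
    """List (revision, type, length) of each WIN_CERTIFICATE entry in the table."""
    table, found = cert_table(image), []
    off, end = (table[0], sum(table)) if table else (0, 0)
    while off + 8 <= end:
        length, rev, ctype = struct.unpack_from("<IHH", image, off)
        if length < 8 or off + length > end:
            raise ValueError("corrupt WIN_CERTIFICATE entry")
        found.append((rev, ctype, length))
        off += (length + 7) & ~7                           # entries are 8-byte aligned
    return found

def signature_is_trailing(image):
    """True when the certificate table ends exactly at the end of the file."""
    table = cert_table(image)
    return table is not None and sum(table) == len(image)

def build_sample(signed):
    """Constructed minimal PE32+ header plus dummy payload; not a real kernel."""
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16) + bytes(128)
    img = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
                    + b"PE\0\0" + bytes(20) + opt + b"\x90" * 64)
    if signed:
        blob = b"constructed-pkcs7-placeholder"            # stands in for the PKCS#7 data
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        entry += bytes(-len(entry) % 8)
        struct.pack_into("<II", img, 0x40 + 24 + 112 + 8 * CERT_DIR, len(img), len(entry))
        img += entry
    return bytes(img)
```

On a real image, a tool such as `sbverify` is what actually checks the signature against a certificate; this parser only shows where the signature lives in the file.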