[trusty/xenial SRU] switch to a signed-only kernel and add buildinfo
Andy Whitcroft
apw at canonical.com
Thu Jan 31 15:31:28 UTC 2019
We are working up to enforcing kernel signatures out of shim/grub
by default and then we will rotate the EFI key. The result of this
additional enforcement will be to make it significantly more problematic
on such systems if the signed kernel binary is not present. Having this
held on by a separate meta package has proven problematic as it tends to
get pushed off most easily by apt. In later series we have successfully
migrated to a signed-only kernel image. This is used in both EFI secure
boot environments and unsigned alike; the signature being benign extra
data at the end of the kernel image.
All series bionic and later are already converted; this leaves trusty
and xenial needing remediation. Only kernels offering signed images
need actual remediation. I believe this is the following four kernels;
there are other signed kernels in trusty and xenial but those are all
based on later series and thus already remediated:
xenial/linux
trusty/linux-lts-xenial
trusty/linux
precise/linux-lts-trusty
At the bottom of this email are the three pull requests each for
xenial/linux and trusty/linux; a pull request for linux, linux-signed, and
linux-meta for each. For the primary kernel packages these carry two sets
of changes, firstly a block of change against LP: #1764794[1] which is the
conversion to signed-only kernels, and secondly a block of change against
LP: #1806380[2] which brings the linux-buildinfo support to these kernels.
The linux-signed and linux-meta changes only relate to signed-only changes.
[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1806380
I have decided to conflate these two together as both represent major
upheaval in the primary packaging and as such will require exactly the
same testing to validate. It therefore seems reasonable to apply these
at the same time and handle any fallout in one hit.
I will prepare further pull requests for the trusty/linux-lts-xenial and
precise/linux-lts-trusty kernels and submit those shortly. The changes
there should be much simpler in those as they share the primary packaging.
Other derivatives should (in theory) be unaffected by the packaging changes
as long as they do not support and enable signing in their configuration,
other than the need to add the retpoline headers to any existing ABI
information. This will be familiar from application of the buildinfo
changes to later series.
I have done binary comparisons of the package contents for both xenial and
trusty for the signed-only changes. I am waiting on test builds with the
additional buildinfo changes applied to recheck that has not regressed
package contents. I will reply to this thread with the results of that
testing once the builders have ground through them.
I understand that this is essentially unreviewable, and that this level
of change is undesirable in kernels which are this old; in particular
trusty/linux which is close to EOL. We are forced to update that as it
will enter ESM and so remains a problem from a key rotation perspective.
-apw
== xenial ==
The following changes since commit be36fafc3373eb2825e64446652314d20f2d50a4:
UBUNTU: Ubuntu-4.4.0-142.168 (2019-01-16 17:35:07 +0100)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/xenial signing-redux/buildinfo
for you to fetch changes up to 3430730d22f337e5e2bf65caa04b5aacc0e345f4:
UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:07 +0000)
----------------------------------------------------------------
* linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
* signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] zfs/spl -- enhance provides information
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] Add linux-tools-host package for VM host tools
- [Packaging] signing should be conditional
- [Packaging] skip cloud tools packaging when not building package
- [Packaging] add acpidbg
- [debian] prep linux-libc-dev only if do_libc_dev_package=true
- [Packaging] Only install cloud init files when do_tools_common=true
==
The following changes since commit 11b5ad75179963c2b6b1a7e77bcf7b9193eaf91a:
UBUNTU: Ubuntu-4.4.0-140.166 (2018-11-13 17:01:33 -0500)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/xenial signing-redux/buildinfo
for you to fetch changes up to 4282090a9a52ea0a4bd6b9c1d29b5277e028ebda:
UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 14:03:37 +0000)
----------------------------------------------------------------
* Miscellaneous Ubuntu changes
- [Packaging] switch to signed-only forms
- [Packaging] match +signedN more accurately
- [Packaging] download-signed -- fix downloader component and handle versions correctly
==
The following changes since commit 798ff6010873e6805dd4ac709c75f3458a4e3a67:
UBUNTU: Ubuntu-4.4.0.142.148 (2019-01-16 17:38:58 +0100)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo
for you to fetch changes up to f10fee9896d6add0a641aec0406d989dc817c960:
UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:48:14 +0000)
----------------------------------------------------------------
* signing: only install a signed kernel (LP: #1764794)
- switch to signed-only binary packages
- convert linux-signed* into transitional packages
== trusty ==
The following changes since commit 5be6d2a55bd38acfe2f0558e62e73ed0b18c108e:
UBUNTU: Ubuntu-3.13.0-165.215 (2019-01-16 06:19:09 +0000)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty signing-redux/buildinfo
for you to fetch changes up to 0a7d674e5d412d3fbc47ed7c942f6958d4b9f20c:
UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:35 +0000)
----------------------------------------------------------------
* linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
* signing: only install a signed kernel (LP: #1764794)
- [Debian] usbip tools packaging
- [Debian] Don't fail if a symlink already exists
- [Debian] perf -- build in the context of the full generated local headers
- [Debian] basic hook support
- [Debian] follow rename of DEB_BUILD_PROFILES
- [Debian] standardise on stage1 for the bootstrap stage in line with debian
- [Debian] set do_*_tools after stage1 or bootstrap is determined
- [Debian] initscripts need installing when making the package
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Debian] add feature interlock with mainline builds
- [Debian] Remove generated intermediate files on clean
- [Packaging] prevent linux-*-tools-common from being produced from non linux packages
- SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
- [Debian] Update to new signing key type and location
- [Packaging] autoreconstruct -- generate extend-diff-ignore for links
- [Packaging] reconstruct -- update when inserting final changes
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] skip cloud tools packaging when not building package
- [debian] prep linux-libc-dev only if do_libc_dev_package=true
==
The following changes since commit 669f2d81e893753c2b7225a22de8566075adefde:
UBUNTU: Ubuntu-3.13.0-164.214 (2018-12-05 01:53:17 -0500)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/trusty signing-redux/buildinfo
for you to fetch changes up to 2ba8b82fb9baa9ca55f5459e2de44f85dd6854ac:
UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 13:55:26 +0000)
----------------------------------------------------------------
* Miscellaneous Ubuntu changes
- [Packaging] switch to signed-only forms
- [Packaging] match +signedN more accurately
- [Packaging] download-signed -- fix downloader component and handle versions correctly
==
The following changes since commit 789683deb4ef5ab4be409273029ae43890a2f9f9:
UBUNTU: Ubuntu-3.13.0.165.175 (2019-01-16 01:30:32 -0500)
are available in the Git repository at:
git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo
for you to fetch changes up to 882794d2811e204c660598c005c784679e57218d:
UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:49:05 +0000)
----------------------------------------------------------------
* signing: only install a signed kernel (LP: #1764794)
- switch to signed-only binary packages
- convert linux-signed* into transitional packages
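As an added defender-side check (example code written for this post, not part of the kernel packaging or of the pull requests above): the signed-only image carries its signature as an Authenticode certificate table appended to the PE (EFI-stub) vmlinuz, so whether an installed kernel is actually the signed form can be read straight from the PE headers without any signing tooling. `build_sample_image` fabricates a minimal PE32+ file standing in for a kernel; on a real system you would pass the bytes of a /boot/vmlinuz-* file to `authenticode_signature`. This covers x86 PE kernels only; the Opal binaries mentioned in the change list use a different container.

```python
import struct

# Data directories start 96 bytes into a PE32 optional header, 112 into PE32+.
_DATADIR_OFFSET = {0x10B: 96, 0x20B: 112}
_SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def authenticode_signature(image: bytes):
    """Return (file offset, size) of the certificate table, or None if unsigned."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt_off = pe_off + 4 + 20                                   # skip the COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in _DATADIR_OFFSET:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = opt_off + _DATADIR_OFFSET[magic]
    ndirs = struct.unpack_from("<I", image, dirs - 4)[0]        # NumberOfRvaAndSizes
    if ndirs <= _SECURITY_DIR:
        return None
    offset, size = struct.unpack_from("<II", image, dirs + 8 * _SECURITY_DIR)
    if offset == 0 or size == 0:
        return None                                             # no signature embedded
    if offset + size > len(image):
        raise ValueError("certificate table points past the end of the image")
    return offset, size          # in a signed vmlinuz this table is appended at the end


def build_sample_image(signed: bool) -> bytes:
    """Constructed test data, not a real kernel: a minimal PE32+ image with
    placeholder code and, if signed, a WIN_CERTIFICATE appended at the end."""
    body = b"\x90" * 64
    opt = bytearray(112 + 16 * 8)                      # PE32+ header plus 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)              # Magic: PE32+
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    cert = b""
    if signed:
        blob = b"CONSTRUCTED-PKCS7-PLACEHOLDER"       # stands in for the real PKCS#7 blob
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob  # WIN_CERTIFICATE
        cert_off = 0x40 + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 112 + 8 * _SECURITY_DIR, cert_off, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + body + cert
```

Presence of the table only says a signature is embedded; checking that it validates against the certificates shim and grub trust is a separate step (for example with sbverify from sbsigntool).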