ACK/Cmnt: [SRU B/F/G V2] LP: #1898716 -- add direct support for the livepatching

Stefan Bader stefan.bader at canonical.com
Fri Feb 19 08:22:44 UTC 2021


On 18.02.21 17:17, Andy Whitcroft wrote:
> The current user-experience for Livepatch users is poor.  The livepatch
> modules we produce are signed separately from the kernel modules.
> This means that to enable livepatching of the kernel we have to enroll
> a certificate for the livepatch service; the enrollment of this key
> necessitates a reboot to EFI to acknowledge the key.
> 
> This patch set adds packaging infrastructure to support the addition
> of module signing certificates.  It then adds the Canonical Livepatch
> Signing key and the Canonical Kernel Module Signing key.  This both
> allows us to directly import appropriate livepatch modules, and externally
> signed driver modules.  As part of this we enable CONFIG_MODVERSIONS as
> recommended by the kernel documentation.
> 
> Following this email are three patch sets each consisting of 4 patches.
> There are individual patches 1/2 for each series, patches 3 and 4 are
> common to each series.
> 
> Proposing for bionic:linux, focal:linux, and groovy:linux.
> 
> -apw
> 
> V2: fix debian.master specific path names.
> 
Generally it seems to be sane and at some point we want this done. Right now I
am still a little torn between doing this in one cycle or only starting with G
and postponing the other 2 series till next cycle. Some of the pain might happen
once one starts to pull it into derivatives...

Acked-by: Stefan Bader <stefan.bader at canonical.com>
