[B, F, I][PATCH 0/2] LP:#1945989 - Check for changes relevant for security certifications

Marcelo Henrique Cerri marcelo.cerri at canonical.com
Mon Oct 4 13:35:45 UTC 2021


BugLink: https://bugs.launchpad.net/bugs/1945989

Targeting Bionic and Focal because we only need that in LTS versions
later than B. Targeting Impish too for future LTSes.

[Impact]

When producing a new version of some kernels, we need to check for
changes that might affect FIPS or other certs and justify why a commit
was kept or removed.

To simplify this process we can add an automated check that will abort
the kernel preparation and build when such changes exist without a
justification.

[Test Plan]

Check if the kernel preparation fails (cranky close) when one of the
security certification changes is added.

[Where problems could occur]

No kernels should be affected until we enable this check on each
one. Even when enabled, that only affects the kernel preparation and
not the resulting kernel.

---
Marcelo Henrique Cerri (2):
  UBUNTU: [Packaging] Add a new fips-checks script
  UBUNTU: [Packaging] Add fips-checks as part of finalchecks

 debian/rules.d/0-common-vars.mk |   3 +
 debian/rules.d/1-maintainer.mk  |   3 +
 debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
 3 files changed, 144 insertions(+)
 create mode 100755 debian/scripts/misc/fips-checks

-- 
2.25.1
