ACK/Cmnt: [B, F, I][PATCH 0/2] LP:#1945989 - Check for changes relevant for security certifications
Stefan Bader
stefan.bader at canonical.com
Tue Oct 5 07:50:46 UTC 2021
On 04.10.21 15:35, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> Targetting Bionic and Focal because we only need that in LTS versions
> later than B. Targetting Impish too for future LTSes.
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when one of a
> security certification changes is added.
>
> [Where problems could occur]
>
> No kernels should be affected until we enable this check on each
> one. Even when enabled, that only affects the kernel preparation and
> not the resulting kernel.
>
> ---
> Marcelo Henrique Cerri (2):
> UBUNTU: [Packaging] Add a new fips-checks script
> UBUNTU: [Packaging] Add fips-checks as part of finalchecks
>
> debian/rules.d/0-common-vars.mk | 3 +
> debian/rules.d/1-maintainer.mk | 3 +
> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
> 3 files changed, 144 insertions(+)
> create mode 100755 debian/scripts/misc/fips-checks
>
My concern would only be to be impacted on non-fips kernels which I cannot see.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20211005/06d59292/attachment.sig>
More information about the kernel-team
mailing list