[SRU][J/M][PATCH 0/1] UBUNTU: [Packaging] Check for relevant changes for security certifications
Magali Lemes
magali.lemes at canonical.com
Thu Aug 31 16:05:09 UTC 2023
BugLink: https://bugs.launchpad.net/bugs/1945989
[Impact]
When producing a new version of some kernels, we need to check for
changes that might affect FIPS or other certs and justify why a commit
was kept or removed.
To simplify this process we can add an automated check that will abort
the kernel preparation and build when such changes exist without a
justification.
[Test Plan]
Check if the kernel preparation fails (cranky close) when any of the files
specified by `crypto_files` is changed.
[Where problems could occur]
No kernels should be affected unless we enable this check by setting
`do_fips_checks` to true. In the generic Jammy kernel, `do_fips_checks` is
already set to false in `debian/rules.d/0-common-vars.mk`. Even if the variable
is set to true, that only affects the kernel preparation and not the
resulting kernel.
Marcelo Henrique Cerri (1):
UBUNTU: [Packaging] Add a new fips-checks script
debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
1 file changed, 138 insertions(+)
create mode 100755 debian/scripts/misc/fips-checks
--
2.34.1
More information about the kernel-team
mailing list