ACK: [unstable/linux-signed][PATCH] Remove arbitrary timestamp and filename from ARM64 signed linux-image
Agathe Porte
agathe.porte at canonical.com
Wed Dec 6 15:31:35 UTC 2023
2023-12-05 19:36 CET, Dimitri John Ledkov:
> BugLink: https://bugs.launchpad.net/bugs/2045684
>
> $ file /boot/vmlinuz-6.6.0-14-generic
> /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was
> "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1
> 18:54:57 2023, max compression, from Unix, original size modulo 2^32
> 56127880
>
> Note that the original filename and timestamp are encoded in the gzip
> content header, which is not reproducible and not roundtrip safe. This
> makes it difficult to do the gymnastics to convert from linux-unsigned,
> to linux-signed, to kernel.efi, and back, and preserve the same
> checksum or HMAC of the file, as needed by FIPS or just out of pure
> curiosity to confirm that the kernel image is the same across all
> image formats we ship.
>
> The fix is to use the -n (--no-name) option to gzip to compress the file
> without a filename or timestamp.
>
> $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
> /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max
> compression, from Unix, original size modulo 2^32 56127880
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> ---
> debian/rules | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/rules b/debian/rules
> index 01339d8348..236a1293d0 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -67,7 +67,7 @@ override_dh_auto_build:
> vars="$${base}.efi.vars"; \
> [ -f "$$vars" ] && . "./$$vars"; \
> if [ "$$GZIP" = "1" ]; then \
> - gzip -9 "$$s"; \
> + gzip -9 -n "$$s"; \
> mv "$${s}.gz" "$$s"; \
> fi; \
> ); \
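Review bot: Adding `-n` on the `gzip -9 "$$s"` line is the right fix for the FNAME/MTIME fields the commit message shows `file` reporting, and the following `mv "$${s}.gz" "$$s"` is unaffected because gzip derives the `.gz` output path from the input name rather than from the header. Two things worth pinning down in the same hunk: a one-line comment above `if [ "$$GZIP" = "1" ]` stating that the header is stripped so the signed image hashes identically across formats would stop the flag from being dropped as "unnecessary" later, and the commit message's reproducibility claim should be scoped to the header only, since `-n` does not make the deflate stream itself identical across differing gzip versions or builds, so the cross-format checksum/HMAC comparison still relies on the same gzip producing every variant.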
Acked-by: Agathe Porte <agathe.porte at canonical.com>
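The header fields the patch strips can be checked directly rather than inferred from `file` output. The following is an added example, not code from the patch or from the Ubuntu kernel packaging: it parses the RFC 1952 member header, reports whether a gzip member carries an original filename or timestamp, and shows that compressing the same payload twice with both fields cleared (the equivalent of `gzip -9 -n`) yields byte-identical output with the same SHA-256, while a member written with a name and mtime does not. The payload bytes and the mtime value are constructed for the demonstration; the filename reuses the one quoted in the commit message.

```python
import gzip
import hashlib
import io
import struct
from typing import Optional

# Header flag bits from RFC 1952 section 2.3.1.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(data: bytes) -> dict:
    """Decode the fixed 10-byte gzip member header plus the optional
    FEXTRA / FNAME / FCOMMENT fields that follow it.

    These fields are what `file` prints as 'was "<name>", last modified:
    <date>'; they sit outside the DEFLATE payload and are exactly what
    `gzip -n` leaves out.
    """
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    method, flags, mtime, xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    pos = 10
    if flags & FEXTRA:
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2 + xlen
    name = None
    if flags & FNAME:
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    comment = None
    if flags & FCOMMENT:
        end = data.index(b"\x00", pos)
        comment = data[pos:end].decode("latin-1")
    return {"method": method, "flags": flags, "mtime": mtime,
            "xfl": xfl, "os": os_id, "name": name, "comment": comment}


def header_is_reproducible(data: bytes) -> bool:
    """True when the member carries neither an original filename nor a
    timestamp, i.e. the shape `gzip -n` produces."""
    h = parse_gzip_header(data)
    return h["name"] is None and h["mtime"] == 0


def gzip_bytes(payload: bytes, name: str = "", mtime: Optional[int] = None,
               level: int = 9) -> bytes:
    """Compress `payload` as a single gzip member.

    name="" with mtime=0 mirrors `gzip -9 -n`; a non-empty name with a
    real mtime mirrors plain `gzip -9` on a file. Python's GzipFile writes
    OS byte 255 ("unknown") where GNU gzip writes 3 ("Unix"), so `file`
    would not print "from Unix" for these members; the FNAME/MTIME
    behaviour, which is the point here, is the same.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf,
                       compresslevel=level, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_strategies(payload: bytes, name: str, mtime: int) -> dict:
    """Compress one payload with and without header metadata and report
    whether each strategy gives a stable checksum and preserves the data."""
    with_meta = gzip_bytes(payload, name=name, mtime=mtime)
    stripped_a = gzip_bytes(payload, name="", mtime=0)
    stripped_b = gzip_bytes(payload, name="", mtime=0)
    return {
        "with_meta_header": parse_gzip_header(with_meta),
        "with_meta_reproducible": header_is_reproducible(with_meta),
        "stripped_reproducible": header_is_reproducible(stripped_a),
        "stripped_stable": sha256(stripped_a) == sha256(stripped_b),
        "payload_preserved": (gzip.decompress(with_meta) == payload
                              and gzip.decompress(stripped_a) == payload),
        "compressed_differs": with_meta != stripped_a,
    }


if __name__ == "__main__":
    # Constructed stand-in for a kernel image; the name is the one quoted
    # in the patch description, the mtime is an arbitrary constructed value.
    payload = b"constructed kernel image bytes\n" * 2000
    report = compare_strategies(payload,
                                "vmlinuz-6.6.0-14-generic.efi.signed",
                                1_700_000_000)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the block prints the decoded header of the member written with metadata (name and mtime populated) alongside the checks showing that the stripped members are reproducible and stable while still decompressing to the original payload. Note that this only demonstrates header determinism; two different gzip implementations or versions can still emit different DEFLATE streams for the same input at the same level.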