ACK: [unstable/linux-signed][PATCH] Remove arbitrary timestamp and filename from ARM64 signed linux-image

Jose Ogando jose.ogando at canonical.com
Thu Dec 7 08:04:31 UTC 2023


On Tue, 2023-12-05 at 18:35 +0000, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/2045684
> 
> $ file /boot/vmlinuz-6.6.0-14-generic
> /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was
> "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1
> 18:54:57 2023, max compression, from Unix, original size modulo 2^32
> 56127880
> 
> Note that original filename and timestamp are encoded in the gzip
> content header which is not reproducible and not roundtrip safe. This
> makes it difficult to do gymnastics to convert from
> linux-unsigned, to linux-signed, to kernel.efi, and back and preserve
> the same checksum or HMAC of the file, as needed by FIPS or just pure
> curiosity to confirm that the kernel image is the same across all
> image formats we ship.
> 
> The fix is to use the -n (--no-name) option to gzip to compress the file
> without filename or timestamp.
> 
> $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
> /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max
> compression, from Unix, original size modulo 2^32 56127880
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> ---
>  debian/rules | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/debian/rules b/debian/rules
> index 01339d8348..236a1293d0 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -67,7 +67,7 @@ override_dh_auto_build:
>                                 vars="$${base}.efi.vars";            
>            \
>                                 [ -f "$$vars" ] && .
> "./$$vars";                \
>                                 if [ "$$GZIP" = "1" ];
> then                     \
> -                                       gzip -9
> "$$s";                          \
> +                                       gzip -9 -n
> "$$s";                       \
>                                         mv "$${s}.gz"
> "$$s";                    \
>                                 fi;                                  
>            \
>                         );                                           
>            \
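Review bot: the `gzip -9 -n "$$s"` line reads like an odd flag to anyone who has not seen the bug report, so a one-line comment in debian/rules next to it stating that `-n` (`--no-name`) omits the FNAME and MTIME header fields for a reproducible image would save the next reader a trip to the BugLink. Also worth noting in the commit message that the resulting archive is only byte-identical across runs that use the same gzip/zlib implementation and the same `-9` level; the change makes the header stable, and the checksum round-trip the message describes holds within that toolchain.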
> -- 
> 2.34.1
> 
> 
Acked-by: Jose Ogando <jose.ogando at canonical.com>
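The commit message above describes the two gzip header fields that `-n` removes and why they break checksum round-trips. As an added example that is not part of the patch or of this thread, the Python script below reproduces the effect with Python's `gzip` module rather than the gzip command: it compresses a constructed payload once the way `gzip -9 FILE` does (recording name and mtime) and once the way `gzip -9 -n` does, parses the RFC 1952 header the way `file` does to print its "was ..." and "last modified ..." fields, and checks which variant keeps a stable SHA-256 across rebuilds. The payload, file name and timestamp are constructed placeholders, not values from the real build.

```python
"""Added example: why `gzip -n` makes the compressed image reproducible."""
import gzip
import hashlib
import io
import struct

# RFC 1952 FLG bits.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 1, 2, 4, 8, 16

# Constructed stand-in for a kernel image (the real one is ~56 MB).
SAMPLE_IMAGE = b"MZ" + bytes(range(256)) * 64
# Constructed name and mtime; not taken from the real build.
SAMPLE_NAME = "vmlinuz-6.6.0-14-generic.efi.signed"
SAMPLE_MTIME = 1_700_000_000


def gzip_default(data: bytes, name: str, mtime: int) -> bytes:
    """Mimic `gzip -9 FILE`: the header records FILE's name and mtime."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", fileobj=buf,
                       compresslevel=9, mtime=mtime) as gz:
        gz.write(data)
    return buf.getvalue()


def gzip_no_name(data: bytes) -> bytes:
    """Mimic `gzip -9 -n FILE`: no FNAME field, MTIME written as 0."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf,
                       compresslevel=9, mtime=0) as gz:
        gz.write(data)
    return buf.getvalue()


def parse_gzip_header(blob: bytes) -> dict:
    """Decode the fixed 10-byte header plus the optional FNAME field.

    These are the bytes `file` reads to print "was <name>" and
    "last modified: <date>"; a zero MTIME and a clear FNAME bit give
    the shorter output shown in the commit message.
    """
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a deflate gzip member")
    flg = blob[3]
    (mtime,) = struct.unpack("<I", blob[4:8])
    pos = 10
    if flg & FEXTRA:
        (xlen,) = struct.unpack("<H", blob[pos:pos + 2])
        pos += 2 + xlen
    name = None
    if flg & FNAME:
        end = blob.index(b"\x00", pos)
        name = blob[pos:end].decode("latin-1")
    return {"flags": flg, "mtime": mtime, "name": name,
            "xfl": blob[8], "os": blob[9]}


def sha256(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def payload_roundtrips(blob: bytes) -> bool:
    """Both variants must still inflate to the identical image."""
    return gzip.decompress(blob) == SAMPLE_IMAGE


def demo() -> dict:
    """Compress the same payload as a rebuild a minute later would, and
    report whether the archive checksum stays stable for each variant."""
    first = gzip_default(SAMPLE_IMAGE, SAMPLE_NAME, SAMPLE_MTIME)
    rebuilt = gzip_default(SAMPLE_IMAGE, SAMPLE_NAME, SAMPLE_MTIME + 60)
    no_name_a = gzip_no_name(SAMPLE_IMAGE)
    no_name_b = gzip_no_name(SAMPLE_IMAGE)
    return {
        "default_stable": sha256(first) == sha256(rebuilt),      # False
        "no_name_stable": sha256(no_name_a) == sha256(no_name_b),  # True
        "default_header": parse_gzip_header(first),
        "no_name_header": parse_gzip_header(no_name_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `default_header` entry carries the name and a timestamp that changes on every rebuild, which is exactly the part of the file that `file` reported and that the checksum and HMAC comparisons tripped over; the `no_name_header` entry has FLG 0 and MTIME 0, so the only remaining input to the archive bytes is the payload and the deflate implementation itself.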

