ACK: [SRU][J/M][PATCH 0/1] UBUNTU: [Packaging] Check for relevant changes for security certifications
Roxana Nicolescu
roxana.nicolescu at canonical.com
Fri Sep 1 08:32:39 UTC 2023
On 31/08/2023 18:05, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for
> changes that might affect FIPS or other certs and justify why a commit
> was kept or removed.
>
> To simplify this process we can add an automated check that will abort
> the kernel preparation and build when such changes exist without a
> justification.
>
> [Test Plan]
>
> Check if the kernel preparation fails (cranky close) when any of the files
> specified by `crypto_files` is changed.
>
> [Where problems could occur]
>
> No kernels should be affected unless we enable this check by setting
> `do_fips_checks` to true. In the generic Jammy kernel, `do_fips_checks` is
> already set to false in `debian/rules.d/0-common-vars.mk`. Even if the variable
> is set to true, that only affects the kernel preparation and not the
> resulting kernel.
>
> Marcelo Henrique Cerri (1):
> UBUNTU: [Packaging] Add a new fips-checks script
>
> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
> 1 file changed, 138 insertions(+)
> create mode 100755 debian/scripts/misc/fips-checks
>
LGMT, but what about lunar?
Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>
More information about the kernel-team
mailing list