ACK: [SRU][J/M][PATCH 0/1] UBUNTU: [Packaging] Check for relevant changes for security certifications
Magali Lemes do Sacramento
magali.lemes.do.sacramento at canonical.com
Fri Sep 1 12:50:25 UTC 2023
On 01/09/2023 05:32, Roxana Nicolescu wrote:
>
> On 31/08/2023 18:05, Magali Lemes wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1945989
>>
>> [Impact]
>>
>> When producing a new version of some kernels, we need to check for
>> changes that might affect FIPS or other certs and justify why a commit
>> was kept or removed.
>>
>> To simplify this process we can add an automated check that will abort
>> the kernel preparation and build when such changes exist without a
>> justification.
>>
>> [Test Plan]
>>
>> Check if the kernel preparation fails (cranky close) when any of the
>> files
>> specified by `crypto_files` is changed.
>>
>> [Where problems could occur]
>>
>> No kernels should be affected unless we enable this check by setting
>> `do_fips_checks` to true. In the generic Jammy kernel,
>> `do_fips_checks` is
>> already set to false in `debian/rules.d/0-common-vars.mk`. Even if the
>> variable
>> is set to true, that only affects the kernel preparation and not the
>> resulting kernel.
>>
>> Marcelo Henrique Cerri (1):
>> UBUNTU: [Packaging] Add a new fips-checks script
>>
>> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>> 1 file changed, 138 insertions(+)
>> create mode 100755 debian/scripts/misc/fips-checks
>>
>
> LGMT, but what about lunar?
We only have FIPS kernels based on LTS kernels. I sent this to Mantic
too so that the next LTS kernel carries this script.
>
> Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>
>
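The gate described in the cover letter above, as an added illustration that is not Ubuntu's `debian/scripts/misc/fips-checks` script: a POSIX sh function that refuses to proceed when any changed path falls under a watched crypto list unless the commit message carries a justification. The path list assigned to `crypto_files`, the `fips_check` function, the `FIPS-Justification:` marker and the sample inputs are all assumptions made for this example; the page does not state the real script's file list or justification format.

```shell
#!/bin/sh
# Hypothetical stand-in for the kind of check the cover letter describes.
# Not the Ubuntu fips-checks script; its real file list and justification
# format are not shown on the page.

# Assumed watched paths (the real `crypto_files` contents are not given).
crypto_files="crypto/ arch/x86/crypto/ drivers/crypto/ lib/crypto/"

# fips_check "CHANGED_FILES" "COMMIT_MESSAGE"
#   CHANGED_FILES: space-separated paths touched by the commit
#   COMMIT_MESSAGE: the full commit message text
# Returns 0 when the build may continue, 1 when a crypto-relevant change
# is present without a justification (the "abort" case).
fips_check() {
    changed="$1"
    message="$2"
    hit=0
    for f in $changed; do
        for prefix in $crypto_files; do
            case "$f" in
                "$prefix"*) hit=1 ;;
            esac
        done
    done
    # No watched file touched: nothing to justify.
    if [ "$hit" -eq 0 ]; then
        return 0
    fi
    # Assumed marker: a trailer line starting with "FIPS-Justification:".
    if printf '%s\n' "$message" | grep -q '^FIPS-Justification:'; then
        return 0
    fi
    echo "fips-check: crypto-relevant change without justification, aborting" >&2
    return 1
}

# Constructed sample runs (not real commits).
fips_check "fs/ext4/inode.c" "ext4: fix inode handling" \
    && echo "non-crypto change: ok"
fips_check "crypto/aes.c fs/ext4/inode.c" "crypto: aes tweak" \
    || echo "unjustified crypto change: blocked"
fips_check "crypto/aes.c" "crypto: aes tweak

FIPS-Justification: cosmetic change, no effect on the AES code path" \
    && echo "justified crypto change: ok"
```

In a real packaging hook the changed-file list would come from the commit range being prepared, and the check would run before the build starts so that an unjustified change stops preparation rather than producing a kernel that later fails certification review.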