[SRU][J/M][PATCH v2 0/1] UBUNTU: [Packaging] Check for relevant changes for security certifications
Magali Lemes
magali.lemes at canonical.com
Wed Sep 6 21:24:44 UTC 2023
BugLink: https://bugs.launchpad.net/bugs/1945989
[Impact]
When producing a new version of some kernels, we need to check for
changes that might affect FIPS or other certs and justify why a commit
was kept or removed.
To simplify this process we can add an automated check that will abort
the kernel preparation and build when such changes exist without a
justification.
[Test Plan]
Check if the kernel preparation fails (cranky close) when any of the files
specified by `crypto_files` is changed.
[Where problems could occur]
No kernels should be affected unless we enable this check by setting
`do_fips_checks` to true. In the generic Jammy kernel, `do_fips_checks` is
already set to false in `debian/rules.d/0-common-vars.mk`. Even if the variable
is set to true, that only affects the kernel preparation and not the
resulting kernel.
[Other Info]
Changes in v2:
- `tag_prefix` was set based on the $DEBIAN_MASTER folder name, such that for
  first order derivatives the tag prefix would be `Ubuntu-master-*`. Fix
  this by relying on the package name from $DEBIAN_MASTER/changelog instead.
Marcelo Henrique Cerri (1):
UBUNTU: [Packaging] Add a new fips-checks script
debian/scripts/misc/fips-checks | 139 ++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
create mode 100755 debian/scripts/misc/fips-checks
--
2.34.1
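
Added example, not part of the original message and not the fips-checks script itself: a sketch of the gate described under [Impact], where any commit touching a crypto-relevant path must carry a justification or the preparation fails. The path patterns, the `git log --format='commit %H' --name-only` input, the justification file format and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Assumed patterns for illustration; the real list is the script's `crypto_files`.
CRYPTO_FILES = ["crypto/*", "arch/*/crypto/*", "lib/crypto/*"]

def parse_git_log(text):
    """Parse `git log --format='commit %H' --name-only` output into {sha: [paths]}."""
    commits, sha = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("commit "):
            sha = line.split()[1]
            commits[sha] = []
        elif line and sha is not None:
            commits[sha].append(line)
    return commits

def parse_justifications(text):
    """Hypothetical file format: '<sha> <reason>' per line; '#' starts a comment."""
    reasons = {}
    for line in text.splitlines():
        sha, _, reason = line.split("#", 1)[0].strip().partition(" ")
        if sha:
            reasons[sha] = reason.strip()
    return reasons

def fips_check(log_text, just_text, do_fips_checks=True, patterns=CRYPTO_FILES):
    """Return [(sha, crypto_paths)] for commits that lack a justification."""
    if not do_fips_checks:  # check disabled: preparation is never blocked
        return []
    reasons = parse_justifications(just_text)
    failures = []
    for sha, paths in parse_git_log(log_text).items():
        hits = [p for p in paths if any(fnmatchcase(p, pat) for pat in patterns)]
        if hits and not reasons.get(sha):  # a sha with no reason text does not count
            failures.append((sha, hits))
    return failures

# Constructed sample data (not real commits or justifications).
SAMPLE_LOG = """commit 1111111
crypto/aes_generic.c
commit 2222222
arch/x86/crypto/sha256_ssse3_glue.c
fs/ext4/inode.c
commit 3333333
Documentation/crypto/index.rst
commit 4444444
crypto/drbg.c
"""
SAMPLE_JUSTIFICATIONS = "# sha reason\n1111111 comment-only change\n4444444\n"
print(fips_check(SAMPLE_LOG, SAMPLE_JUSTIFICATIONS))
```

A non-empty result is the condition under which the preparation step would abort; the patterns are anchored at the tree root, so `Documentation/crypto/` does not trigger the check.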