APPLIED: [unstable/linux-signed][PATCH] Remove arbitrary timestamp and filename from ARM64 signed linux-image
Andrea Righi
andrea.righi at canonical.com
Tue Jan 2 12:03:54 UTC 2024
On Tue, Dec 05, 2023 at 06:35:54PM +0000, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/2045684
>
> $ file /boot/vmlinuz-6.6.0-14-generic
> /boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was
> "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1
> 18:54:57 2023, max compression, from Unix, original size modulo 2^32
> 56127880
>
> Note that original filename and timestamp are encoded in the gzip
> content header which is not reproducible and not roundtrip safe. This
> makes it difficult to do gymnastics to convert for linux
> linux-unsigned, to linux-signed, to kernel.efi, and back and preserve
> the same checksum or HMAC of the file, as needed by FIPS or just pure
> curiosity to confirm that the kernel image is the same across all
> image formats we ship.
>
> The fix is to use -n (--no-name) option to gzip to compress the file
> without filename or timestamp.
>
> $ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
> /boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max
> compression, from Unix, original size modulo 2^32 56127880
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Applied to noble/linux-unstable, thanks!
-Andrea
> ---
> debian/rules | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/debian/rules b/debian/rules
> index 01339d8348..236a1293d0 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -67,7 +67,7 @@ override_dh_auto_build:
> vars="$${base}.efi.vars"; \
> [ -f "$$vars" ] && . "./$$vars"; \
> if [ "$$GZIP" = "1" ]; then \
> - gzip -9 "$$s"; \
> + gzip -9 -n "$$s"; \
> mv "$${s}.gz" "$$s"; \
> fi; \
> ); \
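Review bot: the `gzip -9 -n "$$s"` line deserves a short comment in debian/rules stating why `-n` is there (it omits the original file name and mtime from the gzip header so the signed image can be compared byte-for-byte with the other image formats), because the next person editing this block will not have the commit message in front of them. Also worth noting that `-n` only clears those two header fields: byte-identical output across builds still assumes the same gzip implementation and level, which `-9` pins but the tool version does not.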
> --
> 2.34.1
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
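As an added example (not part of the patch or of the thread), the script below decodes the gzip header fields the commit message refers to and checks the reproducibility claim on constructed input; the function names and the sample payload are assumptions of this example, not anything from debian/rules.

```shell
#!/bin/sh
# Added example, not part of the patch or of debian/rules. It reads the gzip
# member header (RFC 1952: ID1 ID2 CM FLG MTIME[4, little-endian] XFL OS,
# then the original name if FLG bit 0x08 is set) to show what -n removes.
# Assumes gzip, od, cmp and mktemp are available.

# FLG byte of a gzip file, as a decimal number.
gzip_flg() {
    od -An -tu1 -j3 -N1 "$1" | tr -d ' '
}

# MTIME field as a decimal number, assembled byte by byte so the result does
# not depend on the host's endianness.
gzip_mtime() {
    set -- $(od -An -tu1 -j4 -N4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Exit 0 when the header carries a file name or a non-zero timestamp, i.e.
# when the file is not reproducible in the sense the commit message means.
gzip_has_name_or_mtime() {
    [ $(( $(gzip_flg "$1") & 8 )) -ne 0 ] || [ "$(gzip_mtime "$1")" -ne 0 ]
}

# Compress FILE in place the way the patched rules snippet does.
compress_like_rules() {
    gzip -9 -n "$1"
    mv "$1.gz" "$1"
}

# Constructed payload compressed under two names: identical with -n, not
# without. Exit 0 when every expectation holds.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed kernel image payload\n' > "$tmp/vmlinuz-a"
    for f in vmlinuz-b plain-a plain-b; do cp "$tmp/vmlinuz-a" "$tmp/$f"; done
    compress_like_rules "$tmp/vmlinuz-a"
    compress_like_rules "$tmp/vmlinuz-b"
    gzip -9 "$tmp/plain-a" "$tmp/plain-b"
    rc=1
    if cmp -s "$tmp/vmlinuz-a" "$tmp/vmlinuz-b" \
        && ! cmp -s "$tmp/plain-a.gz" "$tmp/plain-b.gz" \
        && ! gzip_has_name_or_mtime "$tmp/vmlinuz-a" \
        && gzip_has_name_or_mtime "$tmp/plain-a.gz"; then
        echo "gzip -n output is reproducible; plain gzip output is not"
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}
```

Source the script and call `demo`; it exits 0 and prints one line when the two `-n` outputs match byte-for-byte and the two plain outputs do not.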