[SRU][Focal/Jammy/Mantic/Noble][PATCH 0/1] Remove fips-checks script
Magali Lemes
magali.lemes at canonical.com
Tue Mar 26 18:52:37 UTC 2024
BugLink: https://bugs.launchpad.net/bugs/2055083
[Impact]
When producing a new version of some kernels, we need to check for changes that
might affect FIPS certs and justify why a commit was kept. For that, we have a
fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
This script has been moved to `cranky`[1], so now there is no need to have this
script in the kernel Git trees as well.
[1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
[Fix]
Remove the fips-checks script and its calls.
[Test Plan]
Prepare a kernel and ensure that the `cranky close` step runs without any
errors.
Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
faithfully replaces the in-tree script: simulate crankying j:fips version
5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
this patch on top. For this version, we'll also need to add the list of files
we're interested in inspecting, as the check-fips script in cranky relies on
that.
* Test that the script in cranky complains about the crypto commits if they're
  not justified or reverted;
* Revert one of those commits and check that the cranky script does not
  complain about that one;
* Justify one of the commits (in debian.fips/fips/justifications) and check
  that the cranky script does not complain.
[Where problems could occur]
This only affects the preparation of FIPS kernels and not the final kernel
binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
relying on `cranky check-fips` to ensure that we have it working well on the
cranky side too. If any problem occurs, we can fix the script directly in its
new location in `cranky` now.
Magali Lemes (1):
UBUNTU: [Packaging] Remove fips-checks script
debian/rules.d/0-common-vars.mk | 3 -
debian/rules.d/1-maintainer.mk | 3 -
debian/scripts/misc/fips-checks | 138 --------------------------------
3 files changed, 144 deletions(-)
delete mode 100755 debian/scripts/misc/fips-checks
--
2.43.0