ACK: [SRU][Focal/Jammy/Mantic/Noble][PATCH 0/1] Remove fips-checks script

Stefan Bader stefan.bader at canonical.com
Wed Mar 27 16:09:35 UTC 2024


On 26.03.24 19:52, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083
> 
> [Impact]
> 
> When producing a new version of some kernels, we need to check for changes that
> might affect FIPS certs and justify why a commit was kept. For that, we have a
> fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
> 
> This script has been moved to `cranky`[1], so now there is no need to have this
> script in the kernel Git trees as well.
> 
> [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
> 
> [Fix]
> 
> Remove the fips-checks script and its calls.
> 
> [Test Plan]
> 
> Prepare a kernel and ensure that the `cranky close` step runs without any
> errors.
> Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
> faithfully replaces the in-tree script: simulate crankying j:fips version
> 5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
> this patch on top. For this version, we'll also need to add the list of files
> we're interested in inspecting, as the check-fips script in cranky relies on
> that.
> * Test that the script in cranky complains about the crypto commits if they're
>    not justified or reverted;
> * Revert one of those commits and check that the cranky script does not
>    complain about that one;
> * Justify one of the commits (in debian.fips/fips/justifications) and check
>    that the cranky script does not complain.
> 
> [Where problems could occur]
> 
> This only affects the preparation of FIPS kernels and not the kernel final
> binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
> relying on `cranky check-fips` to ensure that we have it working well on the
> cranky side too. If any problem occurs, we can fix the script directly in its
> new location in `cranky` now.
> 
> Magali Lemes (1):
>    UBUNTU: [Packaging] Remove fips-checks script
> 
>   debian/rules.d/0-common-vars.mk |   3 -
>   debian/rules.d/1-maintainer.mk  |   3 -
>   debian/scripts/misc/fips-checks | 138 --------------------------------
>   3 files changed, 144 deletions(-)
>   delete mode 100755 debian/scripts/misc/fips-checks
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>