ACK: [SRU][Focal/Jammy/Mantic/Noble][PATCH 0/1] Remove fips-checks script
Stefan Bader
stefan.bader at canonical.com
Wed Mar 27 16:09:35 UTC 2024
On 26.03.24 19:52, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for changes that
> might affect FIPS certs and justify why a commit was kept. For that, we have a
> fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
>
> This script has been moved to `cranky`[1], so now there is no need to have this
> script in the kernel Git trees as well.
>
> [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
>
> [Fix]
>
> Remove the fips-checks script and its calls.
>
> [Test Plan]
>
> Prepare a kernel and ensure that the `cranky close` step runs without any
> errors.
> Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
> faithfully replaces the in-tree script: simulate crankying j:fips version
> 5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
> this patch on top. For this version, we'll also need to add the list of files
> we're interested in inspecting, as the check-fips script in cranky relies on
> that.
> * Test that the script in cranky complains about the crypto commits if they're
>   not justified or reverted;
> * Revert one of those commits and check that the cranky script does not
>   complain about that one;
> * Justify one of the commits (in debian.fips/fips/justifications) and check
>   that the cranky script does not complain.
>
> [Where problems could occur]
>
> This only affects the preparation of FIPS kernels and not the kernel final
> binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
> relying on `cranky check-fips` to ensure that we have it working well on the
> cranky side too. If any problem occurs, we can fix the script directly in its
> new location in `cranky` now.
>
> Magali Lemes (1):
> UBUNTU: [Packaging] Remove fips-checks script
>
> debian/rules.d/0-common-vars.mk | 3 -
> debian/rules.d/1-maintainer.mk | 3 -
> debian/scripts/misc/fips-checks | 138 --------------------------------
> 3 files changed, 144 deletions(-)
> delete mode 100755 debian/scripts/misc/fips-checks
>
Acked-by: Stefan Bader <stefan.bader at canonical.com>