Public bug reported:

[Impact]

 * As part of landing the builtin revocation certificates work
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been
identified that many kernels do not correctly enforce newly enforced keys
in the derivative flavours, i.e. due to annotations not importing parent
annotations, due to not having do_enforce_all, or due to using older
formats of annotations files.

 * As part of FIPS validation work, final-checks got added to check and
assert that the correct things are turned on.

 * It has been agreed that having a final-check for builtin system
trusted & revocation certificates would be a good thing. If packaging
declares that certain certificates should be built-in trusted or
revoked, the kernel config must be configured to point at the
packaging-generated .pem bundle.

[Test Plan]

 * Kernel should build
 * If trusted or revocation certificates are configured in packaging but
the config option is misconfigured (e.g. a typo, or not set), the kernel
build and cranky close should fail
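As an added example (not Ubuntu's actual debian/scripts/misc/final-checks and not code from this bug), the following POSIX shell check implements the requirement from [Impact] and exercises the failure modes from the [Test Plan]: for every flavour config it asserts that the trusted and revocation key options point exactly at the packaging-generated bundles, and it reports every broken option rather than only the first. The option names CONFIG_SYSTEM_TRUSTED_KEYS and CONFIG_SYSTEM_REVOCATION_KEYS are the upstream Kconfig string options from certs/Kconfig; the .pem paths, function names and the two sample .config files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Ubuntu's debian/scripts/misc/final-checks.
# Option names are the upstream Kconfig string options (certs/Kconfig);
# the expected .pem paths below are assumptions for the example.

# check_cert_config CONFIG_FILE OPTION EXPECTED_PEM
# Succeeds only if CONFIG_FILE contains exactly OPTION="EXPECTED_PEM".
# A whole-line fixed-string match fails for every misconfiguration the
# test plan lists: option absent, option name mistyped, wrong path, or
# an empty string left over from the upstream default.
check_cert_config() {
    config="$1"; option="$2"; expected="$3"
    if grep -qFx "${option}=\"${expected}\"" "$config"; then
        return 0
    fi
    actual=$(sed -n "s/^${option}=//p" "$config" 2>/dev/null || true)
    echo "final-checks: ${option} must be \"${expected}\", got ${actual:-<not set>}" >&2
    return 1
}

# final_checks_certs CONFIG_FILE TRUSTED_PEM REVOCATION_PEM
# An empty PEM argument means packaging declares no such bundle, so that
# option is not checked. Both checks always run so the build log names
# every broken option, not only the first one hit.
final_checks_certs() {
    config="$1"; trusted="$2"; revoked="$3"; rc=0
    [ -z "$trusted" ] || check_cert_config "$config" CONFIG_SYSTEM_TRUSTED_KEYS "$trusted" || rc=1
    [ -z "$revoked" ] || check_cert_config "$config" CONFIG_SYSTEM_REVOCATION_KEYS "$revoked" || rc=1
    return "$rc"
}

# Constructed sample configs standing in for the packaging's generated
# .config files; the bundle paths are assumed, not taken from Ubuntu.
TRUSTED_PEM="debian/canonical-certs.pem"
REVOCATION_PEM="debian/canonical-revoked-certs.pem"
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

# Primary kernel: both bundles wired into the config.
cat >"$SAMPLES/primary.config" <<EOF
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="$TRUSTED_PEM"
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="$REVOCATION_PEM"
EOF

# Derivative flavour that did not inherit the parent's settings: the
# trusted bundle fell back to the empty upstream default and the
# revocation option name carries a typo, so the real option is unset.
cat >"$SAMPLES/derivative.config" <<EOF
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATON_KEYS="$REVOCATION_PEM"
EOF

# Stand-alone demo: the primary passes, the derivative would FTBFS.
for flavour in primary derivative; do
    if final_checks_certs "$SAMPLES/$flavour.config" "$TRUSTED_PEM" "$REVOCATION_PEM"; then
        echo "final-checks: $flavour: certificate config OK"
    else
        echo "final-checks: $flavour: FAILED, build must abort here"
    fi
done
```

Because final_checks_certs exits non-zero for any misconfigured flavour, running it from the packaging's final-checks stage with the bundle paths taken from the packaging's own certificate declarations (rather than hard-coded as here) makes the build, and whatever depends on the build, fail exactly in the cases the test plan lists.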


[Where problems could occur]

 * This is a packaging change only, thus it may result in valid kernels
FTBFS, but that should be easy to rectify.

[Other Info]
 
 * Also see

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029

and kernels derived from a primary kernel that had that fixed, which
subsequently failed boot testing due to not enabling those options.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947174

Title:
  Add final-checks to check certificates

Status in linux package in Ubuntu:
  Incomplete


-- 
Mailing list: https://launchpad.net/~kernel-packages