Public bug reported:

[Impact]
When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept. Currently there is a fips-check script that complains whenever a commit with crypto-related changes is found without any justification. However, this script does not account for cases where these commits are reverted and will fail even in these cases.

[Fix]
After finding the commits that touch crypto source, also look for commits that revert them.

[Test Plan]
Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two commits that touch crypto source. Revert those commits (and do not forget to follow the convention of adding `UBUNTU: SAUCE` to the commit subject). Proceed to prepare the kernel, and at the `cranky close` step, confirm that it can be run without any errors.

[Where problems could occur]
This only affects the preparation of FIPS kernels and not the kernel final binary.

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
     Status: In Progress

** Affects: linux (Ubuntu Jammy)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
     Status: In Progress

** Affects: linux (Ubuntu Noble)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
     Status: In Progress

** Also affects: linux (Ubuntu Jammy)
     Importance: Undecided
     Status: New

** Also affects: linux (Ubuntu Noble)
     Importance: Undecided
     Status: New

** Changed in: linux (Ubuntu Jammy)
     Assignee: (unassigned) => Magali Lemes do Sacramento (magalilemes)

** Changed in: linux (Ubuntu Noble)
     Assignee: (unassigned) => Magali Lemes do Sacramento (magalilemes)

** Changed in: linux (Ubuntu Jammy)
     Importance: Undecided => Medium

** Changed in: linux (Ubuntu Noble)
     Importance: Undecided => Medium

** Changed in: linux (Ubuntu Jammy)
     Status: New => In Progress

** Changed in: linux (Ubuntu Noble)
     Status: New => In Progress

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2055083

Title:
  Make fips-check script aware of commit reverts

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress
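The [Fix] step in the report above, sketched as an added example; this is not the fips-check script's own code. It assumes reverts are recognised by the "This reverts commit <sha>" body line that `git revert` writes by default, that the listed path prefixes stand in for "crypto source", and it goes one step beyond the report by handling a revert of a revert and a revert whose target lies outside the cycle.

```python
import re

# Assumed path prefixes for "crypto source"; the report does not list the real ones.
CRYPTO_PREFIXES = ("crypto/", "lib/crypto/", "arch/x86/crypto/")
# Body line that `git revert` writes by default.
REVERT_RE = re.compile(r"^This reverts commit ([0-9a-f]{7,40})", re.M)

def needs_justification(commits, justified=frozenset()):
    """commits: oldest-first dicts (sha, body, files) for one release cycle.
    Returns shas of crypto-touching commits still in effect and unjustified."""
    in_effect, reverts = {}, {}      # sha -> bool, revert sha -> target sha

    def set_effect(sha, value):
        in_effect[sha] = value
        if sha in reverts:           # undoing a revert re-applies its target
            set_effect(reverts[sha], not value)

    for c in commits:
        m = REVERT_RE.search(c["body"])
        target = m and next((s for s in in_effect if s.startswith(m.group(1))), None)
        if target:                   # only reverts of commits from this cycle pair up
            reverts[c["sha"]] = target
        set_effect(c["sha"], True)

    return [c["sha"] for c in commits
            if in_effect[c["sha"]] and c["sha"] not in reverts
            and c["sha"] not in justified
            and any(f.startswith(CRYPTO_PREFIXES) for f in c["files"])]

# Constructed sample history (placeholder shas, not real kernel commits).
A, B, C, D, E = ("a" * 40, "b" * 40, "c" * 40, "d" * 40, "e" * 40)
SAMPLE = [
    {"sha": A, "body": "", "files": ["crypto/drbg.c"]},
    {"sha": B, "body": "", "files": ["crypto/testmgr.c"]},
    {"sha": C, "body": "", "files": ["net/core/dev.c"]},
    # Reverts A, which is in this cycle: the pair nets to no crypto change.
    {"sha": D, "body": f"This reverts commit {A}.", "files": ["crypto/drbg.c"]},
    # Reverts a commit from before this cycle: still a crypto change to justify.
    {"sha": E, "body": "This reverts commit " + "f" * 40 + ".", "files": ["crypto/ecdh.c"]},
]

if __name__ == "__main__":
    for sha in needs_justification(SAMPLE, justified={B}):
        print("missing justification:", sha)
```

A revert whose target is not part of the cycle is deliberately left in the result, since it changes crypto source relative to the previously released kernel.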