Public bug reported:

[Impact]

When producing a new version of some kernels, we need to check for
changes that might affect FIPS certs and justify why a commit was kept.

Currently there is a fips-check script that complains whenever a commit
with crypto-related changes is found without any justification. However,
this script does not account for cases where these commits are reverted
and will fail even in these cases.

[Fix]

After finding the commits that touch crypto source, also look for
commits that revert them.
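A worked illustration of the fix described above, added here as an example and not the real fips-check script or any code by the bug's author. It assumes commits are already parsed into records (in practice from `git log --name-only`), that an explicit justification is a body trailer beginning `FIPS-Justification:`, that crypto source is identified by a small path-prefix list, and that reverts are recognised by git's default "This reverts commit <sha>." line; all of these conventions and the sample commits are constructed for the example. It also handles the revert-of-revert case, where the original change is back in the tree and must be flagged again.

```python
"""Toy FIPS check that ignores crypto commits which were reverted in the same range."""
import re
from dataclasses import dataclass

# Assumed list of crypto source prefixes; the real script keeps its own.
CRYPTO_PREFIXES = ("crypto/", "lib/crypto/", "include/crypto/", "arch/x86/crypto/")
# Assumed justification trailer format (constructed for this example).
JUSTIFICATION_RE = re.compile(r"^FIPS-Justification:\s*\S", re.MULTILINE)
# git's default revert wording; the id may be abbreviated by hand-written reverts.
REVERT_RE = re.compile(r"This reverts commit ([0-9a-f]{7,40})")


@dataclass(frozen=True)
class Commit:
    sha: str        # full 40-hex-digit id
    subject: str
    body: str
    files: tuple    # paths touched by the commit


def touches_crypto(commit):
    return any(path.startswith(CRYPTO_PREFIXES) for path in commit.files)


def has_justification(commit):
    return JUSTIFICATION_RE.search(commit.body) is not None


def revert_targets(commit):
    """Commit ids (possibly abbreviated) that this commit claims to revert."""
    return REVERT_RE.findall(commit.body)


def build_revert_map(commits):
    """Map full SHA -> full SHAs of range-local commits that revert it."""
    shas = {c.sha for c in commits}
    reverts = {sha: [] for sha in shas}
    for c in commits:
        for target in revert_targets(c):
            for sha in shas:
                if sha.startswith(target):      # prefix match tolerates short ids
                    reverts[sha].append(c.sha)
    return reverts


def effectively_reverted(sha, reverts, _stack=()):
    """True if at least one revert of `sha` is itself still in effect.

    A revert that was later reverted reinstates the original change, so
    only reverts that were not themselves undone count.
    """
    if sha in _stack:           # guard against malformed circular revert messages
        return False
    return any(not effectively_reverted(r, reverts, _stack + (sha,))
               for r in reverts.get(sha, []))


def unjustified_crypto_commits(commits):
    """SHAs that touch crypto source, carry no justification, and are still in effect."""
    reverts = build_revert_map(commits)
    crypto_shas = {c.sha for c in commits if touches_crypto(c)}
    flagged = []
    for c in commits:
        if c.sha not in crypto_shas or has_justification(c):
            continue
        if effectively_reverted(c.sha, reverts):
            continue    # the change is gone from the tree again
        if any(sha.startswith(t) for t in revert_targets(c) for sha in crypto_shas):
            continue    # this is the revert of an in-range crypto commit: net change is zero
        flagged.append(c.sha)
    return flagged


# Constructed sample range: two crypto commits, one reverted the Ubuntu way,
# one justified commit, and one unrelated commit.
A_SHA, B_SHA, C_SHA, D_SHA, E_SHA, F_SHA = ("a" * 40, "b" * 40, "c" * 40,
                                            "d" * 40, "e" * 40, "f" * 40)
SAMPLE_COMMITS = [
    Commit(A_SHA, "crypto: aes - tweak key expansion", "", ("crypto/aes_generic.c",)),
    Commit(B_SHA, "crypto: sha256 - x86 speedup", "", ("arch/x86/crypto/sha256_ssse3_glue.c",)),
    Commit(C_SHA, 'UBUNTU: SAUCE: Revert "crypto: aes - tweak key expansion"',
           f"This reverts commit {A_SHA}.", ("crypto/aes_generic.c",)),
    Commit(D_SHA, "crypto: rsa - reject short keys",
           "FIPS-Justification: validated module unchanged (constructed)", ("crypto/rsa.c",)),
    Commit(E_SHA, "net: core - unrelated change", "", ("net/core/dev.c",)),
]
# Revert of the revert: puts the aes change back, so A must be flagged again.
REVERT_OF_REVERT = Commit(F_SHA, 'Revert "UBUNTU: SAUCE: Revert "crypto: aes - tweak key expansion""',
                          f"This reverts commit {C_SHA}.", ("crypto/aes_generic.c",))


if __name__ == "__main__":
    for sha in unjustified_crypto_commits(SAMPLE_COMMITS):
        print(f"unjustified crypto change: {sha[:12]}")
```

Running the block on the sample range reports only the sha256 commit: the aes commit and its `UBUNTU: SAUCE` revert cancel out, the rsa commit carries a justification, and the networking commit is out of scope. Appending the revert-of-revert makes the aes commit reappear in the report, which is the behaviour a reviewer wants from the check.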

[Test Plan]

Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two
commits that touch crypto source. Revert those commits (and do not
forget to follow the convention of adding `UBUNTU: SAUCE` to the commit
subject). Proceed to prepare the kernel, and at the `cranky close` step,
confirm that it can be run without any errors.

[Where problems could occur]

This only affects the preparation of FIPS kernels and not the kernel
final binary.

** Affects: linux (Ubuntu)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
         Status: In Progress

** Affects: linux (Ubuntu Jammy)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
         Status: In Progress

** Affects: linux (Ubuntu Noble)
     Importance: Medium
     Assignee: Magali Lemes do Sacramento (magalilemes)
         Status: In Progress

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Jammy)
     Assignee: (unassigned) => Magali Lemes do Sacramento (magalilemes)

** Changed in: linux (Ubuntu Noble)
     Assignee: (unassigned) => Magali Lemes do Sacramento (magalilemes)

** Changed in: linux (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Noble)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Noble)
       Status: New => In Progress

https://bugs.launchpad.net/bugs/2055083

Title:
  Make fips-check script aware of commit reverts

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Jammy:
  In Progress
Status in linux source package in Noble:
  In Progress

