Message ID | 20240326185335.44175-1-magali.lemes@canonical.com |
---|---|
Series | Remove fips-checks script |
On 26.03.24 19:52, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for changes that
> might affect FIPS certs and justify why a commit was kept. For that, we have a
> fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
>
> This script has been moved to `cranky`[1], so now there is no need to have this
> script in the kernel Git trees as well.
>
> [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
>
> [Fix]
>
> Remove the fips-checks script and its calls.
>
> [Test Plan]
>
> Prepare a kernel and ensure that the `cranky close` step runs without any
> errors.
> Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
> faithfully replaces the in-tree script: simulate crankying j:fips version
> 5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
> this patch on top. For this version, we'll also need to add the list of files
> we're interested in inspecting, as the check-fips script in cranky relies on
> that.
> * Test that the script in cranky complains about the crypto commits if they're
>   not justified or reverted;
> * Revert one of those commits and check that the cranky script does not
>   complain about that one;
> * Justify one of the commits (in debian.fips/fips/justifications) and check
>   that the cranky script does not complain.
>
> [Where problems could occur]
>
> This only affects the preparation of FIPS kernels and not the kernel final
> binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
> relying on `cranky check-fips` to ensure that we have it working well on the
> cranky side too. If any problem occurs, we can fix the script directly in its
> new location in `cranky` now.
>
> Magali Lemes (1):
>   UBUNTU: [Packaging] Remove fips-checks script
>
>  debian/rules.d/0-common-vars.mk |   3 -
>  debian/rules.d/1-maintainer.mk  |   3 -
>  debian/scripts/misc/fips-checks | 138 --------------------------------
>  3 files changed, 144 deletions(-)
>  delete mode 100755 debian/scripts/misc/fips-checks
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 26/03/2024 19:52, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for changes that
> might affect FIPS certs and justify why a commit was kept. For that, we have a
> fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
>
> This script has been moved to `cranky`[1], so now there is no need to have this
> script in the kernel Git trees as well.
>
> [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
>
> [Fix]
>
> Remove the fips-checks script and its calls.
>
> [Test Plan]
>
> Prepare a kernel and ensure that the `cranky close` step runs without any
> errors.
> Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
> faithfully replaces the in-tree script: simulate crankying j:fips version
> 5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
> this patch on top. For this version, we'll also need to add the list of files
> we're interested in inspecting, as the check-fips script in cranky relies on
> that.
> * Test that the script in cranky complains about the crypto commits if they're
>   not justified or reverted;
> * Revert one of those commits and check that the cranky script does not
>   complain about that one;
> * Justify one of the commits (in debian.fips/fips/justifications) and check
>   that the cranky script does not complain.
>
> [Where problems could occur]
>
> This only affects the preparation of FIPS kernels and not the kernel final
> binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
> relying on `cranky check-fips` to ensure that we have it working well on the
> cranky side too. If any problem occurs, we can fix the script directly in its
> new location in `cranky` now.
>
> Magali Lemes (1):
>   UBUNTU: [Packaging] Remove fips-checks script
>
>  debian/rules.d/0-common-vars.mk |   3 -
>  debian/rules.d/1-maintainer.mk  |   3 -
>  debian/scripts/misc/fips-checks | 138 --------------------------------
>  3 files changed, 144 deletions(-)
>  delete mode 100755 debian/scripts/misc/fips-checks
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

On 26.03.24 19:52, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083
>
> [Impact]
>
> When producing a new version of some kernels, we need to check for changes that
> might affect FIPS certs and justify why a commit was kept. For that, we have a
> fips-checks script that lives under debian/ in Focal, Jammy, Mantic and Noble.
>
> This script has been moved to `cranky`[1], so now there is no need to have this
> script in the kernel Git trees as well.
>
> [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca
>
> [Fix]
>
> Remove the fips-checks script and its calls.
>
> [Test Plan]
>
> Prepare a kernel and ensure that the `cranky close` step runs without any
> errors.
> Particularly for FIPS kernels, we want to make sure that `cranky check-fips`
> faithfully replaces the in-tree script: simulate crankying j:fips version
> 5.15.0-100.110+fips1, where two commits that touch crypto code are added, with
> this patch on top. For this version, we'll also need to add the list of files
> we're interested in inspecting, as the check-fips script in cranky relies on
> that.
> * Test that the script in cranky complains about the crypto commits if they're
>   not justified or reverted;
> * Revert one of those commits and check that the cranky script does not
>   complain about that one;
> * Justify one of the commits (in debian.fips/fips/justifications) and check
>   that the cranky script does not complain.
>
> [Where problems could occur]
>
> This only affects the preparation of FIPS kernels and not the kernel final
> binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle
> relying on `cranky check-fips` to ensure that we have it working well on the
> cranky side too. If any problem occurs, we can fix the script directly in its
> new location in `cranky` now.
>
> Magali Lemes (1):
>   UBUNTU: [Packaging] Remove fips-checks script
>
>  debian/rules.d/0-common-vars.mk |   3 -
>  debian/rules.d/1-maintainer.mk  |   3 -
>  debian/scripts/misc/fips-checks | 138 --------------------------------
>  3 files changed, 144 deletions(-)
>  delete mode 100755 debian/scripts/misc/fips-checks
>

Applied to mantic,jammy,focal:linux/master-next. Thanks.

-Stefan

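The gate that the quoted test plan exercises, modelled as an added example (this is not the fips-checks script or the `cranky check-fips` code): a commit touching a watched crypto path is reported unless a later commit in the same range reverts it or a justification is recorded. The watch list, the commit data, the placeholder ids and the subject-keyed justification set are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data. The watch list, the placeholder ids and the idea of
# keying justifications by commit subject are assumptions of this example.
WATCHED = ["crypto/*", "arch/*/crypto/*", "lib/crypto/*"]
COMMITS = [  # oldest first: (id, subject, files touched)
    ("c1", "crypto: example - adjust self-test vectors", ["crypto/testmgr.c"]),
    ("c2", "crypto: example - change drbg reseed", ["crypto/drbg.c"]),
    ("c3", "net: example - unrelated fix", ["net/core/dev.c"]),
    ("c4", 'Revert "crypto: example - change drbg reseed"', ["crypto/drbg.c"]),
    ("c5", "lib/crypto: example - add helper", ["lib/crypto/utils.c"]),
]
JUSTIFIED = {"crypto: example - adjust self-test vectors"}
REVERT_RE = re.compile(r'^Revert "(.*)"$')


def touches_watched(files, watched=WATCHED):
    """True if any changed path matches a watched glob."""
    return any(fnmatchcase(f, pat) for f in files for pat in watched)


def unjustified(commits, justified, watched=WATCHED):
    """Ids of watched-path commits that are neither reverted nor justified."""
    live = []  # (id, subject) of watched-path changes still in effect
    for cid, subject, files in commits:
        if not touches_watched(files, watched):
            continue
        m = REVERT_RE.match(subject)
        if m:
            # Cancel the newest in-range commit carrying the reverted subject.
            for i in range(len(live) - 1, -1, -1):
                if live[i][1] == m.group(1):
                    del live[i]
                    break
            else:
                # Reverting something outside the range is itself a change.
                live.append((cid, subject))
            continue
        live.append((cid, subject))
    return [cid for cid, subject in live if subject not in justified]


if __name__ == "__main__":
    for cid in unjustified(COMMITS, JUSTIFIED):
        print("needs justification or revert:", cid)
```

A revert whose target lies outside the inspected range is reported like any other crypto change, since it alters watched code without cancelling anything in the range.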
On Tue, Mar 26, 2024 at 03:52:37PM -0300, Magali Lemes wrote:
> BugLink: https://bugs.launchpad.net/bugs/2055083