Message ID | 20211004133548.2168392-2-marcelo.cerri@canonical.com |
---|---|
State | New |
Series | LP:#1945989 - Check for changes relevant for security certifications |
<bikeshedding/>

Since this is intended for master kernels, how about generalizing the nomenclature? For example, instead of do_fips_checks, how about do_justification_checks? And debian/scripts/misc/fips-checks --> debian/scripts/misc/justification-checks? I know this is likely to only ever be used for FIPS, but you never know.

</bikeshedding>

On 10/4/21 7:35 AM, Marcelo Henrique Cerri wrote:
> BugLink: https://bugs.launchpad.net/bugs/1945989
>
> Add a new script responsible for checking if any FIPS relevant commit
> was added since the last version. If a new change is found, a
> corresponding entry should exist in the justifications file otherwise
> the check will fail.
>
> The justifications file is located at "${DEBIAN}/fips.justifications"
> and should follow the following format for each commit justification:
>
> <commit short message>
>
> <commit justification>
>
> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
> ---
> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
> 1 file changed, 138 insertions(+)
> create mode 100755 debian/scripts/misc/fips-checks
>
> diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks
> new file mode 100755
> index 000000000000..9dadd3939a62
> --- /dev/null
> +++ b/debian/scripts/misc/fips-checks
> @@ -0,0 +1,138 @@ > +#!/bin/bash -eu > +export LC_ALL=C.UTF-8 > + > +usage() { > + cat << EOF > +Usage: ${P:-$(basename "$0")} [-h|--help] > + > +Check if there are any FIPS relevant changes since the last > +release. Any change that is identified should have a justification in > +the justifications file or the check will fail. > + > +Optional arguments: > + -h, --help Show this help message and exit. > + -p, --previous Version to use as the previous base version. > + -c, --current Version to use as the current base version. > + > +EOF > +} > + > +prev_base_version= > +curr_base_version= > +crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* ) > + > +c_red='\033[0;31m' > +c_green='\033[0;32m' > +c_off='\033[0m' > + > +# Parse arguments > +while [ "$#" -gt 0 ]; do > + case "$1" in > + -h|--help) > + usage > + exit 0 > + ;; > + -p|--previous) > + shift > + prev_base_version="$1" > + ;; > + -c|--current) > + shift > + curr_base_version="$1" > + ;; > + *) > + usage > + exit 1 > + ;; > + esac > + shift > +done > + > +DEBIAN= > +# shellcheck disable=SC1091 > +. debian/debian.env > + > +# Check if the "$DEBIAN" directory exists. > +if [ ! -d "$DEBIAN" ]; then > + echo "You must run this script from the top directory of this repository." > + exit 1 > +fi > + > +CONF="$DEBIAN/etc/update.conf" > +if [ ! -f "$CONF" ]; then > + echo "Missing file: $CONF" > + exit 1 > +fi > +# shellcheck disable=SC1090 > +. 
"$CONF" > + > +if [ "$DEBIAN_MASTER" = "" ]; then > + echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" > + exit 1 > +fi > + > +# Find the base kernel version use by the previous version > +if [ -z "$prev_base_version" ]; then > + offset=1 > + # Loop through each entry of the current changelog, searching for an > + # entry that refers to the master version used as base (ie a line > + # containing "[ Ubuntu: 4.15.0-39.42 ]"): > + while true; do > + changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") > + if ! [ "$changes" ]; then > + echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" > + exit 1 > + fi > + prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') > + [ "$prev_base_version" ] && break > + offset=$(( offset + 1 )) > + done > + if [ -z "${prev_base_version}" ]; then > + echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" > + exit 1 > + fi > +fi > + > +# Find the current base kernel version > +if [ -z "$curr_base_version" ]; then > + curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) > + if ! [ "$curr_base_version" ]; then > + echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" > + exit 1 > + fi > +fi > + > +# Check base kernel tags > +tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-" > +prev_tag="${tag_prefix}${prev_base_version}" > +curr_tag="${tag_prefix}${curr_base_version}" > +for tag in "$prev_tag" "$curr_tag"; do > + if ! git rev-parse --verify "$tag" &> /dev/null; then > + echo "Missing tag \"$tag\". Please fetch tags from base kernel." 
> + exit 1 > + fi > +done > + > +# Check all the changes > +fails=0 > +justifications_file="$DEBIAN/fips.justifications" > +justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) > +while read -r id; do > + short_msg=$(git log --format=%s --max-count=1 "$id") > + if echo "$justifications" | grep -q -x -F "$short_msg"; then > + echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" > + continue > + fi > + echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" > + fails=$(( fails + 1 )) > +done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") > + > +echo > +if [ "$fails" -gt 0 ]; then > + echo "FIPS relevant changes were found without justification: ${fails} change(s)." > + echo "Please, check the commits above and update the file \"${justifications_file}\"." > + exit 1 > +fi > + > +echo "Check completed without errors." > +exit 0 >
On Mon, Oct 04, 2021 at 08:21:27AM -0600, Tim Gardner wrote:
> <bikeshedding/>
>
> Since this is intended for master kernels, how about generalizing the
> nomenclature? For example, instead of do_fips_checks, how about
> do_justification_checks? And debian/scripts/misc/fips-checks -->
> debian/scripts/misc/justification-checks? I know this is likely to only
> ever be used for FIPS, but you never know.

We could make it more generic, but we would also need to make it possible to customize the crypto files it's checking. This part:

crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* )

I'm not sure if that's worth it.

>
> </bikeshedding>
>
> On 10/4/21 7:35 AM, Marcelo Henrique Cerri wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1945989
> >
> > Add a new script responsible for checking if any FIPS relevant commit
> > was added since the last version. If a new change is found, a
> > corresponding entry should exist in the justifications file otherwise
> > the check will fail.
> >
> > The justifications file is located at "${DEBIAN}/fips.justifications"
> > and should follow the following format for each commit justification:
> >
> > <commit short message>
> >
> > <commit justification>
> >
> > Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
> > ---
> > debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
> > 1 file changed, 138 insertions(+)
> > create mode 100755 debian/scripts/misc/fips-checks
> >
> > diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks
> > new file mode 100755
> > index 000000000000..9dadd3939a62
> > --- /dev/null
> > +++ b/debian/scripts/misc/fips-checks
> > @@ -0,0 +1,138 @@ > > +#!/bin/bash -eu > > +export LC_ALL=C.UTF-8 > > + > > +usage() { > > + cat << EOF > > +Usage: ${P:-$(basename "$0")} [-h|--help] > > + > > +Check if there are any FIPS relevant changes since the last > > +release. Any change that is identified should have a justification in > > +the justifications file or the check will fail. > > + > > +Optional arguments: > > + -h, --help Show this help message and exit. > > + -p, --previous Version to use as the previous base version. > > + -c, --current Version to use as the current base version. > > + > > +EOF > > +} > > + > > +prev_base_version= > > +curr_base_version= > > +crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* ) > > + > > +c_red='\033[0;31m' > > +c_green='\033[0;32m' > > +c_off='\033[0m' > > + > > +# Parse arguments > > +while [ "$#" -gt 0 ]; do > > + case "$1" in > > + -h|--help) > > + usage > > + exit 0 > > + ;; > > + -p|--previous) > > + shift > > + prev_base_version="$1" > > + ;; > > + -c|--current) > > + shift > > + curr_base_version="$1" > > + ;; > > + *) > > + usage > > + exit 1 > > + ;; > > + esac > > + shift > > +done > > + > > +DEBIAN= > > +# shellcheck disable=SC1091 > > +. debian/debian.env > > + > > +# Check if the "$DEBIAN" directory exists. > > +if [ ! -d "$DEBIAN" ]; then > > + echo "You must run this script from the top directory of this repository." > > + exit 1 > > +fi > > + > > +CONF="$DEBIAN/etc/update.conf" > > +if [ ! -f "$CONF" ]; then > > + echo "Missing file: $CONF" > > + exit 1 > > +fi > > +# shellcheck disable=SC1090 > > +. 
"$CONF" > > + > > +if [ "$DEBIAN_MASTER" = "" ]; then > > + echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" > > + exit 1 > > +fi > > + > > +# Find the base kernel version use by the previous version > > +if [ -z "$prev_base_version" ]; then > > + offset=1 > > + # Loop through each entry of the current changelog, searching for an > > + # entry that refers to the master version used as base (ie a line > > + # containing "[ Ubuntu: 4.15.0-39.42 ]"): > > + while true; do > > + changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") > > + if ! [ "$changes" ]; then > > + echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" > > + exit 1 > > + fi > > + prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') > > + [ "$prev_base_version" ] && break > > + offset=$(( offset + 1 )) > > + done > > + if [ -z "${prev_base_version}" ]; then > > + echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" > > + exit 1 > > + fi > > +fi > > + > > +# Find the current base kernel version > > +if [ -z "$curr_base_version" ]; then > > + curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) > > + if ! [ "$curr_base_version" ]; then > > + echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" > > + exit 1 > > + fi > > +fi > > + > > +# Check base kernel tags > > +tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-" > > +prev_tag="${tag_prefix}${prev_base_version}" > > +curr_tag="${tag_prefix}${curr_base_version}" > > +for tag in "$prev_tag" "$curr_tag"; do > > + if ! git rev-parse --verify "$tag" &> /dev/null; then > > + echo "Missing tag \"$tag\". Please fetch tags from base kernel." 
> > + exit 1 > > + fi > > +done > > + > > +# Check all the changes > > +fails=0 > > +justifications_file="$DEBIAN/fips.justifications" > > +justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) > > +while read -r id; do > > + short_msg=$(git log --format=%s --max-count=1 "$id") > > + if echo "$justifications" | grep -q -x -F "$short_msg"; then > > + echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" > > + continue > > + fi > > + echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" > > + fails=$(( fails + 1 )) > > +done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") > > + > > +echo > > +if [ "$fails" -gt 0 ]; then > > + echo "FIPS relevant changes were found without justification: ${fails} change(s)." > > + echo "Please, check the commits above and update the file \"${justifications_file}\"." > > + exit 1 > > +fi > > + > > +echo "Check completed without errors." > > +exit 0 > > > > -- > ----------- > Tim Gardner > Canonical, Inc
Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 10/4/21 8:55 AM, Marcelo Henrique Cerri wrote:
> On Mon, Oct 04, 2021 at 08:21:27AM -0600, Tim Gardner wrote:
>> <bikeshedding/>
>>
>> Since this is intended for master kernels, how about generalizing the
>> nomenclature? For example, instead of do_fips_checks, how about
>> do_justification_checks? And debian/scripts/misc/fips-checks -->
>> debian/scripts/misc/justification-checks? I know this is likely to only
>> ever be used for FIPS, but you never know.
>
> We could make it more generic, but we would also need to make it
> possible to customize the crypto files it's checking. This part:
>
> crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* )
>
> I'm not sure if that's worth it.
>
>>
>> </bikeshedding>
>>
>> On 10/4/21 7:35 AM, Marcelo Henrique Cerri wrote:
>>> BugLink: https://bugs.launchpad.net/bugs/1945989
>>>
>>> Add a new script responsible for checking if any FIPS relevant commit
>>> was added since the last version. If a new change is found, a
>>> corresponding entry should exist in the justifications file otherwise
>>> the check will fail.
>>>
>>> The justifications file is located at "${DEBIAN}/fips.justifications"
>>> and should follow the following format for each commit justification:
>>>
>>> <commit short message>
>>>
>>> <commit justification>
>>>
>>> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
>>> ---
>>> debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
>>> 1 file changed, 138 insertions(+)
>>> create mode 100755 debian/scripts/misc/fips-checks
>>>
>>> diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks
>>> new file mode 100755
>>> index 000000000000..9dadd3939a62
>>> --- /dev/null
>>> +++ b/debian/scripts/misc/fips-checks
>>> @@ -0,0 +1,138 @@ >>> +#!/bin/bash -eu >>> +export LC_ALL=C.UTF-8 >>> + >>> +usage() { >>> + cat << EOF >>> +Usage: ${P:-$(basename "$0")} [-h|--help] >>> + >>> +Check if there are any FIPS relevant changes since the last >>> +release. Any change that is identified should have a justification in >>> +the justifications file or the check will fail. >>> + >>> +Optional arguments: >>> + -h, --help Show this help message and exit. >>> + -p, --previous Version to use as the previous base version. >>> + -c, --current Version to use as the current base version. >>> + >>> +EOF >>> +} >>> + >>> +prev_base_version= >>> +curr_base_version= >>> +crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* ) >>> + >>> +c_red='\033[0;31m' >>> +c_green='\033[0;32m' >>> +c_off='\033[0m' >>> + >>> +# Parse arguments >>> +while [ "$#" -gt 0 ]; do >>> + case "$1" in >>> + -h|--help) >>> + usage >>> + exit 0 >>> + ;; >>> + -p|--previous) >>> + shift >>> + prev_base_version="$1" >>> + ;; >>> + -c|--current) >>> + shift >>> + curr_base_version="$1" >>> + ;; >>> + *) >>> + usage >>> + exit 1 >>> + ;; >>> + esac >>> + shift >>> +done >>> + >>> +DEBIAN= >>> +# shellcheck disable=SC1091 >>> +. debian/debian.env >>> + >>> +# Check if the "$DEBIAN" directory exists. >>> +if [ ! -d "$DEBIAN" ]; then >>> + echo "You must run this script from the top directory of this repository." >>> + exit 1 >>> +fi >>> + >>> +CONF="$DEBIAN/etc/update.conf" >>> +if [ ! -f "$CONF" ]; then >>> + echo "Missing file: $CONF" >>> + exit 1 >>> +fi >>> +# shellcheck disable=SC1090 >>> +. 
"$CONF" >>> + >>> +if [ "$DEBIAN_MASTER" = "" ]; then >>> + echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" >>> + exit 1 >>> +fi >>> + >>> +# Find the base kernel version use by the previous version >>> +if [ -z "$prev_base_version" ]; then >>> + offset=1 >>> + # Loop through each entry of the current changelog, searching for an >>> + # entry that refers to the master version used as base (ie a line >>> + # containing "[ Ubuntu: 4.15.0-39.42 ]"): >>> + while true; do >>> + changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") >>> + if ! [ "$changes" ]; then >>> + echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" >>> + exit 1 >>> + fi >>> + prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') >>> + [ "$prev_base_version" ] && break >>> + offset=$(( offset + 1 )) >>> + done >>> + if [ -z "${prev_base_version}" ]; then >>> + echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" >>> + exit 1 >>> + fi >>> +fi >>> + >>> +# Find the current base kernel version >>> +if [ -z "$curr_base_version" ]; then >>> + curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) >>> + if ! [ "$curr_base_version" ]; then >>> + echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" >>> + exit 1 >>> + fi >>> +fi >>> + >>> +# Check base kernel tags >>> +tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-" >>> +prev_tag="${tag_prefix}${prev_base_version}" >>> +curr_tag="${tag_prefix}${curr_base_version}" >>> +for tag in "$prev_tag" "$curr_tag"; do >>> + if ! git rev-parse --verify "$tag" &> /dev/null; then >>> + echo "Missing tag \"$tag\". Please fetch tags from base kernel." 
>>> + exit 1 >>> + fi >>> +done >>> + >>> +# Check all the changes >>> +fails=0 >>> +justifications_file="$DEBIAN/fips.justifications" >>> +justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) >>> +while read -r id; do >>> + short_msg=$(git log --format=%s --max-count=1 "$id") >>> + if echo "$justifications" | grep -q -x -F "$short_msg"; then >>> + echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" >>> + continue >>> + fi >>> + echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" >>> + fails=$(( fails + 1 )) >>> +done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") >>> + >>> +echo >>> +if [ "$fails" -gt 0 ]; then >>> + echo "FIPS relevant changes were found without justification: ${fails} change(s)." >>> + echo "Please, check the commits above and update the file \"${justifications_file}\"." >>> + exit 1 >>> +fi >>> + >>> +echo "Check completed without errors." >>> +exit 0 >>> >> >> -- >> ----------- >> Tim Gardner >> Canonical, Inc >
diff --git a/debian/scripts/misc/fips-checks b/debian/scripts/misc/fips-checks new file mode 100755 index 000000000000..9dadd3939a62 --- /dev/null +++ b/debian/scripts/misc/fips-checks 
@@ -0,0 +1,138 @@ +#!/bin/bash -eu +export LC_ALL=C.UTF-8 + +usage() { + cat << EOF +Usage: ${P:-$(basename "$0")} [-h|--help] + +Check if there are any FIPS relevant changes since the last +release. Any change that is identified should have a justification in +the justifications file or the check will fail. + +Optional arguments: + -h, --help Show this help message and exit. + -p, --previous Version to use as the previous base version. + -c, --current Version to use as the current base version. + +EOF +} + +prev_base_version= +curr_base_version= +crypto_files=( crypto arch/x86/crypto drivers/char/random.c lib/sha\* ) + +c_red='\033[0;31m' +c_green='\033[0;32m' +c_off='\033[0m' + +# Parse arguments +while [ "$#" -gt 0 ]; do + case "$1" in + -h|--help) + usage + exit 0 + ;; + -p|--previous) + shift + prev_base_version="$1" + ;; + -c|--current) + shift + curr_base_version="$1" + ;; + *) + usage + exit 1 + ;; + esac + shift +done + +DEBIAN= +# shellcheck disable=SC1091 +. debian/debian.env + +# Check if the "$DEBIAN" directory exists. +if [ ! -d "$DEBIAN" ]; then + echo "You must run this script from the top directory of this repository." + exit 1 +fi + +CONF="$DEBIAN/etc/update.conf" +if [ ! -f "$CONF" ]; then + echo "Missing file: $CONF" + exit 1 +fi +# shellcheck disable=SC1090 +. "$CONF" + +if [ "$DEBIAN_MASTER" = "" ]; then + echo "DEBIAN_MASTER should be defined either in $DEBIAN/etc/update.conf or the environment" + exit 1 +fi + +# Find the base kernel version use by the previous version +if [ -z "$prev_base_version" ]; then + offset=1 + # Loop through each entry of the current changelog, searching for an + # entry that refers to the master version used as base (ie a line + # containing "[ Ubuntu: 4.15.0-39.42 ]"): + while true; do + changes=$(dpkg-parsechangelog -l"$DEBIAN/changelog" -SChanges -c1 -o"$offset") + if ! 
[ "$changes" ]; then + echo "Failed to retrieve base master version from changelog file: $DEBIAN/changelog" + exit 1 + fi + prev_base_version=$(echo "$changes" | sed -n -r -e '/^\s.*\[ Ubuntu: ([~0-9.-]*) \]$/{s//\1/p;q}') + [ "$prev_base_version" ] && break + offset=$(( offset + 1 )) + done + if [ -z "${prev_base_version}" ]; then + echo "Failed to retrieve base version from previous version from changelog: $DEBIAN/changelog" + exit 1 + fi +fi + +# Find the current base kernel version +if [ -z "$curr_base_version" ]; then + curr_base_version=$(dpkg-parsechangelog -l"${DEBIAN_MASTER}/changelog" -SVersion) + if ! [ "$curr_base_version" ]; then + echo "Failed to retrieve current master version from changelog: $DEBIAN_MASTER/changelog" + exit 1 + fi +fi + +# Check base kernel tags +tag_prefix="Ubuntu-${DEBIAN_MASTER#debian.}-" +prev_tag="${tag_prefix}${prev_base_version}" +curr_tag="${tag_prefix}${curr_base_version}" +for tag in "$prev_tag" "$curr_tag"; do + if ! git rev-parse --verify "$tag" &> /dev/null; then + echo "Missing tag \"$tag\". Please fetch tags from base kernel." + exit 1 + fi +done + +# Check all the changes +fails=0 +justifications_file="$DEBIAN/fips.justifications" +justifications=$(grep -P '^[^#\s]' "$justifications_file" 2> /dev/null || true) +while read -r id; do + short_msg=$(git log --format=%s --max-count=1 "$id") + if echo "$justifications" | grep -q -x -F "$short_msg"; then + echo -e "${c_green}OK${c_off} | ${id::12} ${short_msg}" + continue + fi + echo -e "${c_red}FAIL${c_off} | ${id::12} ${short_msg}" + fails=$(( fails + 1 )) +done < <(git rev-list "${prev_tag}..${curr_tag}" -- "${crypto_files[@]}") + +echo +if [ "$fails" -gt 0 ]; then + echo "FIPS relevant changes were found without justification: ${fails} change(s)." + echo "Please, check the commits above and update the file \"${justifications_file}\"." + exit 1 +fi + +echo "Check completed without errors." +exit 0
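Review bot: the acceptance test in the final loop, `if echo "$justifications" | grep -q -x -F "$short_msg"; then`, keys on the commit subject alone, so one line in fips.justifications accepts every commit carrying that subject in this and every later release, and two distinct changes that share a subject (a change and its revert, or a second "fix typo" in the same file) are both passed by a single justification. Consider recording the abbreviated commit id next to the subject in the justifications file and matching on `${id::12}` as well, so each entry is tied to one change and stale entries can be spotted. Two smaller points in the same hunk: `-p|--previous)` and `-c|--current)` `shift` and then read `$1` unconditionally, so under `#!/bin/bash -eu` an option given as the last argument without a value aborts with an unbound-variable message instead of the usage text (check `$#` after the shift); and `grep -P '^[^#\s]'` treats any non-indented, non-comment line as a subject, so the file format should state that the justification text is indented, which the `<commit short message>` / `<commit justification>` description in the commit message does not say.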
BugLink: https://bugs.launchpad.net/bugs/1945989

Add a new script responsible for checking if any FIPS relevant commit was added since the last version. If a new change is found, a corresponding entry should exist in the justifications file; otherwise the check will fail.

The justifications file is located at "${DEBIAN}/fips.justifications" and should follow the following format for each commit justification:

<commit short message>

<commit justification>

Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
---
 debian/scripts/misc/fips-checks | 138 ++++++++++++++++++++++++++++++++
 1 file changed, 138 insertions(+)
 create mode 100755 debian/scripts/misc/fips-checks