** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Impish)
   Importance: Undecided
       Status: Incomplete

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Impish)
       Status: Incomplete => In Progress

** Changed in: linux (Ubuntu Hirsute)
       Status: New => In Progress

** Changed in: linux (Ubuntu Focal)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Focal)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Hirsute)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Impish)
       Status: In Progress => Fix Committed

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947174

Title:
  Add final-checks to check certificates

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Fix Committed
Status in linux source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * As part of landing builtin revocation certificates work
     https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has
     been identified that many kernels do not correctly enforce newly
     enforced keys in the derivative flavours. I.e. due to annotations
     not importing parent annotations, due to not having do_enforce_all,
     or using older formats of annotations files.

   * As part of FIPS validation work, final-checks got added to check and
     assert that correct things are turned on.

   * It has been agreed that having a final-check for builtin system
     trusted & revocation certificates would be a good thing.
     If packaging declares that certain certificates should be built-in
     trusted or revoked, the kernel must be configured pointing at the
     packaging generated .pem bundle in the config.

  [Test Plan]

   * Kernel should build

   * If trusted or revocation are configured in packaging but the config
     option is misconfigured (i.e. typo or not set), the kernel build
     and cranky close should fail

  [Where problems could occur]

   * This is a packaging change only, thus may result in valid kernels
     ftbfs but should be easy to rectify.

  [Other Info]

   * Also see
     https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and
     kernels that derived from a primary kernel that had that fixed, and
     the subsequently failed boot testing due to not enabling those
     options.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
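
The check described in the bug, as an added example (not part of the notification and not Ubuntu's actual final-checks script). CONFIG_SYSTEM_TRUSTED_KEYS and CONFIG_SYSTEM_REVOCATION_KEYS are the upstream kernel options for built-in trusted and revoked certificates; the pkg/ directory layout, the .pem file names and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not Ubuntu's final-checks script. Directory and .pem names
# under pkg/ are assumptions; the CONFIG_* names are upstream kernel options.

# check_cert_option CONFIG OPTION CERT_DIR PEM
# If packaging ships CERT_DIR, CONFIG must contain the exact line OPTION="PEM".
check_cert_option() {
    cc_config=$1 cc_option=$2 cc_dir=$3 cc_pem=$4
    # Packaging declares no certificates of this kind: nothing to enforce.
    [ -d "$cc_dir" ] || return 0
    # -x/-F: whole-line, literal match, so a typo or an unset option fails.
    if grep -qxF -- "${cc_option}=\"${cc_pem}\"" "$cc_config"; then
        return 0
    fi
    echo "EE: $cc_dir present but $cc_option is not \"$cc_pem\"" >&2
    return 1
}

# final_check_certs ROOT: check ROOT/config against ROOT/pkg; returns the
# number of failed checks (0 means the build may proceed).
final_check_certs() {
    fc_root=$1 fc_fails=0
    check_cert_option "$fc_root/config" CONFIG_SYSTEM_TRUSTED_KEYS \
        "$fc_root/pkg/certs" "pkg/trusted-certs.pem" || fc_fails=$((fc_fails + 1))
    check_cert_option "$fc_root/config" CONFIG_SYSTEM_REVOCATION_KEYS \
        "$fc_root/pkg/revoked-certs" "pkg/revoked-certs.pem" || fc_fails=$((fc_fails + 1))
    return "$fc_fails"
}

# make_sample LINE1 LINE2: constructed tree where packaging declares both
# trusted and revoked certificates and the config holds the two given lines.
make_sample() {
    ms_root=$(mktemp -d) || return 1
    mkdir -p "$ms_root/pkg/certs" "$ms_root/pkg/revoked-certs"
    printf '%s\n' "$1" "$2" > "$ms_root/config"
    echo "$ms_root"
}

demo=$(make_sample 'CONFIG_SYSTEM_TRUSTED_KEYS="pkg/trusted-certs.pem"' \
                   'CONFIG_SYSTEM_REVOCATION_KEYS="pkg/revoked-certs.pem"')
final_check_certs "$demo" && echo "final-checks: certificate config OK"
rm -rf "$demo"
```

A non-zero return from final_check_certs is what would make the build fail, matching the second item of the test plan.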