This bug is awaiting verification that the linux/5.4.0-90.101 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal

https://bugs.launchpad.net/bugs/1947174

Title:
  Add final-checks to check certificates

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Fix Committed
Status in linux source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * As part of landing builtin revocation certificates work
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has
  been identified that many kernels do not correctly enforce newly
  enforced keys in the derivative flavours. I.e. due to annotations not
  importing parent annotations, due to not having do_enforce_all, or
  using older formats of annotations files.

   * As part of FIPS validation work final-checks got added to check and
  assert that correct things are turned on.

   * It has been agreed that having a final-check for builtin system
  trusted & revocation certificates would be a good thing. If packaging
  declares that certain certificates should be built-in trusted or
  revoked, the kernel must be configured pointing at the packaging
  generated .pem bundle in the config.

  [Test Plan]

   * Kernel should build

   * If trusted or revocation are configured in packaging but the config
  option is misconfigured (i.e. typo or not set), the kernel build and
  cranky close should fail

  [Where problems could occur]

   * This is a packaging change only, thus may result in valid kernels
  ftbfs but should be easy to rectify.

  [Other Info]

   * Also see
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and
  kernels that derived from a primary kernel that had that fixed, and
  the subsequently failed boot testing due to not enabling those
  options.
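
The check asked for in the bug description, sketched as an added example; it is not the Ubuntu kernel packaging's own final-checks script. CONFIG_SYSTEM_TRUSTED_KEYS and CONFIG_SYSTEM_REVOCATION_KEYS are the mainline Kconfig symbols for the built-in trusted and revocation bundles; the directory layout, bundle paths and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: final-check that the kernel config points at the
# certificate bundles the packaging declares.
# Assumptions (hypothetical, not from the bug report): certificates are
# declared by placing files in <pkgdir>/certs and <pkgdir>/revoked-certs,
# and the generated bundles live at the two paths below.
TRUSTED_BUNDLE="debian/example-certs.pem"
REVOKED_BUNDLE="debian/example-revoked-certs.pem"

# config_value <config-file> <option>: print the unquoted value, empty if unset.
config_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# has_certs <dir>: true if the directory exists and is not empty.
has_certs() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# check_one <config-file> <option> <declared-dir> <expected-bundle>
check_one() {
    has_certs "$3" || return 0    # nothing declared, nothing to enforce
    actual=$(config_value "$1" "$2")
    if [ "$actual" != "$4" ]; then
        echo "FAIL: $2 is '${actual:-unset}', expected '$4'" >&2
        return 1
    fi
}

# check_cert_config <config-file> <pkgdir>: non-zero on any mismatch, so a
# typo or an unset option fails the build instead of shipping silently.
check_cert_config() {
    rc=0
    check_one "$1" CONFIG_SYSTEM_TRUSTED_KEYS "$2/certs" "$TRUSTED_BUNDLE" || rc=1
    check_one "$1" CONFIG_SYSTEM_REVOCATION_KEYS "$2/revoked-certs" "$REVOKED_BUNDLE" || rc=1
    return "$rc"
}
```

Both options are always checked before returning, so one build log shows every misconfigured bundle rather than only the first.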