** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1947174

Title:
  Add final-checks to check certificates

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux source package in Impish:
  Fix Released

Bug description:
  [Impact]

   * As part of landing builtin revocation certificates work
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has
  been identified that many kernels do not correctly enforce newly
  enforced keys in the derivative flavours. I.e. due to annotations not
  importing parent annotations, due to not having do_enforce_all, or
  using older formats of annotations files.

   * As part of FIPS validation work final-checks got added to check and
  assert that correct things are turned on.

   * It has been agreed that having a final-check for builtin system
  trusted & revocation certificates would be a good thing. If packaging
  declares that certain certificates should be built-in trusted or
  revoked, the kernel must be configured pointing at the packaging
  generated .pem bundle in the config.

  [Test Plan]

   * Kernel should build

   * If trusted or revocation are configured in packaging but the config
  option is misconfigured (i.e. typo or not set), the kernel build and
  cranky close should fail

  [Where problems could occur]

   * This is a packaging change only, thus may result in valid kernels
  ftbfs but should be easy to rectify.

  [Other Info]

   * Also see
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and
  kernels that derived from a primary kernel that had that fixed, and
  subsequently failed boot testing due to not enabling those options.
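
The check described in the test plan, as an added shell example (not Ubuntu's packaging code and not part of the bug report). It assumes packaging declares certificates by generating a .pem bundle, and uses the upstream Kconfig options CONFIG_SYSTEM_TRUSTED_KEYS and CONFIG_SYSTEM_REVOCATION_KEYS; the function names and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Ubuntu's final-checks script. File names are constructed.

# Print the quoted string value of OPTION in CONFIG (empty if unset or misspelled).
config_value() {
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

# check_cert_option CONFIG OPTION PEM
# Assumption: packaging "declares" certificates by generating the bundle PEM,
# so the requirement applies only when that file exists.
check_cert_option() {
    [ -f "$3" ] || return 0
    value=$(config_value "$1" "$2")
    if [ "$value" != "$3" ]; then
        echo "EE: $3 is generated but $2=\"$value\" in $1" >&2
        return 1
    fi
}

# Run both checks so one failure does not hide the other.
final_check_certs() {
    rc=0
    check_cert_option "$1" CONFIG_SYSTEM_TRUSTED_KEYS "$2" || rc=1
    check_cert_option "$1" CONFIG_SYSTEM_REVOCATION_KEYS "$3" || rc=1
    return $rc
}

# Constructed input: both bundles exist, revocation option left unset.
demo() (
    dir=$(mktemp -d) && cd "$dir" && mkdir debian || exit 2
    : > debian/sample-trusted.pem
    : > debian/sample-revoked.pem
    printf '%s\n' 'CONFIG_SYSTEM_TRUSTED_KEYS="debian/sample-trusted.pem"' \
        '# CONFIG_SYSTEM_REVOCATION_KEYS is not set' > sample.config
    rc=0
    final_check_certs sample.config debian/sample-trusted.pem \
        debian/sample-revoked.pem || rc=$?
    cd / && rm -rf "$dir"
    exit $rc
)

demo || echo "final check failed as intended: the build would stop here"
```

A misspelled option name is caught the same way as an unset one, because the lookup matches the exact option name and otherwise yields an empty value.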