** Description changed: For arm64 we want our default signed kernel to be bundled with stubble and dtbs. This bug tracks progress on the integration work needed. stubble will allow us to load device trees automatically as part of an EFI boot stub on Qualcomm Snapdragon laptops and have them signed/verified with UEFI secure boot. A more detailed explanation for how and why we plan this is available in the form of a spec at https://discourse.ubuntu.com/t/spec-stubble-a-secure-boot-friendly- device-tree-loading-efi-stub/66560 Status ====== [X] Package stubble - https://launchpad.net/ubuntu/+source/stubble (needs another update) [X] MIR - https://bugs.launchpad.net/ubuntu/+source/stubble/+bug/2120322 [X] Get signing request reviewed - https://github.com/rhboot/shim-review/issues/484 [X] Upload latest stubble changes [ ] Integrate into kernel build [ ] Drop flash-kernel dependency from ubuntu-x1*-settings [ ] Update debian-cd to remove dtb hacks - [ stubble FFe ] + [ stubble 4-0ubuntu2 FFe ] For convenience reasons we would like to add some of the kernel packaging/signing logic in the stubble package instead of putting it into linux-signed directly. This would include a new binary package including a kernel postinst script that builds a stubble bundled kernel. The new package pulled in by linux-signed as a dependency. While we are there I would also like to include a patch to hide a verbose error message in stubble behind the debug flag. The risk of the stubble upload itself should be pretty low since it is a new package that doesn't yet have any reverse dependencies. The planned changes are available in the upstream repo at https://github.com/ubuntu/stubble/tree/ubuntu/main PPA builds will be available in https://launchpad.net/~apw/+archive/ubuntu/signing/+packages where we test the entire kernel build + signing pipeline
-- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta in Ubuntu. https://bugs.launchpad.net/bugs/2121352 Title: [FFe] arm64: Build stubble kernel Status in linux-meta package in Ubuntu: New Status in linux-signed package in Ubuntu: New Status in stubble package in Ubuntu: New Status in linux-meta source package in Questing: New Status in linux-signed source package in Questing: New Status in stubble source package in Questing: New Bug description: For arm64 we want our default signed kernel to be bundled with stubble and dtbs. This bug tracks progress on the integration work needed. stubble will allow us to load device trees automatically as part of an EFI boot stub on Qualcomm Snapdragon laptops and have them signed/verified with UEFI secure boot. A more detailed explanation for how and why we plan this is available in the form of a spec at https://discourse.ubuntu.com/t/spec-stubble-a-secure-boot-friendly- device-tree-loading-efi-stub/66560 Status ====== [X] Package stubble - https://launchpad.net/ubuntu/+source/stubble (needs another update) [X] MIR - https://bugs.launchpad.net/ubuntu/+source/stubble/+bug/2120322 [X] Get signing request reviewed - https://github.com/rhboot/shim-review/issues/484 [X] Upload latest stubble changes [ ] Integrate into kernel build [ ] Drop flash-kernel dependency from ubuntu-x1*-settings [ ] Update debian-cd to remove dtb hacks [ stubble 4-0ubuntu2 FFe ] For convenience reasons we would like to add some of the kernel packaging/signing logic in the stubble package instead of putting it into linux-signed directly. This would include a new binary package including a kernel postinst script that builds a stubble bundled kernel. The new package pulled in by linux-signed as a dependency. While we are there I would also like to include a patch to hide a verbose error message in stubble behind the debug flag. The risk of the stubble upload itself should be pretty low since it is a new package that doesn't yet have any reverse dependencies. The planned changes are available in the upstream repo at https://github.com/ubuntu/stubble/tree/ubuntu/main PPA builds will be available in https://launchpad.net/~apw/+archive/ubuntu/signing/+packages where we test the entire kernel build + signing pipeline To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-meta/+bug/2121352/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
