Public bug reported:

To allow decoupling of nvidia-graphics-drivers-<version> streams and
versions from the underlying kernel versions we wish to be able to sign
new kernel modules into an existing kernel after the fact.  Under bug
#1898716 we added support for an Ubuntu Modules signing key certificate.
Rebuild the LRM package to make use of this new signature.

This involves splitting the LRM package into three.  linux-restricted-modules
first builds the nvidia-graphics-drivers-* we require signed.
linux-restricted-generate then consumes the .o's produced in that build
and forms a signing custom binary upload for this.
linux-restricted-signatures then consumes the signing result from the LRG
upload and expresses clean redistributable signatures which are consumed
by LRM at installation time.  LRG must be embargoed as it (necessarily)
generates fully formed .ko files for signing.

Additional process is added to the kernel build life-cycle to handle the
privacy requirements of the LRG/LRS interaction.

** Affects: linux-restricted-modules (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-restricted-modules in Ubuntu.
https://bugs.launchpad.net/bugs/1918134

Title:
  LRMv4: switch to signing nvidia modules via the Ubuntu Modules signing
  key

Status in linux-restricted-modules package in Ubuntu:
  New
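
The split between embargoed signed .ko files (LRG) and redistributable signatures (LRS) relies on the Linux kernel's appended-signature layout: a module signature is a trailer that can be detached from the module body and re-attached later. The sketch below is an added example, not code from the LRM/LRG/LRS packages. The bug report does not describe how those packages store or apply signatures, so the function names and sample bytes are hypothetical, and only the trailer layout (PKCS#7 blob, 12-byte `struct module_signature`, magic string) is taken from the kernel.

```python
import struct

# Kernel appended-signature layout: body || PKCS#7 sig || module_signature || MAGIC
MAGIC = b"~Module signature appended~\n"
TRAILER = struct.Struct(">BBBBB3xI")   # algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len
PKEY_ID_PKCS7 = 2


def split_signed_module(blob: bytes):
    """Return (module_body, detached_signature), or (blob, None) if unsigned."""
    if not blob.endswith(MAGIC):
        return blob, None
    end = len(blob) - len(MAGIC)
    if end < TRAILER.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = TRAILER.unpack(
        blob[end - TRAILER.size:end])
    # The kernel accepts only PKCS#7 here, with the legacy fields zeroed.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unexpected module_signature fields")
    sig_start = end - TRAILER.size - sig_len
    if sig_start < 0:
        raise ValueError("sig_len exceeds file size")
    return blob[:sig_start], blob[sig_start:end - TRAILER.size]


def attach_signature(module_body: bytes, signature: bytes) -> bytes:
    """Re-attach a detached signature to a locally built, unsigned module body."""
    if module_body.endswith(MAGIC):
        raise ValueError("module already carries a signature")
    trailer = TRAILER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(signature))
    return module_body + signature + trailer + MAGIC


if __name__ == "__main__":
    body = b"\x7fELF" + b"constructed module body"   # constructed, not a real .ko
    sig = b"constructed-pkcs7-placeholder"           # stands in for the signer's output
    signed = attach_signature(body, sig)
    detached_body, detached_sig = split_signed_module(signed)
    print(detached_body == body, detached_sig == sig)
```

A detached signature only verifies if the module body on the installing machine is byte-identical to the one that was signed, so any such scheme needs a reproducible link step.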

