** Summary changed:

- Make fips-check script aware of commit reverts
+ Drop fips-check script from trees

** Description changed:

  [Impact]
  When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept.
+ For that, we have a fips-check script that lives under debian/ in Focal,
+ Jammy, Mantic and Noble.

- Currently there is a fips-check script that complains whenever a commit
- with crypto-related changes is found without any justification. However,
- this script does not account for cases where these commits are reverted
- and will fail even in these cases.
+ This script has been moved to `cranky`[1], so now there is no need to
+ have this script in the kernel Git trees as well.
+
+ [1] https://git.launchpad.net/~canonical-kernel/+git/kteam-
+ tools/commit/?id=2ab9364d4b4c18bee7d835787d7dd11990103bca

  [Fix]
- After finding the commits that touch crypto source, also look for
- commits that revert them.
+ Remove the fips-check script and its calls.

  [Test Plan]
- Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two
- commits that touch crypto source. Revert those commits (and do not
- forget to follow the convention of adding `UBUNTU: SAUCE` to the commit
- subject). Proceed to prepare the kernel, and at the `cranky close` step,
- confirm that it can be run without any errors.
+ Prepare a kernel and ensure that the `cranky close` step runs without
+ any errors.

  [Where problems could occur]
- This only affects the preparation of FIPS kernels and not the kernel
- final binary.
+ This only affects the preparation of FIPS kernels and not the kernel final binary. Moreover, I've prepared some FIPS kernels from the 2024.03.04 cycle relying on `cranky check-fips` to ensure that
+ we have it working well on the cranky side too.
https://bugs.launchpad.net/bugs/2055083

Title:
  Drop fips-check script from trees