ARM64 signed linux-images packages have arbitrary timestamp

Bug #2045684 reported by Dimitri John Ledkov
Affects: linux-signed (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

ARM64 signed linux-images packages encode arbitrary timestamp

$ file /boot/vmlinuz-6.6.0-14-generic
/boot/vmlinuz-6.6.0-14-generic: gzip compressed data, was "vmlinuz-6.6.0-14-generic.efi.signed", last modified: Fri Dec 1 18:54:57 2023, max compression, from Unix, original size modulo 2^32 56127880

Note that the original filename and timestamp are encoded in the gzip content header, which is not reproducible and not roundtrip safe. This makes it difficult to do gymnastics to convert from linux-unsigned, to linux-signed, to kernel.efi, and back and preserve the same checksum or HMAC of the file, as needed by FIPS or just pure curiosity to confirm that the kernel image is the same across all image formats we ship.

The fix is to use the -n (--no-name) option of gzip to compress the file without a filename or timestamp.

$ file linux-image/boot/vmlinuz-6.6.0-14-generic.new
/boot/vmlinuz-6.6.0-14-generic.new: gzip compressed data, max compression, from Unix, original size modulo 2^32 56127880
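The following is an added example, not code from this bug report or from the linux-signed package. It reproduces the two header variants described above with Python's standard gzip module (a named member with an MTIME, as gzip(1) writes by default, and a stripped one equivalent to `gzip -n`), parses the RFC 1952 header to show which fields are present, and confirms that the compressed files differ while the decompressed payload digest is identical. The kernel payload and the timestamp value are constructed sample data, not the real image.

```python
import gzip
import hashlib
import io
import struct

# Constructed stand-in for the kernel image; only its bytes matter here.
SAMPLE_KERNEL = b"placeholder-kernel-image-bytes-" * 2000

# Constructed sample mtime; file(1) prints the real one in local time.
SAMPLE_MTIME = 1701456897

# RFC 1952 FLG bits
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_gzip_header(data):
    """Return (mtime, original_name) from the first gzip member header.

    original_name is None when the FNAME flag is clear, which is what
    `gzip -n` produces; mtime is the raw 32-bit MTIME field (0 when unset).
    """
    if data[:2] != b"\x1f\x8b" or data[2] != 8:
        raise ValueError("not a gzip/deflate stream")
    flags = data[3]
    mtime = struct.unpack("<I", data[4:8])[0]
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:
        xlen = struct.unpack("<H", data[pos:pos + 2])[0]
        pos += 2 + xlen
    name = None
    if flags & FNAME:
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
    return mtime, name


def gzip_with_name(payload, filename, mtime):
    """Default gzip(1) behaviour: FNAME and MTIME recorded in the header."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=filename, mode="wb", fileobj=buf, mtime=mtime) as f:
        f.write(payload)
    return buf.getvalue()


def gzip_no_name(payload):
    """Equivalent of `gzip -n`: empty filename clears FNAME, mtime=0 clears MTIME."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename="", mode="wb", fileobj=buf, mtime=0) as f:
        f.write(payload)
    return buf.getvalue()


def is_reproducible_header(data):
    """True when neither a filename nor a timestamp is embedded."""
    mtime, name = parse_gzip_header(data)
    return mtime == 0 and name is None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def payload_digest(gz_data):
    """Digest of the decompressed content, which the header does not affect."""
    return sha256_hex(gzip.decompress(gz_data))


if __name__ == "__main__":
    named = gzip_with_name(SAMPLE_KERNEL, "vmlinuz-6.6.0-14-generic.efi.signed", SAMPLE_MTIME)
    stripped = gzip_no_name(SAMPLE_KERNEL)
    print("default header :", parse_gzip_header(named))
    print("gzip -n header :", parse_gzip_header(stripped))
    print("compressed files identical:", named == stripped)
    print("payload digests identical  :", payload_digest(named) == payload_digest(stripped))
```

Running it shows that the two compressed files have different checksums even though the inner image is byte-identical, which is exactly why a checksum or HMAC taken over the gzip file only roundtrips when the header is stripped. The `parse_gzip_header` check is the programmatic counterpart of the `file` output quoted in the report: an absent filename and an MTIME of zero are what a reproducible image must show.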

Dimitri John Ledkov (xnox) wrote:
description: updated
Changed in linux-signed (Ubuntu):
status: New → In Progress
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux-signed - 6.8.0-11.11

---------------
linux-signed (6.8.0-11.11) noble; urgency=medium

  * Main version: 6.8.0-11.11

  * Miscellaneous Ubuntu changes
    - debian/tracking-bug -- update from main

 -- Paolo Pisati <email address hidden> Wed, 14 Feb 2024 00:04:58 +0100

Changed in linux-signed (Ubuntu):
status: In Progress → Fix Released