Comment 0 for bug 2055083

Magali Lemes do Sacramento (magalilemes) wrote : Make fips-check script aware of commit reverts

[Impact]

When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept.

Currently there is a fips-check script that complains whenever a commit with crypto-related changes is found without any justification. However, this script does not account for cases where these commits are reverted and will fail even in these cases.

[Fix]

After finding the commits that touch crypto source, also look for commits that revert them.

[Test Plan]

Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two commits that touch crypto source. Revert those commits (and do not forget to follow the convention of adding `UBUNTU: SAUCE` to the commit subject). Proceed to prepare the kernel, and at the `cranky close` step, confirm that it can be run without any errors.

[Where problems could occur]

This only affects the preparation of FIPS kernels and not the final kernel binary.
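
An added illustration of the [Fix] described above, not the fips-check script itself and not code from this bug report: it pairs crypto-touching commits with later commits that revert them, and also handles a revert that is itself reverted. The path patterns, the commit record layout and the function names are assumptions; the `This reverts commit <sha>` line is what `git revert` writes into the commit body by default.

```python
import re
from fnmatch import fnmatchcase

# Assumed patterns for "crypto source"; the real script's list is not on the page.
CRYPTO_GLOBS = ("crypto/*", "arch/*/crypto/*", "drivers/crypto/*")
# Line that `git revert` puts in the body of the commit it creates.
REVERT_RE = re.compile(r"This reverts commit ([0-9a-f]{40})")

def touches_crypto(files):
    return any(fnmatchcase(f, g) for f in files for g in CRYPTO_GLOBS)

def needs_justification(commits, justified=()):
    """commits: oldest-first dicts (sha, subject, body, files); returns shas to justify."""
    active, reverts = {}, {}

    def set_active(sha, value):
        active[sha] = value
        if sha in reverts:  # cancelling a revert re-applies what it reverted
            set_active(reverts[sha], not value)

    for c in commits:
        m = REVERT_RE.search(c["body"])
        if m and m.group(1) in active:  # target is inside the range being checked
            reverts[c["sha"]] = m.group(1)
            set_active(m.group(1), False)
        active[c["sha"]] = True
    # A revert of an in-range commit nets to nothing, so it is not reported itself;
    # a revert whose target is outside the range is still a crypto change.
    return [c["sha"] for c in commits
            if touches_crypto(c["files"]) and active[c["sha"]]
            and c["sha"] not in reverts and c["sha"] not in justified]

def make_commit(ch, subject, files, reverts=None):
    # Constructed sample record; shas are one hex digit repeated 40 times.
    body = f"This reverts commit {reverts * 40}." if reverts else ""
    return {"sha": ch * 40, "subject": subject, "body": body, "files": files}

SAMPLE = [
    make_commit("a", "crypto: sample change A", ["crypto/drbg.c"]),
    make_commit("b", "net: sample change B", ["net/core/dev.c"]),
    make_commit("c", "crypto: sample change C", ["arch/x86/crypto/sample.c"]),
    make_commit("d", 'UBUNTU: SAUCE: Revert "crypto: sample change A"', ["crypto/drbg.c"], reverts="a"),
    make_commit("e", 'UBUNTU: SAUCE: Revert "crypto: older change"', ["crypto/testmgr.c"], reverts="f"),
]

if __name__ == "__main__":
    print(needs_justification(SAMPLE))
```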