[trusty/xenial SRU] switch to a signed-only kernel and add buildinfo


[trusty/xenial SRU] switch to a signed-only kernel and add buildinfo

Andy Whitcroft-3
We are working up to enforcing kernel signatures out of shim/grub
by default and then we will rotate the EFI key.  The result of this
additional enforcement will be to make it significantly more problematic
on such systems if the signed kernel binary is not present.  Having this
held on by a separate meta package has proven problematic as it tends to
get pushed off most easily by apt.  In later series we have successfully
migrated to a signed-only kernel image.  This is used in both EFI secure
boot environments and unsigned alike; the signature being benign extra
data at the end of the kernel image.

All series bionic and later are already converted; this leaves trusty
and xenial needing remediation.  Only kernels offering signed images
need actual remediation.  I believe this is the following four kernels;
there are other signed kernels in trusty and xenial, but those are all
based on later series and thus already remediated:

        xenial/linux
        trusty/linux-lts-xenial
        trusty/linux
        precise/linux-lts-trusty

At the bottom of this email are the three pull requests each for
xenial/linux and trusty/linux; a pull request for linux, linux-signed, and
linux-meta for each.  For the primary kernel packages these carry two sets
of changes, firstly a block of change against LP: #1764794[1] which is the
conversion to signed-only kernels, and secondly a block of change against
LP: #1806380[2] which brings the linux-buildinfo support to these kernels.
The linux-signed and linux-meta changes only relate to signed-only changes.

[1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794
[2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1806380

I have decided to conflate these two together as both represent major
upheaval in the primary packaging and as such will require exactly the
same testing to validate.  It therefore seems reasonable to apply these
at the same time and handle any fallout in one hit.

I will prepare further pull requests for the trusty/linux-lts-xenial and
precise/linux-lts-trusty kernels and submit those shortly.  The changes
there should be much simpler in those as they share the primary packaging.
Other derivatives should (in theory) be unaffected by the packaging changes
as long as they do not support and enable signing in their configuration,
other than the need to add the retpoline headers to any existing ABI
information.  This will be familiar from application of the buildinfo
changes to later series.

I have done binary comparisons of the package contents for both xenial and
trusty for the signed-only changes.  I am waiting on test builds with the
additional buildinfo changes applied to recheck that has not regressed
package contents.  I will reply to this thread with the results of that
testing once the builders have ground through them.

I understand that this is essentially unreviewable, and that this level
of change is undesirable in kernels which are this old; in particular
trusty/linux which is close to EOL.  We are forced to update that as it
will enter ESM and so remains a problem from a key rotation perspective.

-apw


== xenial ==
The following changes since commit be36fafc3373eb2825e64446652314d20f2d50a4:

  UBUNTU: Ubuntu-4.4.0-142.168 (2019-01-16 17:35:07 +0100)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/xenial signing-redux/buildinfo

for you to fetch changes up to 3430730d22f337e5e2bf65caa04b5aacc0e345f4:

  UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:07 +0000)

----------------------------------------------------------------
  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] zfs/spl -- enhance provides information
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] Add linux-tools-host package for VM host tools
    - [Packaging] signing should be conditional
    - [Packaging] skip cloud tools packaging when not building package
    - [Packaging] add acpidbg
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true
    - [Packaging] Only install cloud init files when do_tools_common=true

==
The following changes since commit 11b5ad75179963c2b6b1a7e77bcf7b9193eaf91a:

  UBUNTU: Ubuntu-4.4.0-140.166 (2018-11-13 17:01:33 -0500)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/xenial signing-redux/buildinfo

for you to fetch changes up to 4282090a9a52ea0a4bd6b9c1d29b5277e028ebda:

  UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 14:03:37 +0000)

----------------------------------------------------------------
  * Miscellaneous Ubuntu changes
    - [Packaging] switch to signed-only forms
    - [Packaging] match +signedN more accuratly
    - [Packaging] download-signed -- fix downloader component and handle versions
      correctly

==
The following changes since commit 798ff6010873e6805dd4ac709c75f3458a4e3a67:

  UBUNTU: Ubuntu-4.4.0.142.148 (2019-01-16 17:38:58 +0100)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo

for you to fetch changes up to f10fee9896d6add0a641aec0406d989dc817c960:

  UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:48:14 +0000)

----------------------------------------------------------------
  * signing: only install a signed kernel (LP: #1764794)
    - switch to signed-only binary packages
    - convert linux-signed* into transitional packages

== trusty ==
The following changes since commit 5be6d2a55bd38acfe2f0558e62e73ed0b18c108e:

  UBUNTU: Ubuntu-3.13.0-165.215 (2019-01-16 06:19:09 +0000)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty signing-redux/buildinfo

for you to fetch changes up to 0a7d674e5d412d3fbc47ed7c942f6958d4b9f20c:

  UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:35 +0000)

----------------------------------------------------------------
  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux
      packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] prep linux-libc-dev only if do_libc_dev_package=true

==
The following changes since commit 669f2d81e893753c2b7225a22de8566075adefde:

  UBUNTU: Ubuntu-3.13.0-164.214 (2018-12-05 01:53:17 -0500)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/trusty signing-redux/buildinfo

for you to fetch changes up to 2ba8b82fb9baa9ca55f5459e2de44f85dd6854ac:

  UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 13:55:26 +0000)

----------------------------------------------------------------
  * Miscellaneous Ubuntu changes
    - [Packaging] switch to signed-only forms
    - [Packaging] match +signedN more accuratly
    - [Packaging] download-signed -- fix downloader component and handle versions
      correctly

==
The following changes since commit 789683deb4ef5ab4be409273029ae43890a2f9f9:

  UBUNTU: Ubuntu-3.13.0.165.175 (2019-01-16 01:30:32 -0500)

are available in the Git repository at:

  git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo

for you to fetch changes up to 882794d2811e204c660598c005c784679e57218d:

  UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:49:05 +0000)

----------------------------------------------------------------
  * signing: only install a signed kernel (LP: #1764794)
    - switch to signed-only binary packages
    - convert linux-signed* into transitional packages

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
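The signed-only image described above is an EFI-stub PE binary whose Authenticode signature sits in the PE Certificate Table at the end of the file. The script below is an added example (not code from this thread or from Ubuntu's packaging): it walks the PE headers to locate that table and reports whether a PKCS#7 signature wrapper is present, which is the check a defender would run before a shim/grub enforcement change lands. The sample images are constructed inline; it does not verify the signature cryptographically (sbverify from sbsigntool does that).

```python
"""Locate the Authenticode Certificate Table in a PE/COFF kernel image.

Added example, not from the thread or Ubuntu's packaging. Parses only the
PE fields needed to find data directory entry 4 (Certificate Table) and the
WIN_CERTIFICATE entries inside it. Signature validity is NOT checked here.
"""
import struct

CERT_TABLE_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def find_certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None when the
    image carries no embedded signature. Raises ValueError on non-PE input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 4 + 20                                  # after COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    # Data directories start 96 bytes (PE32) or 112 bytes (PE32+) into the
    # optional header; NumberOfRvaAndSizes is the 4 bytes just before them.
    if magic == PE32_MAGIC:
        dd_base = opt + 96
    elif magic == PE32PLUS_MAGIC:
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", image, dd_base - 4)
    if n_dirs <= CERT_TABLE_INDEX:
        return None
    # Unlike other directories this entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", image, dd_base + CERT_TABLE_INDEX * 8)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_off + cert_size > len(image):
        raise ValueError("Certificate Table points outside the image")
    return cert_off, cert_size


def describe_signature(image: bytes):
    """Walk the WIN_CERTIFICATE entries in the table; each is 8-byte aligned."""
    table = find_certificate_table(image)
    if table is None:
        return []
    pos, end = table[0], table[0] + table[1]
    entries = []
    while pos + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", image, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"length": length, "revision": revision, "type": ctype,
                        "pkcs7": ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA})
        pos += (length + 7) & ~7
    return entries


def is_signed(image: bytes) -> bool:
    return any(e["pkcs7"] for e in describe_signature(image))


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections) standing in for vmlinuz."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt = bytearray(240)                                   # 112 + 16 dirs * 8
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    payload = b"\0" * 64                                   # stand-in kernel body
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        body = b"CONSTRUCTED-PKCS7-SIGNEDDATA"              # placeholder blob
        wincert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        cert = wincert + b"\0" * (-len(wincert) % 8)
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, header_len + len(payload), len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + payload + cert


if __name__ == "__main__":
    for label, img in (("signed", build_sample_image(True)), ("unsigned", build_sample_image(False))):
        print(label, "->", "signature present" if is_signed(img) else "NO signature", describe_signature(img))
```

On a real system the same functions can be pointed at /boot/vmlinuz-* to confirm the installed image is the signed variant rather than an unsigned one left behind by a removed meta package.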

ACK/Cmnt: [trusty/xenial SRU] switch to a signed-only kernel and add buildinfo

Stefan Bader-2
On 31.01.19 16:31, Andy Whitcroft wrote:
> We are working up to enforcing kernel signatures out of shim/grub
> by default and then we will rotate the EFI key.  The result of this
> additional enforcement will be to make it significantly more problematic
> on such systems if the signed kernel binary is not present.  Having this
> held on by a separate meta package has proven problematic as it tends to
> get pushed off most easily by apt.  In later series we have successfully
> migrated to a signed-only kernel image.  This is used in both EFI secure
> boot environments and unsigned alike; the signature being benign extra
> data at the end of the kernel image.

Basically assuming that a) the build test passes and b) we do the 'review' by
applying it and then see whether this still gets us kernels.

Acked-by: Stefan Bader <[hidden email]>


ACK/cmnt: [trusty/xenial SRU] switch to a signed-only kernel and add buildinfo

Kleber Souza
On 1/31/19 4:31 PM, Andy Whitcroft wrote:

> We are working up to enforcing kernel signatures out of shim/grub
> by default and then we will rotate the EFI key.  The result of this
> additional enforcement will be to make it significantly more problematic
> on such systems if the signed kernel binary is not present.  Having this
> held on by a separate meta package has proven problematic as it tends to
> get pushed off most easily by apt.  In later series we have successfully
> migrated to a signed-only kernel image.  This is used in both EFI secure
> boot environments and unsigned alike; the signature being benign extra
> data at the end of the kernel image.
>
> All series bionic and later are already converted, this leaves trusty
> and xenial needing remediation.  Only kernels offering signed images
> need actual remediation.  I believe this is the following four kernels,
> there are other signed kernels in trusty and xenial but those are all
> based on later series and thus already remediated:
>
> xenial/linux
> trusty/linux-lts-xenial
> trusty/linux
> precise/linux-lts-trusty
>
> At the bottom of this email are the three pull requests each for
> xenial/linux and trusty/linux; a pull request for linux, linux-signed, and
> linux-meta for each.  For the primary kernel packages these carry two sets
> of changes, firstly a block of change against LP: #1764794[1] which is the
> conversion to signed-only kernels, and secondly a block of change against
> LP: #1806380[2] which brings the linux-buildinfo support to these kernels.
> The linux-signed and linux-meta changes only relate to signed-only changes.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794
> [2] https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1806380

LP #1806380 was missing the nomination for Trusty and Xenial, so I fixed
that.

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

>
> I have decided to conflate these two together as both represent major
> upheaval in the primary packaging and as such will require exactly the
> same testing to validate.  It therefore seems reasonable to apply these
> at the same time and handle any fallout in one hit.
>
> I will prepare further pull requests for the trusty/linux-lts-xenial and
> precise/linux-lts-trusty kernels and submit those shortly.  The changes
> there should be much simpler in those as they share the primary packaging.
> Other derivatives should (in theory) be unaffected by the packaging changes
> as long as they do not support and enable signing in their configuration,
> other than the need to add the retpoline headers to any existing ABI
> information.  This will be familiar from application of the buildinfo
> changes to later series.
>
> I have done binary comparisons of the package contents for both xenial and
> trusty for the signed-only changes.  I am waiting on test builds with the
> additional buildinfo changes applied to recheck that has not regressed
> package contents.  I will reply to this thread with the results of that
> testing once the builders have ground through them.
>
> I understand that this is essentially unreviewable, and that this level
> of change is undesirable in kernels which are this old; in particular
> trusty/linux which is close to EOL.  We are forced to update that as it
> will enter ESM and so remains a problem froma key rotation perspective.
>
> -apw
>
>
> == xenial ==
> The following changes since commit be36fafc3373eb2825e64446652314d20f2d50a4:
>
>   UBUNTU: Ubuntu-4.4.0-142.168 (2019-01-16 17:35:07 +0100)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 3430730d22f337e5e2bf65caa04b5aacc0e345f4:
>
>   UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:07 +0000)
>
> ----------------------------------------------------------------
>   * linux-buildinfo: pull out ABI information into its own package
>     (LP: #1806380)
>     - [Packaging] limit preparation to linux-libc-dev in headers
>     - [Packaging] commonise debhelper invocation
>     - [Packaging] ABI -- accumulate abi information at the end of the build
>     - [Packaging] buildinfo -- add basic build information
>     - [Packaging] buildinfo -- add firmware information to the flavour ABI
>     - [Packaging] buildinfo -- add compiler information to the flavour ABI
>     - [Packaging] buildinfo -- add buildinfo support to getabis
>     - [Config] buildinfo -- add retpoline version markers
>     - [Packaging] getabis -- handle all known package combinations
>     - [Packaging] getabis -- support parsing a simple version
>
>   * signing: only install a signed kernel (LP: #1764794)
>     - [Packaging] update to Debian like control scripts
>     - [Packaging] switch to triggers for postinst.d postrm.d handling
>     - [Packaging] signing -- switch to raw-signing tarballs
>     - [Packaging] signing -- switch to linux-image as signed when available
>     - [Packaging] printenv -- add signing options
>     - [Packaging] fix invocation of header postinst hooks
>     - [Packaging] signing -- add support for signing Opal kernel binaries
>     - [Debian] Use src_pkg_name when constructing udeb control files
>     - [Debian] Dynamically determine linux udebs package name
>     - [Packaging] handle both linux-lts* and linux-hwe* as backports
>     - [Config] linux-source-* is in the primary linux namespace
>     - [Packaging] lookup the upstream tag
>     - [Packaging] zfs/spl -- enhance provides information
>     - [Packaging] switch up to debhelper 9
>     - [Packaging] autopkgtest -- disable d-i when dropping flavours
>     - [debian] support for ship_extras_package=false
>     - [Debian] do_common_tools should always be on
>     - [debian] do not force do_tools_common
>     - [Packaging] Add linux-tools-host package for VM host tools
>     - [Packaging] signing should be conditional
>     - [Packaging] skip cloud tools packaging when not building package
>     - [Packaging] add acpidbg
>     - [debian] prep linux-libc-dev only if do_libc_dev_package=true
>     - [Packaging] Only install cloud init files when do_tools_common=true
>
> ==
> The following changes since commit 11b5ad75179963c2b6b1a7e77bcf7b9193eaf91a:
>
>   UBUNTU: Ubuntu-4.4.0-140.166 (2018-11-13 17:01:33 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to 4282090a9a52ea0a4bd6b9c1d29b5277e028ebda:
>
>   UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 14:03:37 +0000)
>
> ----------------------------------------------------------------
>   * Miscellaneous Ubuntu changes
>     - [Packaging] switch to signed-only forms
>     - [Packaging] match +signedN more accurately
>     - [Packaging] download-signed -- fix downloader component and handle versions
>       correctly
>
> ==
> The following changes since commit 798ff6010873e6805dd4ac709c75f3458a4e3a67:
>
>   UBUNTU: Ubuntu-4.4.0.142.148 (2019-01-16 17:38:58 +0100)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo
>
> for you to fetch changes up to f10fee9896d6add0a641aec0406d989dc817c960:
>
>   UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:48:14 +0000)
>
> ----------------------------------------------------------------
>   * signing: only install a signed kernel (LP: #1764794)
>     - switch to signed-only binary packages
>     - convert linux-signed* into transitional packages
>
> == trusty ==
> The following changes since commit 5be6d2a55bd38acfe2f0558e62e73ed0b18c108e:
>
>   UBUNTU: Ubuntu-3.13.0-165.215 (2019-01-16 06:19:09 +0000)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 0a7d674e5d412d3fbc47ed7c942f6958d4b9f20c:
>
>   UBUNTU: [Packaging] getabis -- support parsing a simple version (2019-01-31 14:36:35 +0000)
>
> ----------------------------------------------------------------
>   * linux-buildinfo: pull out ABI information into its own package
>     (LP: #1806380)
>     - [Packaging] limit preparation to linux-libc-dev in headers
>     - [Packaging] commonise debhelper invocation
>     - [Packaging] ABI -- accumulate abi information at the end of the build
>     - [Packaging] buildinfo -- add basic build information
>     - [Packaging] buildinfo -- add firmware information to the flavour ABI
>     - [Packaging] buildinfo -- add compiler information to the flavour ABI
>     - [Packaging] buildinfo -- add buildinfo support to getabis
>     - [Config] buildinfo -- add retpoline version markers
>     - [Packaging] getabis -- handle all known package combinations
>     - [Packaging] getabis -- support parsing a simple version
>
>   * signing: only install a signed kernel (LP: #1764794)
>     - [Debian] usbip tools packaging
>     - [Debian] Don't fail if a symlink already exists
>     - [Debian] perf -- build in the context of the full generated local headers
>     - [Debian] basic hook support
>     - [Debian] follow rename of DEB_BUILD_PROFILES
>     - [Debian] standardise on stage1 for the bootstrap stage in line with debian
>     - [Debian] set do_*_tools after stage1 or bootstrap is determined
>     - [Debian] initscripts need installing when making the package
>     - [Packaging] reconstruct -- automatically reconstruct against base tag
>     - [Debian] add feature interlock with mainline builds
>     - [Debian] Remove generated intermediate files on clean
>     - [Packaging] prevent linux-*-tools-common from being produced from non linux
>       packages
>     - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
>     - [Debian] Update to new signing key type and location
>     - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
>     - [Packaging] reconstruct -- update when inserting final changes
>     - [Packaging] update to Debian like control scripts
>     - [Packaging] switch to triggers for postinst.d postrm.d handling
>     - [Packaging] signing -- switch to raw-signing tarballs
>     - [Packaging] signing -- switch to linux-image as signed when available
>     - [Packaging] printenv -- add signing options
>     - [Packaging] fix invocation of header postinst hooks
>     - [Packaging] signing -- add support for signing Opal kernel binaries
>     - [Debian] Use src_pkg_name when constructing udeb control files
>     - [Debian] Dynamically determine linux udebs package name
>     - [Packaging] handle both linux-lts* and linux-hwe* as backports
>     - [Config] linux-source-* is in the primary linux namespace
>     - [Packaging] lookup the upstream tag
>     - [Packaging] switch up to debhelper 9
>     - [Packaging] autopkgtest -- disable d-i when dropping flavours
>     - [debian] support for ship_extras_package=false
>     - [Debian] do_common_tools should always be on
>     - [debian] do not force do_tools_common
>     - [Packaging] skip cloud tools packaging when not building package
>     - [debian] prep linux-libc-dev only if do_libc_dev_package=true
>
> ==
> The following changes since commit 669f2d81e893753c2b7225a22de8566075adefde:
>
>   UBUNTU: Ubuntu-3.13.0-164.214 (2018-12-05 01:53:17 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-signed/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 2ba8b82fb9baa9ca55f5459e2de44f85dd6854ac:
>
>   UBUNTU: [Packaging] download-signed -- fix downloader component and handle versions correctly (2019-01-31 13:55:26 +0000)
>
> ----------------------------------------------------------------
>   * Miscellaneous Ubuntu changes
>     - [Packaging] switch to signed-only forms
>     - [Packaging] match +signedN more accurately
>     - [Packaging] download-signed -- fix downloader component and handle versions
>       correctly
>
> ==
> The following changes since commit 789683deb4ef5ab4be409273029ae43890a2f9f9:
>
>   UBUNTU: Ubuntu-3.13.0.165.175 (2019-01-16 01:30:32 -0500)
>
> are available in the Git repository at:
>
>   git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo
>
> for you to fetch changes up to 882794d2811e204c660598c005c784679e57218d:
>
>   UBUNTU: convert linux-signed* into transitional packages (2019-01-31 14:49:05 +0000)
>
> ----------------------------------------------------------------
>   * signing: only install a signed kernel (LP: #1764794)
>     - switch to signed-only binary packages
>     - convert linux-signed* into transitional packages
>


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

Re: [trusty/xenial SRU] switch to a signed-only kernel and add buildinfo

Andy Whitcroft-3
In reply to this post by Andy Whitcroft-3
On Thu, Jan 31, 2019 at 03:31:28PM +0000, Andy Whitcroft wrote:

> I have done binary comparisons of the package contents for both xenial and
> trusty for the signed-only changes.  I am waiting on test builds with the
> additional buildinfo changes applied to recheck that has not regressed
> package contents.  I will reply to this thread with the results of that
> testing once the builders have ground through them.

The test builds are now complete.  A binary comparison shows that all of
the files still exist in the new packages and appear to be in the
relevant packages.

-apw


APPLIED: [trusty SRU] switch to a signed-only kernel and add buildinfo

Stefan Bader-2
In reply to this post by Andy Whitcroft-3
On 31.01.19 16:31, Andy Whitcroft wrote:
> git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/trusty signing-redux/buildinfo

Applied to trusty[-signed|-meta]/master[-next]. Thanks.

-Stefan



APPLIED: [xenial SRU] switch to a signed-only kernel and add buildinfo

Stefan Bader-2
In reply to this post by Andy Whitcroft-3
On 31.01.19 16:31, Andy Whitcroft wrote:
> git://git.launchpad.net/~apw/ubuntu/+source/linux-meta/+git/xenial signing-redux/buildinfo

Applied to xenial/linux[-signed|-meta]/master[-next]. Thanks.

-Stefan

