[Bug 1831942] Reminder of SRU verification policy change

Wed Jun 12 19:30:04 UTC 2019

Thank you for taking the time to verify this stable release fix.  We
have noticed that you have used the verification-done tag for marking
the bug as verified and would like to point out that due to a recent
change in SRU bug verification policy fixes now have to be marked with
per-release tags (i.e. verification-done-$RELEASE).  Please remove the
verification-done tag and add one for the release you have tested the
package in.  Thank you!

https://wiki.ubuntu.com/StableReleaseUpdates#Verification

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to u-boot in Ubuntu.
https://bugs.launchpad.net/bugs/1831942

Title:
  support u-boot Flat Image Tree (FIT) signing support

Status in Launchpad itself:
  In Progress
Status in u-boot package in Ubuntu:
  Fix Released
Status in u-boot source package in Xenial:
  Fix Committed
Status in u-boot source package in Bionic:
  Fix Committed
Status in u-boot source package in Cosmic:
  Fix Committed
Status in u-boot source package in Disco:
  Fix Committed
Status in u-boot source package in Eoan:
  Fix Released

Bug description:
  [Impact] the existing mkimage/dumpimage tools are unable to make or
  dump out the contents of a u-boot FIT image.

  [Test Case] run mkimage with no arguments, note that FIT images and
  signing are shown as disabled.  Install the updated version and note
  that FIT images and signing are now shown as enabled.  Run the
  attached TEST-FIT script which will put together a sample image,
  generate some keys, and sign the resulting image contents.  You will
  see "kernel.img: Device Tree Blob version 17,..." if the image is
  created and you will see dumpimage output showing it is not yet signed
  (Sign value: unavailable).  The signatures will then be applied and
  the image redumped and you will see it is now signed (Sign value:
  <hex>).

  [Regression Potential] though this changes the u-boot boot loader
  package, only the build of the u-boot-utils package contents is
  modified.  This primarily enabled FIT_SIGNATURE support in the
  configuration before building those tools.  The majority of the tools
  we ship do not have configuration support even and so should not be
  affected.  mkimage et al are not normally used during a
  kernel/bootloader update and so the risk to a pre-installed system
  should be low.  There is slightly higher risk in the xenial changes as
  the enablement has enabled some additional tool builds, but none of
  those are shipped in the resulting binaries.

  ===

  We need a mechanism for securely signing Flat Image Tree binaries.
  This will be performed in a similar manner to UEFI signing support via
  a custom binary upload to launchpad.  We will also need a u-boot
  update to enable image creation and signing support in mkimage.

To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1831942/+subscriptions