ACK: [RFC] linux-signed support for linux-generate

Alberto Milone alberto.milone at canonical.com
Tue Sep 27 14:12:05 UTC 2022


On 16/09/22 13:46, Andy Whitcroft wrote:
> When kernels containing signed elements are copied into the archive they
> are re-signed at the destination.  This occurs for -proposed, -updates,
> and -security independently unless they are rejected by a vigilant
> archive-admin.  If they are accepted for signing, as well as causing
> multiple duplicate signings, they are also signed by the archive active
> signing key.  As we rotate keys this leaves us at significant risk of
> signing those kernels with an inappropriate key; potentially rendering
> that key compromised.
>
> As part of the necessary embargoing of the linux-restricted-modules
> (LRM) signing-tarballs we introduced a build/generate/signed model; a
> three step process by which the build package (LRM in that case)
> produces the signable objects, a generate package
> (linux-restricted-generate [LRG]) converts those into a signing-tarball,
> and finally a signing package (linux-restricted-signatures [LRS])
> expresses the signed objects.  By pulling out the signing-tarball
> handling to LRG we are able to elide that package in publication
> (embargoing the .kos for LRM) and simultaneously avoid all of the
> preceding risks.
>
> Here we bring this same formula to the linux-signed package.  The main
> linux package will continue to produce linux-image-unsigned packages;
> but no longer produce the signing-tarball.  linux-generate will consume
> those unsigned packages and upload the signing-tarball.  Finally
> linux-signed will consume the signed kernels and package those as normal
> into linux-image packages.  In a similar fashion to LRG we will
> eliminate linux-generate from the final publications.  To achieve this
> we will introduce linux-generate as a direct-ancillary on the
> linux-signed package, eliminating the need for manual handling of any new
> packages.
>
> Following this email are 13 patches.  The first two represent some
> simple cleanups and simplifications ready for conversion:
>
> UBUNTU: [Packaging] generate-depends: relocate to debian/scripts
> UBUNTU: [Packaging] generate-depends -- simplify unsigned to signed conversions
>
> The next two introduce a debian/package.config similar to that used in
> LRM, and switch to configuring the package from it:
>
> UBUNTU: [Config] signing package.config
> UBUNTU: [Packaging] generate: switch to generating debian/control based on debian/package.config
>
> The next five patches generify the handling (this is based on an initial
> kinetic base) to include di support for older series, HMAC support for
> fips, and FIT support should that be required:
>
> UBUNTU: [Packaging] generate: pull out configuration as a library for later use
> UBUNTU: [Packaging] generate: add -di package support
> UBUNTU: [Packaging] generate: only produce -di package configuration when present
> UBUNTU: [Packaging] generate: add HMAC support
> UBUNTU: [Packaging] generate: add FIT support
>
> The next two introduce the actual linux-generic as a direct ancillary:
>
> UBUNTU: [Packaging] generate: add linux-generate as a direct ancillary
> UBUNTU: [Packaging] generate: switch to consuming signed artifacts from linux-generate
>
> The next patch updates the update-version scripting to match semantics
> with LRM, this makes it easier to drive this from an automated respin:
>
> UBUNTU: [Packaging] generate: update-version -- update to latest version
>
> Finally, the last patch introduces a version (and associated tracker) to
> make automated updates simpler.
>
> UBUNTU: signed-version 3.0
>
> Proposing to apply this to kinetic initially and once settled, to
> programmatically apply this to all archive destined linux-signed packages
> as listed in kernel-series as SIGNEDv3 under LP: #1989705[1]
>
> -apw
>
> [1] https://bugs.launchpad.net/bugs/1989705

This applies to the whole series.

Acked-by: Alberto Milone <alberto.milone at canonical.com>

-- 
Alberto Milone