[Impact]
When producing a new version of some kernels, we need to check for changes that might affect FIPS certs and justify why a commit was kept.
Currently, the fips-check script complains whenever it finds a commit with crypto-related changes and no justification. However, the script does not account for cases where these commits are reverted, and it fails even in those cases.
[Fix]
After finding the commits that touch crypto source, also look for commits that revert them.
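The revert matching described in the fix, as an added sketch that is not the fips-check script's own code. It assumes reverts carry the standard `git revert` body line, that crypto source is identified by path prefix, and that justifications are available as a set of SHAs; all names, paths and SHAs below are hypothetical.

```python
import re

# Assumed path prefixes that count as "crypto source" (not the real script's list).
CRYPTO_PREFIXES = ("crypto/", "arch/x86/crypto/")
# Line that `git revert` writes into the body of a revert commit.
REVERT_RE = re.compile(r"^This reverts commit ([0-9a-f]{7,40})", re.M)

def touches_crypto(commit):
    return any(path.startswith(CRYPTO_PREFIXES) for path in commit["files"])

def needs_justification(commits, justified):
    """commits: oldest first. Returns SHAs of crypto commits still in effect
    that are not listed in `justified`."""
    active, undone, seen = set(), {}, []
    for c in commits:
        if not touches_crypto(c):
            continue
        m = REVERT_RE.search(c["body"])
        # Resolve a possibly abbreviated SHA against crypto commits in range.
        target = m and next((s for s in seen if s.startswith(m.group(1))), None)
        if target in active:        # revert cancels an earlier crypto commit
            active.discard(target)
            undone[c["sha"]] = target
        elif target in undone:      # revert of a revert: original is back
            active.add(undone.pop(target))
        else:                       # plain change, or revert of an out-of-range commit
            active.add(c["sha"])
        seen.append(c["sha"])
    return [c["sha"] for c in commits
            if c["sha"] in active and c["sha"] not in justified]

def mk(ch, subject, files, body=""):
    return {"sha": ch * 40, "subject": subject, "files": files, "body": body}

# Constructed sample history; SHAs, subjects and paths are made up.
SAMPLE = [
    mk("a", "crypto: change digest init", ["crypto/example_hash.c"]),
    mk("1", "net: unrelated fix", ["drivers/net/example.c"]),
    mk("b", "crypto: justified change", ["crypto/example_rng.c"]),
    mk("c", 'UBUNTU: SAUCE: Revert "crypto: change digest init"',
       ["crypto/example_hash.c"], "This reverts commit " + "a" * 40 + "."),
    mk("d", "crypto: unreviewed change", ["arch/x86/crypto/example_glue.c"]),
]
JUSTIFIED = {"b" * 40}

if __name__ == "__main__":
    print(needs_justification(SAMPLE, JUSTIFIED))
```

A revert whose target lies outside the examined range is treated as a crypto change in its own right, so it still requires a justification.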
[Test Plan]
Take a Jammy FIPS kernel from the 2024.02.05 cycle, which introduces two commits that touch crypto source. Revert those commits (and do not forget to follow the convention of adding `UBUNTU: SAUCE` to the commit subject). Proceed to prepare the kernel, and at the `cranky close` step, confirm that it can be run without any errors.
[Where problems could occur]
This only affects the preparation of FIPS kernels and not the final kernel binary.