Comment 0 for bug 1965115

[Availability]
nullboot is available in jammy universe on amd64 and arm64, which are the only architectures we care about it for the foreseeable future

It currently builds and works for architetcures: arm64

Link to package https://launchpad.net/ubuntu/+source/nullboot

[Rationale]
nullboot is required for enabling a partner cloud offering with linux-azure-fde

[Security]
nullboot is a new software produced by Canonical. It produces a Go binary that measures boot binaries and does some sealing, to allow automatic full disk encryption. It only operates on trusted data (firmware data and kernels in /usr/lib/linux/efi).

- no `suid` or `sgid` binaries
- no binaries in sbin directories
- Package does not install services, timers or recurring jobs
- Package does install a dpkg trigger on /usr/lib/linux/efi
- Packages does not open privileged ports (ports < 1024)
- Packages does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
This package is not usable on its own, it needs a kernel.efi package to be installed such as linux-azure-fde. It requires a TPM.

[Quality assurance - maintenance]
Foundations maintains this software

[Quality assurance - testing]
The test suite run at build time covers about 80% of the code. The code was mostly developed using a test-driven development approach, including abstractions of file system and EFI variables to allow for extensive testing.

ok github.com/canonical/nullboot/efibootmgr 0.142s coverage: 81.6% of statements

The same test suite is run as an autopkgtest. End-to-end testing should be done by consumers of nullboot such as linux-azure-fde, but is very involved as it needs to happen in a qemu with tpm setup and stuff, so it might not happen.

[Quality assurance - packaging]
Lintian is a bit overly protective, but

E: nullboot: copyright-not-using-common-license-for-gpl

^- we can fix this

W: nullboot-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/03/d7295826b5850df200032deca916f3d07a46ff.debug]
W: nullboot: hardening-no-pie [usr/bin/nullbootctl]

^- Go toolchain worries

W: nullboot: no-manual-page usr/bin/nullbootctl

^- maybe it would be nicer to have it live in usr/libexec, I don't know.

W: nullboot: unknown-field Important
W: nullboot: unknown-field Protected

^- these are to be expected.

- Lintian overrides are not present
- debian/watch is not present because it is anative package
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf
  questions higher than medium (no questions, installed only on select cloud images)
- Packaging and build is easy, https://github.com/canonical/nullboot/tree/ubuntu/main/debian

[UI standards]
- Application is not end-user facing (does not need translation)
Application is not _exactly_ end user interfacing, and certainly does not have translations. It runs as part of triggers when select kernel packages are installed and might log some messages there.

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
- This package violates Debian Policy, it vendorizes various Go libraries (in a orig-vendor.tar.gz)

[Maintenance/Owner]
- Owning Team will be Foundations
- Team is not yet, but will subscribe to the package before promotion

- The team Foundations is aware of the implications by a static build and
  commits to test no-change-rebuilds and to fix any issues found for the
- The team Foundations is aware of the implications of vendored code and (as
  alerted by the security team) commits to provide updates to the security
  team for any affected vendored code for the lifetime of the release
  (including ESM).

[Background information]
The upstream nullboot project and packaging branches are located at https://github.com/canonical/nullboot