------- Comment From naynj...@ibm.com 2020-06-16 17:51 EDT------- To be specific. sudo apt-key list
shows: ubuntu@ltc-wspoon13:/$ apt-key list /etc/apt/trusted.gpg.d/canonical-kernel-team_ubuntu_bootstrap.gpg ----------------------------------------------------------------- pub rsa1024 2010-12-01 [SC] 110E 21D8 B0E2 A1F0 243A F682 0856 F197 B892 ACEA uid [ unknown] Launchpad PPA for Canonical Kernel Team /etc/apt/trusted.gpg.d/sforshee_ubuntu_lp1866909.gpg ---------------------------------------------------- pub rsa1024 2011-10-06 [SC] 6B5B 9C22 2E05 413A F654 1676 1212 D9F6 559B 2FA8 uid [ unknown] Launchpad PPA for Seth Forshee /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg ------------------------------------------------------ pub rsa4096 2012-05-11 [SC] 790B C727 7767 219C 42C8 6F93 3B4F E6AC C0B2 1F32 uid [ unknown] Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com> /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg ------------------------------------------------------ pub rsa4096 2012-05-11 [SC] 8439 38DF 228D 22F7 B374 2BC0 D94A A3F0 EFE2 1092 uid [ unknown] Ubuntu CD Image Automatic Signing Key (2012) <cdim...@ubuntu.com> /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg ------------------------------------------------------ pub rsa4096 2018-09-17 [SC] F6EC B376 2474 EDA9 D21B 7022 8719 20D1 991B C93C uid [ unknown] Ubuntu Archive Automatic Signing Key (2018) <ftpmas...@ubuntu.com> I need OPAL signing key as in path - ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed /linux-ppc64el/current/signed.tar.gz If you will extract this, there is one opal.x509 which is used to sign the kernel. This one is for PPA kernel if I am not missing something. And that is the key I need for proposed. So, if you can share the common or standard OPAL signing key which I can use for proposed, it would be helpful. Thanks & Regards, - Nayna Thanks & Regards, - Nayna -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1877955 Title: Fix for secure boot rules in IMA arch policy on powerpc Status in The Ubuntu-power-systems project: Fix Committed Status in linux package in Ubuntu: In Progress Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: In Progress Bug description: SRU Justification: ================== [Impact] * Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA. * To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled. * But this doesn't take the ability into account of enabling "sig_enforce" at the boot command line (module.sig_enforce=1). * Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring. * This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead. [Fix] * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" [Test Case] * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command. * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place. * The verification needs to be done by the IBM Power team. [Regression Potential] * There is (always) a certain regression risk with having code changes, especially in the secure boot area. * But this patch is limited to the powerpc platform and will not affect any other architecture. * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com before it became finally upstream accepted with kernel 5.7-rc7. * The secure boot code itself wasn't really touched, rather than it's basis for execution. The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). Hence the change is very limited and straightforward. [Other] * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only. __________ == Comment: #0 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-04-22 14:44:31 == +++ This bug was initially created as a clone of Bug #184073 +++ This bug is a follow on to LP 1866909 to address a missing piece - only half the following patch was included in 5.4.0-24.28. The upstream patch has an additional fix but it?s not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch("powerpc/ima: fix secure boot rules in ima arch policy") is posted to linux-integrity and linuxppc-dev mailing list (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send- email-na...@linux.ibm.com/T/#u) If there are any issues identified during further testing, they will get opened as separate issue to be addressed later. Thanks & Regards, - Nayna == Comment: #4 - Michael Ranweiler <mranw...@us.ibm.com> - 2020-05-11 02:23:35 == Updated posting: https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send- email-na...@linux.ibm.com/T/#u To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
