** Description changed: [Impact] Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring. Add support in our kernel configuration to have built-in revoked certificates. Revoke UEFI amd64 & arm64 2012 signing certificate. Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed. By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots. [Test Plan] * Boot kernel directly, or just with grub, and without shim * Check that $ sudo keyctl list %:.blacklist - Contains assymetric 2012 key. + Contains asymmetric 2012 key. + + [Test Plan v5.8 and lower] + + For v5.8 and lower kernels mok table driver is backported to surface + moktable variables + + * $ sudo ls /sys/firmware/efi/mok-variables + MokListRT MokListXRT SbatLevelRT + + When booted with shim, the mok-variables directory above should exist, + and contain at least `MokListRT MokListXRT SbatLevelRT` files. + + In kernel messages, the CA certificate should be loaded via MOKvar table + i.e: + + * $ sudo journalctl -b -k | grep -A1 'MOKvar table' + Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) + Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63 + [Where problems could occur] * Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke. [Other Info] * In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. - * an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked + * an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
** Description changed: [Impact] Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring. Add support in our kernel configuration to have built-in revoked certificates. Revoke UEFI amd64 & arm64 2012 signing certificate. Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed. By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots. + For kernels v5.8 and lower, also backport mokvar table driver to surface + MOK variables from the EFI config table that shim installs, instead of + relying on runtime efivars. + [Test Plan] * Boot kernel directly, or just with grub, and without shim * Check that $ sudo keyctl list %:.blacklist Contains asymmetric 2012 key. [Test Plan v5.8 and lower] For v5.8 and lower kernels mok table driver is backported to surface moktable variables - * $ sudo ls /sys/firmware/efi/mok-variables - MokListRT MokListXRT SbatLevelRT + * $ sudo ls /sys/firmware/efi/mok-variables + MokListRT MokListXRT SbatLevelRT When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files. In kernel messages, the CA certificate should be loaded via MOKvar table i.e: - * $ sudo journalctl -b -k | grep -A1 'MOKvar table' + * $ sudo journalctl -b -k | grep -A1 'MOKvar table' Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63 - [Where problems could occur] * Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke. [Other Info] * In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. * an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-azure-5.8 in Ubuntu. https://bugs.launchpad.net/bugs/1932029 Title: Support builtin revoked certificates Status in linux package in Ubuntu: Fix Released Status in linux-azure-5.8 package in Ubuntu: Invalid Status in linux-oem-5.10 package in Ubuntu: Invalid Status in linux source package in Xenial: New Status in linux-azure-5.8 source package in Xenial: Invalid Status in linux-oem-5.10 source package in Xenial: Invalid Status in linux source package in Bionic: New Status in linux-azure-5.8 source package in Bionic: Invalid Status in linux-oem-5.10 source package in Bionic: Invalid Status in linux source package in Focal: New Status in linux-azure-5.8 source package in Focal: New Status in linux-oem-5.10 source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Released Status in linux-azure-5.8 source package in Hirsute: Invalid Status in linux-oem-5.10 source package in Hirsute: Invalid Bug description: [Impact] Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring. Add support in our kernel configuration to have built-in revoked certificates. Revoke UEFI amd64 & arm64 2012 signing certificate. Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed. By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots. For kernels v5.8 and lower, also backport mokvar table driver to surface MOK variables from the EFI config table that shim installs, instead of relying on runtime efivars. [Test Plan] * Boot kernel directly, or just with grub, and without shim * Check that $ sudo keyctl list %:.blacklist Contains asymmetric 2012 key. [Test Plan v5.8 and lower] For v5.8 and lower kernels mok table driver is backported to surface moktable variables * $ sudo ls /sys/firmware/efi/mok-variables MokListRT MokListXRT SbatLevelRT When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files. In kernel messages, the CA certificate should be loaded via MOKvar table i.e: * $ sudo journalctl -b -k | grep -A1 'MOKvar table' Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63 [Where problems could occur] * Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke. [Other Info] * In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. * an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
