This bug is awaiting verification that the linux-kvm/5.13.0-1005.5
kernel in -proposed solves the problem. Please test the kernel and
update this bug with the results. If the problem is solved, change the
tag 'verification-needed-impish' to 'verification-done-impish'. If the
problem still exists, change the tag 'verification-needed-impish' to
'verification-failed-impish'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on
how to enable and use -proposed. Thank you!


** Tags added: verification-needed-impish

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1942319

Title:
  When booting with UEFI, mokvar table and %:.platform keyring must be
  available

Status in linux-kvm package in Ubuntu:
  Fix Committed
Status in linux-kvm source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * When booting with UEFI, mokvar table and %:.platform keyring must
  be available. These are required for builtin revocation certificates
  to be present, shim builtin certificates to be present, and thus
  support for signed & verified kexec to be present. It also allows
  revocation of signed lrm and livepatch drivers which are trusted by
  this kernel.

   * The kvm annotations are very minimal, v3 format, and the parent
  kernel's annotations are not enforced.

  [Test Plan]

   * Check that /sys/firmware/efi/mok-variables/ is available

   * Check that %:.blacklist keyring is populated

     $ sudo keyctl list %:.blacklist

  
   * Check that %:.platform keyring is populated

     $ sudo keyctl list %:.platform

  [Where problems could occur]

   * Given how small the kvm config is, it is not clear if all of the
  lockdown features are correctly enabled, specifically measuring and
  appraising things with the integrity framework. It is possible further
  config changes will be required to make the kvm flavour as hardened as
  the generic one.

  [Other Info]
   
   * This issue was discovered whilst working on
  https://bugs.launchpad.net/bugs/1928679 and
  https://bugs.launchpad.net/bugs/1932029

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/1942319/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
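
The three checks from the [Test Plan] above, as an added example script (not part of the original bug report or of any Ubuntu kernel team tooling). It assumes keyctl from keyutils is installed and that the live checks are run as root; the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: automates the [Test Plan] checks. Function names are hypothetical.

MOK_DIR=/sys/firmware/efi/mok-variables

# Constructed sample of `keyctl list` output (not taken from a real system).
SAMPLE_LISTING='2 keys in keyring:
 111111111: ---lswrv     0     0 asymmetric: constructed example cert A: 0011
 222222222: ---lswrv     0     0 asymmetric: constructed example cert B: 2233'

# Count key entries in `keyctl list` output read from stdin.
# Entry lines look like "<serial>: <perms> <uid> <gid> <type>: <desc>";
# the "N keys in keyring:" header and "keyring is empty" are not counted.
count_keys() {
    awk '/^ *[0-9]+: / { n++ } END { print n + 0 }'
}

# Succeeds if the mokvar table directory is exposed by the kernel.
mok_vars_present() {
    [ -d "${1:-$MOK_DIR}" ]
}

# Run all three checks; returns non-zero if any fails. Needs root.
run_test_plan() {
    rc=0
    if mok_vars_present; then
        echo "PASS: $MOK_DIR is available"
    else
        echo "FAIL: $MOK_DIR is missing"; rc=1
    fi
    for kr in .blacklist .platform; do
        # A missing keyring makes keyctl fail, which yields a count of 0.
        n=$(keyctl list "%:$kr" 2>/dev/null | count_keys)
        if [ "$n" -gt 0 ]; then
            echo "PASS: %:$kr has $n key(s)"
        else
            echo "FAIL: %:$kr is empty or unavailable"; rc=1
        fi
    done
    return "$rc"
}

# Only touch the live system when asked to: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_test_plan
fi
```

The exit status of `run_test_plan` can be used directly when deciding between the verification-done and verification-failed tags.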
