Booted impish lxd vm; enabled proposed and upgraded to the new kvm abi:

# uname -a
Linux leading-fly 5.13.0-1005-kvm #5-Ubuntu SMP Tue Oct 26 23:55:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# ls /sys/firmware/efi/mok-variables/
MokListRT  MokListXRT  SbatLevelRT

# keyctl list %:.blacklist | head
80 keys in keyring:
 252860331: ---lswrv     0     0   blacklist: bin:82db3bceb4f60843ce9d97c3d187cd9b5941cd3de8100e586f2bda5637575f67
 676962175: ---lswrv     0     0   blacklist: bin:7827af99362cfaf0717dade4b1bfe0438ad171c15addc248b75bf8caa44bb2c5
1059112409: ---lswrv     0     0   blacklist: bin:8d8ea289cfe70a1c07ab7365cb28ee51edd33cf2506de888fbadd60ebf80481c
 990976823: ---lswrv     0     0   blacklist: bin:fddd6e3d29ea84c7743dad4a1bdbc700b5fec1b391f932409086acc71dd6dbd8
 772477785: ---lswrv     0     0   blacklist: bin:b97a0889059c035ff1d54b6db53b11b9766668d9f955247c028b2837d7a04cd9
 234365151: ---lswrv     0     0   blacklist: bin:d626157e1d6a718bc124ab8da27cbb65072ca03a7b6b257dbdcbbd60f65ef3d1
 812179032: ---lswrv     0     0   blacklist: bin:c409bdac4775add8db92aa22b5b718fb8c94a1462c1fe9a416b95d8a3388c2fc
1025256417: ---lswrv     0     0   blacklist: bin:939aeef4f5fa51e23340c3f2e49048ce8872526afdf752c3a7f3a3f2bc9f6049
 442082266: ---lswrv     0     0   blacklist: bin:075eea060589548ba060b2feed10da3c20c7fe9b17cd026b94e8a683b8115238

# keyctl list %:.blacklist | grep asym
  73781777: ---lswrv     0     0   asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

# keyctl list %:.platform
3 keys in keyring:
 848858004: ---lswrv     0     0   asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 221029845: ---lswrv     0     0   asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
 730971307: ---lswrv     0     0   asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

mok-variables, blacklist, and platform keyrings are now there.

** Tags removed: verification-needed-impish
** Tags added: verification-done-impish

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1942319

Title:
  When booting with UEFI, mokvar table and %:.platform keyring must be available

Status in linux-kvm package in Ubuntu:
  Fix Committed
Status in linux-kvm source package in Impish:
  Fix Committed

Bug description:
  [Impact]

   * When booting with UEFI, mokvar table and %:.platform keyring must be available. These are required for builtin revocation certificates to be present, shim builtin certificates to be present and thus support for signed & verified kexec to be present. It also allows revocation of signed lrm and livepatch drivers which are trusted by this kernel.

   * The kvm annotations are very minimal, v3 format, and the parent kernel's annotations are not enforced.

  [Test Plan]

   * Check that /sys/firmware/efi/mok-variables/ is available
   * Check that the %:.blacklist keyring is populated
     $ sudo keyctl list %:.blacklist
   * Check that the %:.platform keyring is populated
     $ sudo keyctl list %:.platform

  [Where problems could occur]

   * Given how small the kvm config is, it is not clear if all of the lockdown features are correctly enabled. Specifically measuring and appraising things with the integrity framework. It is possible further config changes will be required to make the kvm flavour as hardened as the generic one.

  [Other Info]

   * This issue was discovered whilst working on https://bugs.launchpad.net/bugs/1928679 and https://bugs.launchpad.net/bugs/1932029
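The three [Test Plan] checks as one script. This is an added example, not code from the bug report, the Ubuntu kernel team or keyutils. It assumes keyctl(1) from keyutils is installed and that the live checks run as root on a UEFI boot (on a legacy BIOS boot the mok-variables directory and both keyrings are legitimately absent or empty, so a FAIL there means nothing). The function names (keyring_count, count_type, check_mok_variables, run_live_checks) are illustrative; the sample listings are constructed from the keyctl output quoted in the verification comment above, abridged.

```shell
#!/bin/sh
# Scripted form of the LP#1942319 [Test Plan]. Added example, not from the
# bug report. Parsing helpers read a "keyctl list" listing on stdin so they
# can be exercised offline against the constructed samples below; the live
# checks only run when invoked as:  sudo sh mokvar-check.sh --live

# Constructed sample listings, abridged from the output quoted in the bug
# comment (serials, subjects and hashes as printed there).
SAMPLE_PLATFORM='3 keys in keyring:
 848858004: ---lswrv     0     0   asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 221029845: ---lswrv     0     0   asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
 730971307: ---lswrv     0     0   asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'

SAMPLE_BLACKLIST='3 keys in keyring:
 252860331: ---lswrv     0     0   blacklist: bin:82db3bceb4f60843ce9d97c3d187cd9b5941cd3de8100e586f2bda5637575f67
 676962175: ---lswrv     0     0   blacklist: bin:7827af99362cfaf0717dade4b1bfe0438ad171c15addc248b75bf8caa44bb2c5
  73781777: ---lswrv     0     0   asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

# Key count from the "N keys in keyring:" header line keyctl prints.
# Prints 0 when the header is absent (empty keyring, lookup error, no input).
keyring_count() {
    awk 'NR == 1 && $2 == "keys" && $3 == "in" { print $1; done = 1 }
         END { if (!done) print 0 }'
}

# Number of entries whose type field is $1 ("asymmetric" or "blacklist").
# Field 5 of a listing line is the key type followed by a colon.
count_type() {
    awk -v t="$1:" '$5 == t { n++ } END { print n + 0 }'
}

# Pass when the listing on stdin has at least $1 entries of type $2.
check_keyring_listing() {
    min="$1"; type="$2"
    n=$(count_type "$type")
    [ "$n" -ge "$min" ]
}

# The mokvar table: the directory must exist and expose at least one
# variable (the comment above shows MokListRT, MokListXRT, SbatLevelRT).
check_mok_variables() {
    dir="${1:-/sys/firmware/efi/mok-variables}"
    [ -d "$dir" ] && [ "$(ls -A "$dir" 2>/dev/null | wc -l)" -gt 0 ]
}

# Live check of one keyring: $1 keyring name, $2 entry type expected in it.
# keyctl failing (keyring missing) yields an empty listing and thus a FAIL.
live_keyring() {
    if keyctl list "$1" 2>/dev/null | check_keyring_listing 1 "$2"; then
        echo "PASS $1 has $2 entries"
    else
        echo "FAIL $1 has no $2 entries"; return 1
    fi
}

run_live_checks() {
    rc=0
    if check_mok_variables; then
        echo "PASS /sys/firmware/efi/mok-variables present"
    else
        echo "FAIL /sys/firmware/efi/mok-variables missing or empty"; rc=1
    fi
    # .blacklist holds dbx/MokListXRT hashes; .platform holds db/MokListRT certs.
    live_keyring "%:.blacklist" blacklist  || rc=1
    live_keyring "%:.platform"  asymmetric || rc=1
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

Note that the reporter's blacklist listing also contains one asymmetric entry (the revoked Canonical signing certificate), so a blacklist check should count "blacklist:" entries rather than total keys; likewise a platform keyring with only blacklist-type keys would still be wrong, which is why the type is checked, not just the count.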