** Changed in: linux-meta-azure (Ubuntu)
       Status: New => Invalid

** Changed in: linux-meta-kvm (Ubuntu)
       Status: New => Invalid

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Also affects: linux (Ubuntu Mantic)
   Importance: Medium
     Assignee: Tim Gardner (timg-tpi)
       Status: In Progress

** Also affects: linux-meta-azure (Ubuntu Mantic)
   Importance: Undecided
       Status: Invalid

** Also affects: linux-meta-kvm (Ubuntu Mantic)
   Importance: Undecided
       Status: Invalid

** Also affects: linux (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-azure (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-kvm (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-azure (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-kvm (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-azure (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: linux-meta-kvm (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Jammy)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Jammy)
       Status: New => In Progress

** Changed in: linux (Ubuntu Jammy)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Kinetic)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Kinetic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Kinetic)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Lunar)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Lunar)
       Status: New => In Progress

** Changed in: linux (Ubuntu Lunar)
     Assignee: (unassigned) => Tim Gardner (timg-tpi)

** Description changed:

+ SRU Justification
+ 
+ [Impact]
+ 
  The kvm flavours currently do not enable dm-verity. This stops us from
  using integrity protected and verified images in VMs using this kernel
  flavour.
+ 
+ [Fix]
  
  Please consider enabling the following kconfigs:
  
  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_IMA_ARCH_POLICY
  
  (The latter is needed to ensure that MoK keys can be used to verify dm-
  verity images too, via the machine keyring linked to the secondary
  keyring)
  
  These are already enabled in the 'main' kernel config, and in other
  distros.
  
  As a specific and explicit use case, in the systemd project we want to
  test functionality provided by systemd that needs these kconfigs on
  Ubuntu machines running the kvm flavour kernel.
+ 
+ [Regression Potential]
+ 
+ MOK keys may not be correctly read.
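Review bot: the added [Regression Potential] entry, "MOK keys may not be correctly read.", does not say what the consequence would be on the kvm flavour or how it would be noticed. Suggest stating the observable failure (for example, a MoK-signed dm-verity root hash being rejected at image activation), and adding a [Test Case] section between [Fix] and [Regression Potential] describing how to confirm that the four listed kconfigs are enabled and that a signed image verifies.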

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title:
  linux-*: please enable dm-verity kconfigs to allow MoK/db verified
  root images

Status in linux package in Ubuntu:
  In Progress
Status in linux-meta-azure package in Ubuntu:
  Invalid
Status in linux-meta-kvm package in Ubuntu:
  Invalid
Status in linux source package in Jammy:
  In Progress
Status in linux-meta-azure source package in Jammy:
  New
Status in linux-meta-kvm source package in Jammy:
  New
Status in linux source package in Kinetic:
  In Progress
Status in linux-meta-azure source package in Kinetic:
  New
Status in linux-meta-kvm source package in Kinetic:
  New
Status in linux source package in Lunar:
  In Progress
Status in linux-meta-azure source package in Lunar:
  New
Status in linux-meta-kvm source package in Lunar:
  New
Status in linux source package in Mantic:
  In Progress
Status in linux-meta-azure source package in Mantic:
  Invalid
Status in linux-meta-kvm source package in Mantic:
  Invalid

Bug description:
  SRU Justification

  [Impact]

  The kvm flavours currently do not enable dm-verity. This stops us from
  using integrity protected and verified images in VMs using this kernel
  flavour.

  [Fix]

  Please consider enabling the following kconfigs:

  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_IMA_ARCH_POLICY

  (The latter is needed to ensure that MoK keys can be used to verify
  dm-verity images too, via the machine keyring linked to the secondary
  keyring)

  These are already enabled in the 'main' kernel config, and in other
  distros.

  As a specific and explicit use case, in the systemd project we want to
  test functionality provided by systemd that needs these kconfigs on
  Ubuntu machines running the kvm flavour kernel.

  [Regression Potential]

  MOK keys may not be correctly read.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2019040/+subscriptions
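
A way to confirm whether a given kernel build carries the four kconfigs requested in the bug description. This is an added example, not part of the bug report or the Ubuntu kernel packaging; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# The four options named in the bug description.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_IMA_ARCH_POLICY"

# kconfig_state FILE OPTION
# Prints y or m if the option is enabled, n otherwise. "n" covers both
# "# OPTION is not set" and an option that is absent from the file.
# The match is anchored on "OPTION=", so CONFIG_DM_VERITY does not
# accidentally match CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${val:-n}"
}

# missing_verity_kconfigs FILE
# Prints each required option that is not enabled, one per line.
# Returns 0 when all four are enabled, 1 otherwise.
missing_verity_kconfigs() {
    rc=0
    for opt in $REQUIRED_KCONFIGS; do
        if [ "$(kconfig_state "$1" "$opt")" = n ]; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config (not taken from any real kernel package):
# dm-verity and signature checking are on, but the secondary-keyring
# option is explicitly off and CONFIG_IMA_ARCH_POLICY is absent.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
EOF

missing_verity_kconfigs "$SAMPLE_CONFIG" || echo "(options above are not enabled in the sample config)"
```

On an installed Ubuntu kernel, the same function can be pointed at `/boot/config-$(uname -r)`.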

