This bug was fixed in the package linux - 6.11.0-7.7
---------------
linux (6.11.0-7.7) oracular; urgency=medium
* oracular/linux: 6.11.0-7.7 -proposed tracker (LP: #2079949)
* update apparmor and LSM stacking patch set (LP: #2028253)
- SAUCE: apparmor4.0.0 [1/99]: LSM: Infrastructure management of the sock
security
- SAUCE: apparmor4.0.0 [2/99]: LSM: Add the lsmblob data structure.
- SAUCE: apparmor4.0.0 [3/99]: LSM: Use lsmblob in security_audit_rule_match
- SAUCE: apparmor4.0.0 [4/99]: LSM: Call only one hook for audit rules
- SAUCE: apparmor4.0.0 [5/99]: LSM: Add lsmblob_to_secctx hook
- SAUCE: apparmor4.0.0 [6/99]: Audit: maintain an lsmblob in audit_context
- SAUCE: apparmor4.0.0 [7/99]: LSM: Use lsmblob in security_ipc_getsecid
- SAUCE: apparmor4.0.0 [8/99]: Audit: Update shutdown LSM data
- SAUCE: apparmor4.0.0 [9/99]: LSM: Use lsmblob in security_current_getsecid
- SAUCE: apparmor4.0.0 [10/99]: LSM: Use lsmblob in security_inode_getsecid
- SAUCE: apparmor4.0.0 [11/99]: Audit: use an lsmblob in audit_names
- SAUCE: apparmor4.0.0 [12/99]: LSM: Create new security_cred_getlsmblob LSM
hook
- SAUCE: apparmor4.0.0 [13/99]: Audit: Change context data from secid to
lsmblob
- SAUCE: apparmor4.0.0 [14/99]: Netlabel: Use lsmblob for audit data
- SAUCE: apparmor4.0.0 [15/99]: LSM: Ensure the correct LSM context releaser
- SAUCE: apparmor4.0.0 [16/99]: LSM: Use lsmcontext in
security_secid_to_secctx
- SAUCE: apparmor4.0.0 [17/99]: LSM: Use lsmcontext in
security_lsmblob_to_secctx
- SAUCE: apparmor4.0.0 [18/99]: LSM: Use lsmcontext in
security_inode_getsecctx
- SAUCE: apparmor4.0.0 [19/99]: LSM: lsmcontext in
security_dentry_init_security
- SAUCE: apparmor4.0.0 [20/99]: LSM: security_lsmblob_to_secctx module
selection
- SAUCE: apparmor4.0.0 [21/99]: Audit: Create audit_stamp structure
- SAUCE: apparmor4.0.0 [22/99]: Audit: Allow multiple records in an
audit_buffer
- SAUCE: apparmor4.0.0 [23/99]: Audit: Add record for multiple task security
contexts
- SAUCE: apparmor4.0.0 [24/99]: audit: multiple subject lsm values for
netlabel
- SAUCE: apparmor4.0.0 [25/99]: Audit: Add record for multiple object
contexts
- SAUCE: apparmor4.0.0 [26/99]: LSM: Remove unused lsmcontext_init()
- SAUCE: apparmor4.0.0 [27/99]: LSM: Improve logic in security_getprocattr
- SAUCE: apparmor4.0.0 [28/99]: LSM: secctx provider check on release
- SAUCE: apparmor4.0.0 [29/99]: LSM: Single calls in socket_getpeersec hooks
- SAUCE: apparmor4.0.0 [30/99]: LSM: Exclusive secmark usage
- SAUCE: apparmor4.0.0 [31/99]: LSM: Identify which LSM handles the context
string
- SAUCE: apparmor4.0.0 [32/99]: AppArmor: Remove the exclusive flag
- SAUCE: apparmor4.0.0 [33/99]: LSM: Add mount opts blob size tracking
- SAUCE: apparmor4.0.0 [34/99]: LSM: allocate mnt_opts blobs instead of
module
specific data
- SAUCE: apparmor4.0.0 [35/99]: LSM: Infrastructure management of the key
security blob
- SAUCE: apparmor4.0.0 [36/99]: LSM: Infrastructure management of the
mnt_opts
security blob
- SAUCE: apparmor4.0.0 [37/99]: LSM: Remove lsmblob scaffolding
- SAUCE: apparmor4.0.0 [38/99]: LSM: Allow reservation of netlabel
- SAUCE: apparmor4.0.0 [39/99]: LSM: restrict security_cred_getsecid() to a
single LSM
- SAUCE: apparmor4.0.0 [40/99]: Smack: Remove LSM_FLAG_EXCLUSIVE
- SAUCE: apparmor4.0.0 [41/99]: LSM stacking v39: UBUNTU: SAUCE:
apparmor4.0.0
[41/99]: add/use fns to print hash string hex value
- SAUCE: apparmor4.0.0 [42/99]: patch to provide compatibility with v2.x net
rules
- SAUCE: apparmor4.0.0 [43/99]: add unpriviled user ns mediation
- SAUCE: apparmor4.0.0 [44/99]: Add sysctls for additional controls of
unpriv
userns restrictions
- SAUCE: apparmor4.0.0 [45/99]: af_unix mediation
- SAUCE: apparmor4.0.0 [46/99]: Add fine grained mediation of posix mqueues
- SAUCE: apparmor4.0.0 [47/99] fixup inode_set_attr
- SAUCE: apparmor4.0.0 [48/99]: setup slab cache for audit data
- SAUCE: apparmor4.0.0 [49/99]: Improve debug print infrastructure
- SAUCE: apparmor4.0.0 [50/99]: add the ability for profiles to have a
learning cache
- SAUCE: apparmor4.0.0 [51/99]: enable userspace upcall for mediation
- SAUCE: apparmor4.0.0 [52/99]: prompt - lock down prompt interface
- SAUCE: apparmor4.0.0 [53/99]: prompt - allow controlling of caching of a
prompt response
- SAUCE: apparmor4.0.0 [54/99]: prompt - add refcount to audit_node in prep
or
reuse and delete
- SAUCE: apparmor4.0.0 [55/99]: prompt - refactor to moving caching to
uresponse
- SAUCE: apparmor4.0.0 [56/99]: prompt - Improve debug statements
- SAUCE: apparmor4.0.0 [57/99]: prompt - fix caching
- SAUCE: apparmor4.0.0 [58/99]: prompt - rework build to use append fn, to
simplify adding strings
- SAUCE: apparmor4.0.0 [59/99]: prompt - refcount notifications
- SAUCE: apparmor4.0.0 [60/99]: prompt - add the ability to reply with a
profile name
- SAUCE: apparmor4.0.0 [61/99]: prompt - fix notification cache when
updating
- SAUCE: apparmor4.0.0 [62/99]: prompt - add tailglob on name for cache
support
- SAUCE: apparmor4.0.0 [63/99]: prompt - allow profiles to set prompts as
interruptible
- SAUCE: apparmor4.0.0 [64/93] v6.8 prompt:fixup interruptible
- SAUCE: apparmor4.0.0 [65/99]: prompt - add support for advanced filtering
of
notifications
- SAUCE: apparmor4.0.0 [66/99]: userns - add the ability to reference a
global
variable for a feature value
- SAUCE: apparmor4.0.0 [67/99]: userns - make it so special unconfined
profiles can mediate user namespaces
- SAUCE: apparmor4.0.0 [68/99]: add io_uring mediation
- SAUCE: apparmor4.0.0 [69/99]: apparmor: fix oops when racing to retrieve
notification
- SAUCE: apparmor4.0.0 [70/99]: apparmor: fix notification header size
- SAUCE: apparmor4.0.0 [71/99]: apparmor: fix request field from a prompt
reply that denies all access
- SAUCE: apparmor4.0.0 [72/99]: apparmor: open userns related sysctl so lxc
can check if restriction are in place
- SAUCE: apparmor4.0.0 [73/99]: apparmor: cleanup attachment perm lookup to
use lookup_perms()
- SAUCE: apparmor4.0.0 [74/99]: apparmor: remove redundant unconfined check.
- SAUCE: apparmor4.0.0 [75/99]: apparmor: switch signal mediation to using
RULE_MEDIATES
- SAUCE: apparmor4.0.0 [76/99]: apparmor: ensure labels with more than one
entry have correct flags
- SAUCE: apparmor4.0.0 [77/99]: apparmor: remove explicit restriction that
unconfined cannot use change_hat
- SAUCE: apparmor4.0.0 [78/99]: apparmor: cleanup: refactor file_perm() to
provide semantics of some checks
- SAUCE: apparmor4.0.0 [79/99]: apparmor: carry mediation check on label
- SAUCE: apparmor4.0.0 [80/99]: apparmor: convert easy uses of unconfined()
to
label_mediates()
- SAUCE: apparmor4.0.0 [81/99]: apparmor: add additional flags to extended
permission.
- SAUCE: apparmor4.0.0 [82/99]: apparmor: add support for profiles to define
the kill signal
- SAUCE: apparmor4.0.0 [83/99]: apparmor: fix x_table_lookup when stacking
is
not the first entry
- SAUCE: apparmor4.0.0 [84/99]: apparmor: allow profile to be transitioned
when a user ns is created
- SAUCE: apparmor4.0.0 [85/99]: apparmor: add ability to mediate caps with
policy state machine
- SAUCE: apparmor4.0.0 [86/99]: fixup notify
- SAUCE: apparmor4.0.0 [87/99]: apparmor: add fine grained ipv4/ipv6
mediation
- SAUCE: apparmor4.0.0 [88/99]: apparmor: disable tailglob responses for now
- SAUCE: apparmor4.0.0 [89/99]: apparmor: Fix notify build warnings
- SAUCE: apparmor4.0.0 [90/99]: fix reserved mem for when we save ipv6
addresses
- SAUCE: apparmor4.0.0 [91/99]: fix address mapping for recvfrom
- SAUCE: apparmor4.0.0 [92/99]: apparmor: add support for 2^24 states to the
dfa state machine.
- SAUCE: apparmor4.0.0 [93/99]: apparmor: advertise to userspace support of
user upcall for file rules.
- SAUCE: apparmor4.0.0 [94/99]: apparmor: allocate xmatch for nullpdf inside
aa_alloc_null
- SAUCE: apparmor4.0.0 [95/99]: apparmor: properly handle cx/px lookup
failure
for complain
- SAUCE: apparmor4.0.0 [96/99]: apparmor: fix prompt failing during large
down
loads
- SAUCE: apparmor4.0.0 [97/99]: apparmor: fix allow field in notification
- SAUCE: apparmor4.0.0 [98/99]: fix build error with !CONFIG_SECURITY
- SAUCE: apparmor4.0.0 [99/99]: fix build error with in nfs4xdr
* Intel Lunar Lake / Battlemage enablement (LP: #2076209)
- drm/xe/lnl: Drop force_probe requirement
- drm/xe: Support 'nomodeset' kernel command-line option
- drm/i915/display: Plane capability for 64k phys alignment
- drm/xe: Align all VRAM scanout buffers to 64k physical pages when needed.
- drm/xe: Use separate rpm lockdep map for non-d3cold-capable devices
- drm/xe: Fix NPD in ggtt_node_remove()
- drm/xe/bmg: Drop force_probe requirement
- drm/xe/gsc: Fix FW status if the firmware is already loaded
- drm/xe/gsc: Track the platform in the compatibility version
- drm/xe/gsc: Wedge the device if the GSCCS reset fails
- drm/i915/bios: Update new entries in VBT BDB block definitions
- drm/xe/hwmon: Treat hwmon as a per-device concept
- drm/xe: s/xe_tile_migrate_engine/xe_tile_migrate_exec_queue
- drm/xe: Add xe_vm_pgtable_update_op to xe_vma_ops
- drm/xe: Add xe_exec_queue_last_fence_test_dep
- drm/xe: Add timeout to preempt fences
- drm/xe: Convert multiple bind ops into single job
- drm/xe: Update VM trace events
- drm/xe: Update PT layer with better error handling
- drm/xe: Add VM bind IOCTL error injection
- dma-buf: Split out dma fence array create into alloc and arm functions
- drm/xe: Invalidate media_gt TLBs in PT code
- drm/i915/display: Fix BMG CCS modifiers
- drm/xe: Use xe_pm_runtime_get in xe_bo_move() if reclaim-safe.
- drm/xe: Remove extra dma_fence_put on xe_sync_entry_add_deps failure
* [24.10 FEAT] [KRN1911] Vertical CPU Polarization Support Stage 2
(LP: #2072760)
- s390/wti: Introduce infrastructure for warning track interrupt
- s390/wti: Prepare graceful CPU pre-emption on wti reception
- s390/wti: Add wti accounting for missed grace periods
- s390/wti: Add debugfs file to display missed grace periods per cpu
- s390/topology: Add sysctl handler for polarization
- s390/topology: Add config option to switch to vertical during boot
- s390/smp: Add cpu capacities
- s390/hiperdispatch: Introduce hiperdispatch
- s390/hiperdispatch: Add steal time averaging
- s390/hiperdispatch: Add trace events
- s390/hiperdispatch: Add hiperdispatch sysctl interface
- s390/hiperdispatch: Add hiperdispatch debug attributes
- s390/hiperdispatch: Add hiperdispatch debug counters
- [Config] Initial set of new options HIPERDISPATCH_ON and
SCHED_TOPOLOGY_VERTICAL to yes for s390x
* Remove non-LPAE kernel flavor (LP: #2025265)
- [Packaging] Drop control.d/vars.generic-lpae
* generate and ship vmlinux.h to allow packages to build BPF CO-RE
(LP: #2050083)
- [Packaging] Don't call dh_all on linux-bpf-dev unless on master kernel
* Miscellaneous Ubuntu changes
- [Config] updateconfigs following v6.11-rc7 rebase
-- Timo Aaltonen <timo.aalto...@canonical.com> Mon, 09 Sep 2024
13:38:09 +0300
** Changed in: linux (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2033007
Title:
kdump doesn't work with UEFI secure boot and kernel lockdown enabled
on ARM64
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Focal:
In Progress
Status in linux source package in Jammy:
Fix Released
Status in linux source package in Lunar:
Fix Released
Status in linux source package in Noble:
Fix Released
Bug description:
[Impact]
The kdump service operates by utilizing the kexec_file_load system call,
which loads a new kernel image intended for subsequent execution.
However, this process encounters a hindrance if the
CONFIG_KEXEC_IMAGE_VERIFY_SIG option isn't enabled to facilitate signature
verification.
In addition, a noteworthy point is that if the kernel image is signed with a
MOK,
it will face rejection due to ARM64's reliance solely on the
.builtin_trusted_keys for verification purposes.
To enhance flexibility, it's suggested that we align the behavior on x86
platforms.
This alignment could potentially involve expanding the scope to encompass
more keyrings, such as .secondary_trusted_keys and platform keyrings,
thereby broadening the options available for verification mechanisms.
[Fix]
Enabling the CONFIG_KEXEC_IMAGE_VERIFY_SIG option is necessary,
along with the incorporation of two specific commits, in order to enhance the
capabilities of the kexec_file_load system call on ARM64.
The commits that need to be applied are as follows:
c903dae8941d kexec, KEYS: make the code in bzImage64_verify_sig generic
0d519cadf751 arm64: kexec_file: use more system keyrings to verify kernel
image signature
[Test Plan]
1. Set up a VM with UEFI secure boot and enabled kernel lockdown on ARM64
2. Install 'kdump-tools'
sudo apt install linux-crashdump
3. Reboot and verify kdump status with 'kdump-config show'
root@ubuntu:~# kdump-config show
DUMP_MODE: kdump
USE_KDUMP: 1
KDUMP_COREDIR: /var/crash
crashkernel addr: 0xde000000
/var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinuz-5.15.0-78-generic
kdump initrd:
/var/lib/kdump/initrd.img: symbolic link to
/var/lib/kdump/initrd.img-5.15.0-78-generic
current state: Not ready to kdump
kexec command:
/sbin/kexec -p -s
--command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-79-generic
root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0
reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1"
--initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
4. Check the log using 'systemctl status kdump-tools'
Aug 24 06:08:39 ubuntu systemd[1]: Starting Kernel crash dump capture
service...
Aug 24 06:08:39 ubuntu kdump-tools[1750]: Starting kdump-tools:
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink
/var/lib/kdump/vmlinuz
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * Creating symlink
/var/lib/kdump/initrd.img
Aug 24 06:08:39 ubuntu kdump-tools[1755]: * /sbin/kexec -p -s
--command-line="BOOT_IMAGE=/boot/vmlinuz-5.15.0-78-generic
root=UUID=63e4c69f-fb47-4a54-8ef1-c955ae9a9a50 ro console=tty1 console=ttyS0
reset_devices systemd.unit=kdump-tools-dump.service nr_cpus=1"
--initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
Aug 24 06:08:41 ubuntu kernel: [ 403.301008] Lockdown: kexec: kexec of
unsigned images is restricted; see man kernel_lockdown.7
Aug 24 06:08:41 ubuntu kdump-tools[1755]: * failed to load kdump kernel
Aug 24 06:08:41 ubuntu kdump-tools: failed to load kdump kernel
Aug 24 06:08:41 ubuntu systemd[1]: Finished Kernel crash dump capture service.
[Where problems could occur]
The problem is specific to kexec image signature verification on ARM64.
This change allows additional keyrings and impacts only the ARM64
kexec_file_load system call.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2033007/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
