launchpad archive-generated kmod signing keys should use extendedKeyUsage

Bug #1774746 reported by Steve Langasek
Affects: Launchpad itself
Status: Fix Released
Assigned to: Andy Whitcroft

Bug Description

The launchpad key generation code currently generates keys with keyUsage=digitalSignature. This means that such a key, if enrolled in MOK or db in a user's UEFI firmware, would be trusted for signatures of bootloaders, kernels, and kernel modules.

In consultation with the Security Team, the constraints applied to the key used for signing of dkms modules on end-users' systems include As implemented in shim, this identifies the key as only to be trusted for signing of kernel modules.

As per /usr/lib/shim/mok/openssl.cnf:

# We use extended key usage information to limit what this auto-generated
# key can be used for.
# codeSigning: specifies that this key is used to sign code.
# defines this key as used for module signing
# only. See
extendedKeyUsage = codeSigning,

Launchpad should implement this same policy for its kmod signing keys, to support granting least privilege to keys that should never be used for signing bootloaders or kernels.

(No firmware implementations are known to recognize this key usage OID; so such keys installed to db instead of MOK would still be trusted by the firmware for signing of all UEFI objects. So kmodsign keys should be registered in MOK and not in db where possible, to take advantage of this information.)

tags: added: id-5b11b18e5506de3edd3f0651
Andy Whitcroft (apw)
Changed in launchpad:
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
Colin Watson (cjwatson)
tags: added: lp-soyuz soyuz-publish
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Andy Whitcroft (apw) wrote :

Threw some test builds at dogfood. Examining the public key components, the kmod key has the expected extensions and the opal keys do not:

$ openssl x509 -in ~/Downloads/opal.x509 -inform DER -text | grep 'Code'
$ openssl x509 -in ~/Downloads/kmod.x509 -inform DER -text | grep 'Code'
                Code Signing,

tags: added: qa-ok
tags: removed: qa-needstesting
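As an added example (not Launchpad's, shim's or the reporter's code): a POSIX shell script that builds two throwaway self-signed certificates, one with the keyUsage/extendedKeyUsage policy described in the bug and one with keyUsage=digitalSignature only, and checks each for the Code Signing EKU with the same openssl x509 command the QA comment above uses. It assumes openssl is on the PATH and uses only the codeSigning value, leaving out the shim-specific module-signing OID quoted from openssl.cnf.

```shell
#!/bin/sh
# Added example: a kmod-style key (digitalSignature + codeSigning EKU) next to
# a plain digitalSignature key, each checked the way the QA comment does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed config. v3_kmod mirrors the keyUsage/extendedKeyUsage lines
# quoted from /usr/lib/shim/mok/openssl.cnf; the shim-specific module-signing
# OID is intentionally omitted, so this shows only the codeSigning part.
cat > "$WORK/signing.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = example kmod signing key (constructed)
[ v3_plain ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
[ v3_kmod ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
EOF

# gen_cert NAME SECTION: self-signed RSA cert in DER form, like the .x509
# files inspected in the comment. Writes $WORK/NAME.x509 and $WORK/NAME.key.
gen_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/signing.cnf" -extensions "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.x509" -outform DER 2>/dev/null
}

# has_code_signing_eku FILE: exit 0 if the DER cert carries the codeSigning EKU.
has_code_signing_eku() {
    openssl x509 -in "$1" -inform DER -noout -text | grep -q 'Code Signing'
}

gen_cert kmod v3_kmod
gen_cert plain v3_plain
for n in kmod plain; do
    if has_code_signing_eku "$WORK/$n.x509"; then
        echo "$n.x509: codeSigning EKU present (MOK-enrollable kmod key)"
    else
        echo "$n.x509: no EKU, trusted for any signature if enrolled"
    fi
done
```

Enrolling the first certificate in MOK lets shim limit it as the bug describes, while the second would be trusted for bootloaders and kernels as well.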
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Committed → Fix Released