Date | Who | What | Old value | New value | Message
2021-09-01 10:27:51 | Dimitri John Ledkov | bug | | | added bug
2021-10-05 10:43:25 | Dimitri John Ledkov | description |
When booting with UEFI, mokvar table and %:.platform keyring must be available |
[Impact]
* When booting with UEFI, mokvar table and %:.platform keyring must be available. These are required for builtin revocation certificates to be present, shim builtin certificates to be present and thus support to signed & verified kexec present. It also allows revocation of signed lrm and livepatch drivers which are trusted by this kernel.
* The kvm annotations are very minimal, v3 format, and the parent kernel's annotations are not enforced.
[Test Plan]
* Check that /sys/firmware/efi/mok-variables/ is available
* Check that %:.blacklist keyring is populated
$ sudo keyctl list %:.blacklist
* Check that %:.platform keyring is populated
$ sudo keyctl list %:.platform
[Where problems could occur]
* Given how small the kvm config is, it is not clear if all of lockdown features are correctly enabled. Specifically measuring and appraising things with integrity framework. It is possible further config changes will be required to make kvm flavour as hardened as generic one.
[Other Info]
* This issue was discovered whilst working on https://bugs.launchpad.net/bugs/1928679 and https://bugs.launchpad.net/bugs/1932029 |
|
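A verification script for the test plan in the description above, added here as an example; it is not part of the bug report or of the Ubuntu kernel packaging. It checks that /sys/firmware/efi/mok-variables/ exists and is non-empty and that the %:.blacklist and %:.platform keyrings report at least one key, by parsing the header line that `keyctl list` (from keyutils) prints ("N keys in keyring:" or "keyring is empty"). The path and keyring names are taken from the test plan; the output-format assumption and the sample listing used for the offline self-check are mine.

```shell
#!/bin/sh
# Added example (not from the bug report): verification script for the
# [Test Plan] items of this SRU. The keyctl output format assumed here is
# the usual header line "N keys in keyring:" / "keyring is empty".

MOKVAR_DIR="${MOKVAR_DIR:-/sys/firmware/efi/mok-variables}"

# Return 0 when the given directory exists and contains at least one entry
# (on a UEFI system booted through shim this holds e.g. MokListRT).
mokvar_present() {
    dir="${1:-$MOKVAR_DIR}"
    [ -d "$dir" ] || return 1
    [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Read `keyctl list` output on stdin and print the number of keys it reports.
# Only the first line matters: "N keys in keyring:" or "keyring is empty".
# Empty input (keyctl failed or keyring unreadable) prints nothing.
count_keys() {
    awk 'NR == 1 {
        if ($0 ~ /keyring is empty/) { print 0 } else { print $1 }
        exit
    }'
}

# Return 0 when the named keyring (e.g. %:.platform) holds at least one key.
# Listing the system keyrings needs root, hence the sudo from the test plan.
keyring_populated() {
    n=$(sudo keyctl list "$1" 2>/dev/null | count_keys)
    [ "${n:-0}" -gt 0 ]
}

# Run the three checks from the test plan and report each one; exit status
# is non-zero if any check failed.
run_checks() {
    rc=0
    if mokvar_present; then
        echo "PASS: $MOKVAR_DIR is present and non-empty"
    else
        echo "FAIL: $MOKVAR_DIR missing or empty"; rc=1
    fi
    for kr in %:.blacklist %:.platform; do
        if keyring_populated "$kr"; then
            echo "PASS: keyring $kr is populated"
        else
            echo "FAIL: keyring $kr is empty or unreadable"; rc=1
        fi
    done
    return $rc
}

# Constructed sample of `keyctl list` output (not captured from a real
# system), used to exercise count_keys without root or a UEFI machine.
SAMPLE_LISTING='2 keys in keyring:
123456789: ---lswrv     0     0 asymmetric: Example Secure Boot CA (constructed)
987654321: ---lswrv     0     0 blacklist: bin:0123abcd (constructed)'

# Offline self-check of the parser against the constructed sample.
selftest() {
    [ "$(printf '%s\n' "$SAMPLE_LISTING" | count_keys)" = "2" ] &&
    [ "$(printf 'keyring is empty\n' | count_keys)" = "0" ]
}

# Live checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_checks
else
    selftest && echo "count_keys self-check OK (use --run for the live checks)"
fi
```

Run it as `sudo sh check-mok.sh --run` on the booted kernel under verification; each line of output maps to one bullet of the test plan, and the exit status is non-zero if any of them fails.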
2021-10-14 15:16:55 | Kleber Sacilotto de Souza | nominated for series | | Ubuntu Impish |
2021-10-14 15:16:55 | Kleber Sacilotto de Souza | bug task added | | linux-kvm (Ubuntu Impish) |
2021-10-14 15:28:50 | Kleber Sacilotto de Souza | linux-kvm (Ubuntu Impish): status | New | Fix Committed |
2021-10-27 11:36:53 | Ubuntu Kernel Bot | tags | | verification-needed-impish |
2021-11-03 12:24:41 | Dimitri John Ledkov | tags | verification-needed-impish | verification-done-impish |
2021-11-08 14:31:21 | Launchpad Janitor | linux-kvm (Ubuntu Impish): status | Fix Committed | Fix Released |
2021-11-08 14:31:21 | Launchpad Janitor | cve linked | | 2021-3759 |
2021-11-23 16:06:07 | Launchpad Janitor | linux-kvm (Ubuntu): status | Fix Committed | Fix Released |
2021-11-23 16:06:07 | Launchpad Janitor | cve linked | | 2021-3744 |
2021-11-23 16:06:07 | Launchpad Janitor | cve linked | | 2021-3764 |