Check if EFI signatures are revoked at build time
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux-signed (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
[ Impact ]
* Recent kernels expose built-in trusted and revoked certificates. See https:/
* When kernels expose such information, it is prudent to check if the freshly signed EFI binaries are actually revoked. And fail the build in such cases.
* This ensures that a given signed kernel, can perform verified kexec for quick-reboot or for kdump purposes.
* This also helps with key rotations, in case kernel is routed to be signed with the wrong key due to miss-configuration of the build.
[ Test Plan ]
* Add test-build PPA certificate as revoked
* Perform a test-build crank of linux & linux-signed, in test-build PPA
* linux-signed should FTBFS in test-build PPA
* Copy linux and linux-signed with binaries to a personal PPA, linux-signed should complete the build correctly
[ Where problems could occur ]
* Each individual linux-signed package needs to add a build-dep on all buildinfo packages of all EFI signed flavours on EFI signed arches
* The verification is done on EFI signed binaries only for now. OPAL & SIPL signing checks might be implemented in the future
| Changed in linux-signed (Ubuntu): | |
| status: | New → Confirmed |
| description: | updated |
| summary: |
- Fail the build if EFI binaries are signed with revoked keys + Check if EFI signatures are revoked at build |
| summary: |
- Check if EFI signatures are revoked at build + Check if EFI signatures are revoked at build time |
