Comment 0 for bug 1996955

Dimitri John Ledkov (xnox) wrote : Fail the build if EFI binaries are signed with revoked keys

[ Impact ]

 * Recent kernels expose built-in trusted and revoked certificates. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1996892

 * When kernels expose such information, it is prudent to check if the freshly signed EFI binaries are actually revoked, and fail the build in such cases.

 * This ensures that a given signed kernel can perform verified kexec for quick-reboot or for kdump purposes.

 * This also helps with key rotations, in case the kernel is routed to be signed with the wrong key due to misconfiguration of the build.

[ Test Plan ]

 * Add test-build PPA certificate as revoked
 * Perform a test-build crank of linux & linux-signed, in test-build PPA
 * linux-signed should FTBFS in test-build PPA
 * Copy linux and linux-signed with binaries to a personal PPA, linux-signed should complete the build correctly

[ Where problems could occur ]

 * Each individual linux-signed package needs to add a build-dep on all buildinfo packages of all EFI signed flavours on EFI signed arches
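
One way to express the check described under [ Impact ], as an added example that is not part of the bug report or of the linux-signed packaging. It assumes the revoked certificates are available as PEM files in one directory (the function name, its arguments and the exit codes are hypothetical) and that `sbverify` from sbsigntool is installed.

```shell
#!/bin/sh
# Added example: fail a build step when a signed EFI binary verifies
# against a certificate that is on the revoked list.
# Assumption: revoked certificates are PEM files named *.pem in one directory.
SBVERIFY="${SBVERIFY:-sbverify}"   # override to use a different sbverify binary

# check_not_revoked REVOKED_DIR BINARY...
#   0  no binary verifies against any revoked certificate
#   1  at least one binary is signed by a revoked certificate
#   2  the check could not be performed (missing binary or no certificates)
check_not_revoked() {
    revoked_dir=$1
    shift
    result=0
    seen_cert=0

    # A missing binary would make sbverify fail, which must not be
    # mistaken for "not signed by a revoked key".
    for bin in "$@"; do
        [ -r "$bin" ] || { echo "cannot read $bin" >&2; return 2; }
    done

    for cert in "$revoked_dir"/*.pem; do
        [ -e "$cert" ] || continue      # glob matched nothing
        seen_cert=1
        for bin in "$@"; do
            # sbverify exits 0 when the signature validates against --cert,
            # so success against a revoked certificate is the failure case.
            if "$SBVERIFY" --cert "$cert" "$bin" >/dev/null 2>&1; then
                echo "REVOKED: $bin verifies against $cert" >&2
                result=1
            fi
        done
    done

    # An empty list is reported separately so the caller can decide whether
    # a missing revocation list (e.g. a missing build-dep) is an error.
    if [ "$seen_cert" -eq 0 ]; then
        echo "no revoked certificates found in $revoked_dir" >&2
        return 2
    fi
    return "$result"
}
```

Exit code 2 keeps a missing revocation list distinct from a clean result, which matters for the build-dependency risk noted under [ Where problems could occur ].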