signing: only install a signed kernel
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | | High | Unassigned | |
| Trusty | | High | Andy Whitcroft | |
| Xenial | | High | Andy Whitcroft | |
Bug Description
We should switch the default kernel install to the signed kernel. This makes it much harder to uninstall the signed kernel in environments which enforce the kernel to be signed. Boot loaders which can understand and validate it want the signed image, those which do not should ignore the appended signature.
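The distinction the description draws (boot loaders that validate want the signed image, others ignore the appended signature) is visible in the image file itself. The following Python is an added example, not code from this bug or from the Ubuntu packaging: it reports whether a kernel image carries an Authenticode certificate table in its PE/EFI header or a sign-file style appended signature trailer, without validating either. The trailer layout (the kernel's `struct module_signature` followed by the `~Module signature appended~` magic) and the two sample builders are assumptions for illustration; the sample images are constructed, not real kernels.

```python
import struct

SIG_MAGIC = b"~Module signature appended~\n"   # trailer written by the kernel's sign-file tool
PKEY_ID_PKCS7 = 2                              # id_type of a PKCS#7 appended signature


def appended_signature_len(data: bytes) -> int:
    """Length of the PKCS#7 blob if DATA ends in an appended signature, else 0."""
    if len(data) < 12 + len(SIG_MAGIC) or not data.endswith(SIG_MAGIC):
        return 0
    end = len(data) - len(SIG_MAGIC)
    # struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], sig_len (BE)
    _, _, id_type, _, _, sig_len = struct.unpack(">BBBBB3xI", data[end - 12:end])
    return sig_len if id_type == PKEY_ID_PKCS7 and 0 < sig_len <= end - 12 else 0


def pe_certificate_table(data: bytes) -> tuple:
    """(offset, size) of a PE image's Authenticode certificate table, or (0, 0)."""
    try:
        if data[:2] != b"MZ":
            return (0, 0)
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return (0, 0)
        opt = pe_off + 24                                           # optional header after COFF header
        dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", data, opt)[0])
        if dirs is None or struct.unpack_from("<I", data, opt + dirs - 4)[0] < 5:
            return (0, 0)                                           # not PE32/PE32+, or no entry 4
        off, size = struct.unpack_from("<II", data, opt + dirs + 4 * 8)   # entry 4: certificates
    except struct.error:                                            # truncated headers
        return (0, 0)
    return (off, size) if size and off + size <= len(data) else (0, 0)


def is_signed_kernel(data: bytes) -> bool:
    """True if the image carries a signature a validating boot loader could check."""
    return pe_certificate_table(data)[1] > 0 or appended_signature_len(data) > 0


# Constructed samples, not real kernels: a minimal PE32+ header, and a raw image plus trailer.
def sample_pe32plus(cert: bytes = b"") -> bytes:
    hdr = bytearray(0x58 + 152)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                         # e_lfanew -> PE signature
    struct.pack_into("<H", hdr, 0x58, 0x20B)                        # PE32+ optional header magic
    struct.pack_into("<I", hdr, 0x58 + 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 144, len(hdr), len(cert))   # certificate table entry
    return bytes(hdr) + cert


def sample_appended(image: bytes, sig: bytes) -> bytes:
    trailer = struct.pack(">BBBBB3xI", 0, 0, PKEY_ID_PKCS7, 0, 0, len(sig))
    return image + sig + trailer + SIG_MAGIC
```

A presence check like this only tells you which image variant is installed; whether the signature chains to a key the firmware or boot loader trusts is a separate verification step.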
Changed in linux (Ubuntu): status: New → Incomplete
Changed in linux (Ubuntu): status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote (#2):
This bug was fixed in the package linux - 4.15.0-19.20
---------------
linux (4.15.0-19.20) bionic; urgency=medium
* linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)
* Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
- Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
- Revert "genirq/affinity: assign vectors to all possible CPUs"
linux (4.15.0-18.19) bionic; urgency=medium
* linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)
* [regression] Ubuntu 18.04:[
meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
(LP: #1765429)
- powerpc/pseries: Fix clearing of security feature flags
* signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Config] signing -- enable Opal signing for ppc64el
- [Packaging] printenv -- add signing options
* [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
- [Packaging] signing -- add support for signing Opal kernel binaries
* Please cherrypick s390 unwind fix (LP: #1765083)
- s390/compat: fix setup_frame32
* Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
[ipr] (LP: #1751813)
- d-i: move ipr to storage-
* drivers/
- SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm
* Miscellaneous Ubuntu changes
- [Packaging] Add linux-oem to rebuild test blacklist.
linux (4.15.0-17.18) bionic; urgency=medium
* linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)
* Eventual OOM with profile reloads (LP: #1750594)
- SAUCE: apparmor: fix memory leak when duplicate profile load
linux (4.15.0-16.17) bionic; urgency=medium
* linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)
* [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
- [Config]: Set CONFIG_
* [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
- SAUCE: usb: typec: ucsi: Increase command completion timeout value
* Fix trying to "push" an already active pool VP (LP: #1763386)
- SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP
* hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
- Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
userspace"
- Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
- scsi: hisi_sas: modify some register config for hip08
- scsi: hisi_sas: add v3 hw MODULE_
* Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
- misc: rtsx: Move Realtek Card Reader Driver to misc
- updateconfigs for Realtek Card Reader Driver
- misc: rtsx: Add support for RTS5260
- misc: rtsx: Fix symbol clashes
* Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
./include/
Changed in linux (Ubuntu): status: Fix Committed → Fix Released; description: updated
Changed in linux (Ubuntu Trusty): status: New → In Progress
Changed in linux (Ubuntu Xenial): status: New → In Progress
Changed in linux (Ubuntu Trusty): importance: Undecided → High
Changed in linux (Ubuntu Xenial): importance: Undecided → High
Changed in linux (Ubuntu): importance: Undecided → High
Changed in linux (Ubuntu Xenial): assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Trusty): assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Trusty): status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote (#3):
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-trusty
Jarno Suni (jarnos) wrote (#4):
Is there similar verification needed for Xenial?
Brad Figg (brad-figg) wrote (#5):
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-xenial
Jarno Suni (jarnos) wrote (#6):
Testing this required updating several packages from xenial-proposed.
In order to install them all I ran this:
sudo apt install -t=xenial-proposed linux-signed-
(which is something that is not mentioned in the previous document)
During its execution an error occurred; here is an extract of the relevant part of the output:
/etc/kernel/
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/
Setting up linux-headers-
Setting up linux-generic (4.4.0.143.150) ...
Processing triggers for linux-image-
/etc/kernel/
ERROR: Cannot create report: [Errno 17] File exists: '/var/crash/
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/
If I used the open source driver nouveau instead, I could test this, but I would not be able to use HDMI, IIRC. Well, I'll try.
Jarno Suni (jarnos) wrote (#7):
$ dpkg -l |grep 'linux.*-image.*'
ii linux-image-
ii linux-image-
ii linux-image-
ii linux-image-
ii linux-image-
ii linux-image-
ii linux-image-
ii linux-image-generic 4.4.0.143.150 amd64 Generic Linux kernel image
ii linux-signed-
ii linux-signed-
ii linux-signed-
ii linux-signed-
jarnos@
4.4.0-143-generic
tags: added: verification-done-xenial; removed: verification-needed-xenial
Doug McMahon (mc3man) wrote (#8):
This update breaks the use of nvidia drivers in both 14.04 & 16.04
See https:/
tags: added: verification-needed-xenial; removed: verification-done-xenial
Hi all,
The dkms build failures are not caused by the changes made for this bug report. They were caused by some changes to get_user_pages() we pulled from the 4.4 upstream stable (see bug 1818101 and bug 1818049).
Thank you.
tags: added: verification-done-xenial; removed: verification-needed-xenial
Working as expected as well with the Trusty kernel:
$ dpkg -l | grep 166
ii linux-generic 3.13.0.166.177 amd64 Complete Generic Linux kernel and headers
ii linux-headers-
ii linux-headers-
ii linux-headers-
ii linux-image-
ii linux-image-generic 3.13.0.166.177 amd64 Generic Linux kernel image
ii linux-modules-
ii linux-modules-
tags: added: verification-done-trusty; removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote (#11):
This bug was fixed in the package linux - 3.13.0-166.216
---------------
linux (3.13.0-166.216) trusty; urgency=medium
* linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)
* linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
- [Packaging] autoreconstruct -- base tag is always primary mainline version
* signing: only install a signed kernel (LP: #1764794)
- [Debian] usbip tools packaging
- [Debian] Don't fail if a symlink already exists
- [Debian] perf -- build in the context of the full generated local headers
- [Debian] basic hook support
- [Debian] follow rename of DEB_BUILD_PROFILES
- [Debian] standardise on stage1 for the bootstrap stage in line with debian
- [Debian] set do_*_tools after stage1 or bootstrap is determined
- [Debian] initscripts need installing when making the package
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Debian] add feature interlock with mainline builds
- [Debian] Remove generated intermediate files on clean
- [Packaging] prevent linux-*
packages
- SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
- [Debian] Update to new signing key type and location
- [Packaging] autoreconstruct -- generate extend-diff-ignore for links
- [Packaging] reconstruct -- update when inserting final changes
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] skip cloud tools packaging when not building package
- [debian] pre...
Changed in linux (Ubuntu Trusty): status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote (#12):
This bug was fixed in the package linux - 4.4.0-143.169
---------------
linux (4.4.0-143.169) xenial; urgency=medium
* linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)
* x86/kvm: Backport fixup and missing commits (LP: #1811646)
- KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
- kvm: nVMX: VMCLEAR an active shadow VMCS after last use
- X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
path as unlikely()
- kvm: x86: IA32_ARCH_
- KVM: SVM: Add MSR-based feature support for serializing LFENCE
- KVM: X86: Allow userspace to define the microcode version
- KVM: x86: SVM: Call x86_spec_
- KVM: VMX: fixes for vmentry_l1d_flush module parameter
- kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- kvm: vmx: Scrub hardware GPRs at VM-exit
- SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
- SAUCE: KVM: Move code fragments, cleanup and re-indent
* linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
* signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] zfs/spl -- enhance provides information
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] Add linux-tools-host package for VM host tools
- [Packaging] signing should be conditional
- [Packaging] skip cloud tools packaging when not building package
- [Packaging] add acpidbg
- [debian] prep linu...
Changed in linux (Ubuntu Xenial): status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
tags: added: cscc
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1764794
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.