signing: only install a signed kernel

Bug #1764794 reported by Andy Whitcroft on 2018-04-17
This bug affects 1 person

Affects                  Importance  Assigned to
linux (Ubuntu)           High        Unassigned
linux (Ubuntu Trusty)    High        Andy Whitcroft
linux (Ubuntu Xenial)    High        Andy Whitcroft

Bug Description

We should switch the default kernel install to the signed kernel. This makes it much harder to uninstall the signed kernel in environments which enforce the kernel to be signed. Boot loaders which can understand and validate it want the signed image, those which do not should ignore the appended signature.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1764794

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Seth Forshee (sforshee) on 2018-04-19
Changed in linux (Ubuntu):
status: Incomplete → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-19.20

---------------
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
    - Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
    - Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
    meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
    (LP: #1765429)
    - powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Config] signing -- enable Opal signing for ppc64el
    - [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
    - [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
    - s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
    [ipr] (LP: #1751813)
    - d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
    - SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
    - [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
    - SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
    - [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
    - SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
    - SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
      userspace"
    - Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
    - scsi: hisi_sas: modify some register config for hip08
    - scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC&DEV_5260] (LP: #1737673)
    - misc: rtsx: Move Realtek Card Reader Driver to misc
    - updateconfigs for Realtek Card Reader Driver
    - misc: rtsx: Add support for RTS5260
    - misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
    ./include/linux/net_dim.h (LP: #1...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Jarno Suni (jarnos) on 2018-07-06
description: updated
Andy Whitcroft (apw) on 2019-01-30
Changed in linux (Ubuntu Trusty):
status: New → In Progress
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Trusty):
assignee: nobody → Andy Whitcroft (apw)
Stefan Bader (smb) on 2019-02-04
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Stefan Bader (smb) on 2019-02-05
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Jarno Suni (jarnos) wrote :

Is there similar verification needed for Xenial?

Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Jarno Suni (jarnos) wrote :

Testing this required updating several packages from xenial-proposed.

In order to install them all I ran this:

sudo apt install -t=xenial-proposed linux-signed-generic linux-generic

(which is something that is not told in the previous document)

In its execution an error occurred; here is an extraction of the part of the output:

/etc/kernel/header_postinst.d/dkms:
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.104/build/make.log for more information.
Setting up linux-headers-generic (4.4.0.143.150) ...
Setting up linux-generic (4.4.0.143.150) ...
Processing triggers for linux-image-4.4.0-143-generic (4.4.0-143.169) ...
/etc/kernel/postinst.d/dkms:
ERROR: Cannot create report: [Errno 17] File exists: '/var/crash/nvidia-340.0.crash'
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.104/build/make.log for more information.

If I used the open source driver nouveau instead, I could test this, but I would not be able to use HDMI, IIRC. Well, I'll try.

Jarno Suni (jarnos) wrote :

$ dpkg -l |grep 'linux.*-image.*'
ii linux-image-4.4.0-140-generic 4.4.0-140.166 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-141-generic 4.4.0-141.167 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-142-generic 4.4.0-142.168 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-143-generic 4.4.0-143.169 amd64 Signed kernel image generic
ii linux-image-extra-4.4.0-140-generic 4.4.0-140.166 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-141-generic 4.4.0-141.167 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-extra-4.4.0-142-generic 4.4.0-142.168 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-generic 4.4.0.143.150 amd64 Generic Linux kernel image
ii linux-signed-image-4.4.0-140-generic 4.4.0-140.166 amd64 Signed kernel image generic
ii linux-signed-image-4.4.0-141-generic 4.4.0-141.167 amd64 Signed kernel image generic
ii linux-signed-image-4.4.0-142-generic 4.4.0-142.168 amd64 Signed kernel image generic
ii linux-signed-image-generic 4.4.0.142.148 amd64 Signed Generic Linux kernel image
jarnos@jarno-hp8510w:~/.init$ uname -r
4.4.0-143-generic

tags: added: verification-done-xenial
removed: verification-needed-xenial
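The bug description says the versioned linux-image package should now be the signed image, and the verification comment above checks that by eye in `dpkg -l` output (the "Signed kernel image generic" description). The script below is an added example, not code from the bug report or from the Ubuntu kernel packaging, that automates both halves of that check. It assumes two things: that an image with an appended signature ends with the kernel's module-signature trailer (raw signature bytes, the 12-byte `struct module_signature`, then the 28-byte magic `~Module signature appended~\n`), which is the format the ppc64el Opal images use, and that the PE-signed x86 images are out of scope for the trailer check (they would need `sbverify` instead). The sample dpkg lines are constructed from the output quoted on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report. Two checks for the "only install a
# signed kernel" change: does a given image carry an appended signature
# trailer, and does dpkg still list any unsigned versioned linux-image package?
#
# Assumption: the appended-signature trailer is the kernel's module-signature
# layout, <signature bytes><12-byte struct module_signature><28-byte magic>.
# x86 vmlinuz files are PE-signed, not appended-signed; use sbverify for those.

MAGIC='~Module signature appended~'

# Exit 0 if FILE ends with the appended-signature magic, 1 if not, 2 if unreadable.
has_appended_signature() {
    f=$1
    [ -r "$f" ] || return 2
    # The magic is 27 printable bytes plus a newline; tr drops the newline so
    # the command substitution compares cleanly against $MAGIC.
    [ "$(tail -c 28 "$f" | tr -d '\n')" = "$MAGIC" ]
}

# Print sig_len from struct module_signature: the big-endian u32 occupying
# bytes 8..11 of the 12-byte struct that sits just before the magic.
# The struct layout is algo, hash, id_type, signer_len, key_id_len, 3 pad
# bytes, then sig_len.
appended_signature_length() {
    f=$1
    has_appended_signature "$f" || return 1
    tail -c 40 "$f" | head -c 12 | tail -c 4 | od -An -tu1 \
        | awk '{ print (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# Read "dpkg -l" style lines on stdin and print the names of installed
# linux-image-<version> packages whose description does not start with
# "Signed". After this change the versioned linux-image package is expected
# to be the signed one (description "Signed kernel image generic" above);
# anything this prints is an older, unsigned image still on the system.
unsigned_image_packages() {
    awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ && $5 != "Signed" { print $2 }'
}

# Constructed sample, copied from the dpkg -l output quoted in the comment above.
sample_dpkg_output() {
    cat <<'EOF'
ii linux-image-4.4.0-142-generic 4.4.0-142.168 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-4.4.0-143-generic 4.4.0-143.169 amd64 Signed kernel image generic
ii linux-image-extra-4.4.0-142-generic 4.4.0-142.168 amd64 Linux kernel extra modules for version 4.4.0 on 64 bit x86 SMP
ii linux-image-generic 4.4.0.143.150 amd64 Generic Linux kernel image
ii linux-signed-image-4.4.0-142-generic 4.4.0-142.168 amd64 Signed kernel image generic
EOF
}

# Names of the unsigned versioned images in the sample, space separated on one line.
sample_unsigned_images() {
    sample_dpkg_output | unsigned_image_packages | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: report on the sample, and on the live system if dpkg is present.
echo "unsigned versioned images in sample: $(sample_unsigned_images)"
if command -v dpkg >/dev/null 2>&1; then
    echo "unsigned versioned images on this host:"
    dpkg -l | unsigned_image_packages
fi
```

On a live system, `has_appended_signature /boot/vmlinux-$(uname -r)` answers the trailer question for an Opal-signed image, and `dpkg -l | unsigned_image_packages` lists the images a "signed only" policy would still want removed; both functions return non-zero on a miss so they compose in scripts.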
Doug McMahon (mc3man) wrote :

This update breaks the use of nvidia drivers in both 14.04 & 16.04
See https://bugs.launchpad.net/ubuntu/+source/linux-meta-lts-xenial/+bug/1816768

tags: added: verification-needed-xenial
removed: verification-done-xenial

Hi all,

The dkms build failures are not caused by the changes made for this bug report. They were caused by some changes on get_user_pages() we pulled from the 4.4 upstream stable (see bug 1818101 and bug 1818049).

Thank you.

tags: added: verification-done-xenial
removed: verification-needed-xenial

Working as expected as well with the Trusty kernel:

$ dpkg -l | grep 166
ii linux-generic 3.13.0.166.177 amd64 Complete Generic Linux kernel and headers
ii linux-headers-3.13.0-166 3.13.0-166.216 all Header files related to Linux kernel version 3.13.0
ii linux-headers-3.13.0-166-generic 3.13.0-166.216 amd64 Linux kernel headers for version 3.13.0 on 64 bit x86 SMP
ii linux-headers-generic 3.13.0.166.177 amd64 Generic Linux kernel headers
ii linux-image-3.13.0-166-generic 3.13.0-166.216 amd64 Signed kernel image generic
ii linux-image-generic 3.13.0.166.177 amd64 Generic Linux kernel image
ii linux-modules-3.13.0-166-generic 3.13.0-166.216 amd64 Linux kernel extra modules for version 3.13.0 on 64 bit x86 SMP
ii linux-modules-extra-3.13.0-166-generic 3.13.0-166.216 amd64 Linux kernel extra modules for version 3.13.0 on 64 bit x86 SMP

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-166.216

---------------
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux
      packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] pre...


Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-143.169

---------------
linux (4.4.0-143.169) xenial; urgency=medium

  * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)

  * x86/kvm: Backport fixup and missing commits (LP: #1811646)
    - KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
    - kvm: nVMX: VMCLEAR an active shadow VMCS after last use
    - X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
    - KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
      path as unlikely()
    - kvm: x86: IA32_ARCH_CAPABILITIES is always supported
    - KVM: SVM: Add MSR-based feature support for serializing LFENCE
    - KVM: X86: Allow userspace to define the microcode version
    - KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
    - KVM: VMX: fixes for vmentry_l1d_flush module parameter
    - kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
    - kvm: vmx: Scrub hardware GPRs at VM-exit
    - SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
    - SAUCE: KVM: Move code fragments, cleanup and re-indent

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] zfs/spl -- enhance provides information
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] Add linux-tools-host package for VM host tools
    - [Packaging] signing should be conditional
    - [Packaging] skip cloud tools packaging when not building package
    - [Packaging] add acpidbg
    - [debian] prep linu...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released