2020-10-06 12:22:12 |
Dimitri John Ledkov |
bug |
|
|
added bug |
2020-10-06 12:22:29 |
Dimitri John Ledkov |
linux (Ubuntu): status |
New |
Incomplete |
|
2020-10-06 14:00:05 |
Dimitri John Ledkov |
description |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA |
|
2020-10-06 14:28:44 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Bionic |
|
2020-10-06 14:28:44 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Bionic) |
|
2020-10-06 14:28:44 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Focal |
|
2020-10-06 14:28:44 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Focal) |
|
2020-10-06 14:29:17 |
Dimitri John Ledkov |
description |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
[Target kernels]
bionic and up, across the board, but maybe excluding fips kernels?! |
|
2020-10-06 14:30:49 |
Dimitri John Ledkov |
description |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
[Target kernels]
bionic and up, across the board, but maybe excluding fips kernels?! |
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with SecureBoot, please add Canonical Livepatch service key as trusted in the kernel by default
* if a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
[Target kernels]
bionic and up, across the board, but maybe excluding fips kernels?!
[Patch]
https://lists.ubuntu.com/archives/kernel-team/2020-October/113929.html |
|
2020-10-06 14:31:05 |
Dimitri John Ledkov |
attachment added |
|
0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+attachment/5418376/+files/0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch |
|
2020-10-06 14:31:13 |
Dimitri John Ledkov |
linux (Ubuntu): status |
Incomplete |
Triaged |
|
2020-10-06 16:28:47 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2020-10-06 16:28:48 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Terry Rudd |
2020-10-14 15:45:34 |
Matthieu Clemenceau |
tags |
patch |
fr-797 patch |
|
2021-02-19 09:15:06 |
Stefan Bader |
nominated for series |
|
Ubuntu Groovy |
|
2021-02-19 09:15:06 |
Stefan Bader |
bug task added |
|
linux (Ubuntu Groovy) |
|
2021-02-19 09:15:29 |
Stefan Bader |
linux (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2021-02-19 09:15:29 |
Stefan Bader |
linux (Ubuntu Groovy): status |
New |
In Progress |
|
2021-02-19 09:15:41 |
Stefan Bader |
linux (Ubuntu Focal): importance |
Undecided |
Medium |
|
2021-02-19 09:15:41 |
Stefan Bader |
linux (Ubuntu Focal): status |
New |
Triaged |
|
2021-02-19 09:16:00 |
Stefan Bader |
linux (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2021-02-19 09:16:00 |
Stefan Bader |
linux (Ubuntu Bionic): status |
New |
Triaged |
|
2021-02-19 09:16:09 |
Stefan Bader |
linux (Ubuntu): status |
Triaged |
Fix Committed |
|
2021-02-19 09:16:13 |
Stefan Bader |
linux (Ubuntu): importance |
Undecided |
Medium |
|
2021-02-19 09:24:37 |
Stefan Bader |
linux (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
2021-02-19 15:27:21 |
Stefan Bader |
linux (Ubuntu Focal): status |
Triaged |
Fix Committed |
|
2021-02-24 13:20:22 |
Ubuntu Kernel Bot |
tags |
fr-797 patch |
fr-797 patch verification-needed-groovy |
|
2021-02-24 13:21:55 |
Ubuntu Kernel Bot |
tags |
fr-797 patch verification-needed-groovy |
fr-797 patch verification-needed-focal verification-needed-groovy |
|
2021-02-25 18:02:14 |
Tim Gardner |
affects |
linux (Ubuntu Groovy) |
linux-kvm (Ubuntu Groovy) |
|
2021-02-25 18:02:14 |
Tim Gardner |
linux-kvm (Ubuntu Groovy): status |
Fix Committed |
Confirmed |
|
2021-02-25 18:02:36 |
Tim Gardner |
affects |
linux-kvm (Ubuntu) |
linux (Ubuntu) |
|
2021-02-25 18:02:51 |
Tim Gardner |
linux (Ubuntu Groovy): status |
Confirmed |
Fix Committed |
|
2021-02-25 18:02:57 |
Tim Gardner |
linux (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2021-02-25 18:03:09 |
Tim Gardner |
bug task added |
|
linux-kvm (Ubuntu) |
|
2021-02-25 18:03:37 |
Tim Gardner |
linux-kvm (Ubuntu Groovy): status |
New |
Confirmed |
|
2021-02-25 18:03:43 |
Tim Gardner |
linux-kvm (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2021-02-25 18:03:47 |
Tim Gardner |
linux-kvm (Ubuntu Focal): importance |
Undecided |
Medium |
|
2021-02-25 18:03:51 |
Tim Gardner |
linux-kvm (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2021-02-25 18:03:56 |
Tim Gardner |
linux-kvm (Ubuntu Focal): status |
New |
Confirmed |
|
2021-02-25 18:04:01 |
Tim Gardner |
linux-kvm (Ubuntu Bionic): status |
New |
Confirmed |
|
2021-02-25 18:04:06 |
Tim Gardner |
linux-kvm (Ubuntu): status |
New |
Confirmed |
|
2021-02-25 23:59:35 |
Tim Gardner |
bug task added |
|
linux-gcp (Ubuntu) |
|
2021-02-26 00:00:53 |
Tim Gardner |
linux-gcp (Ubuntu): status |
New |
Confirmed |
|
2021-02-26 00:01:07 |
Tim Gardner |
linux-gcp (Ubuntu): importance |
Undecided |
Medium |
|
2021-02-26 00:01:29 |
Tim Gardner |
linux-gcp (Ubuntu Focal): importance |
Undecided |
Medium |
|
2021-02-26 00:01:29 |
Tim Gardner |
linux-gcp (Ubuntu Focal): status |
New |
Confirmed |
|
2021-03-08 15:29:09 |
Stefan Bader |
tags |
fr-797 patch verification-needed-focal verification-needed-groovy |
fr-797 patch verification-done-focal verification-needed-groovy |
|
2021-03-09 10:38:03 |
Stefan Bader |
tags |
fr-797 patch verification-done-focal verification-needed-groovy |
fr-797 patch verification-done-focal verification-done-groovy |
|
2021-03-15 08:16:01 |
Launchpad Janitor |
linux (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
2021-03-15 08:16:01 |
Launchpad Janitor |
cve linked |
|
2021-20194 |
|
2021-03-15 08:18:16 |
Launchpad Janitor |
linux-gcp (Ubuntu Groovy): status |
New |
Fix Released |
|
2021-03-15 08:19:05 |
Launchpad Janitor |
linux-kvm (Ubuntu Groovy): status |
Confirmed |
Fix Released |
|
2021-03-15 08:44:41 |
Launchpad Janitor |
linux (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-03-15 08:47:47 |
Launchpad Janitor |
linux-gcp (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
2021-03-15 08:50:48 |
Launchpad Janitor |
linux-kvm (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
2021-03-17 17:16:45 |
Launchpad Janitor |
linux-kvm (Ubuntu): status |
Confirmed |
Fix Released |
|
2021-03-17 17:16:45 |
Launchpad Janitor |
cve linked |
|
2020-27777 |
|
2021-03-17 17:16:45 |
Launchpad Janitor |
cve linked |
|
2020-28974 |
|
2021-03-17 23:04:16 |
Launchpad Janitor |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
2021-03-17 23:04:26 |
Launchpad Janitor |
linux-gcp (Ubuntu): status |
Confirmed |
Fix Released |
|
2021-03-25 15:23:27 |
Ubuntu Kernel Bot |
tags |
fr-797 patch verification-done-focal verification-done-groovy |
fr-797 patch verification-done-focal verification-done-groovy verification-needed-bionic |
|
2021-04-06 09:50:00 |
Stefan Bader |
tags |
fr-797 patch verification-done-focal verification-done-groovy verification-needed-bionic |
fr-797 patch verification-done-bionic verification-done-focal verification-done-groovy |
|
2021-04-12 15:17:02 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2021-04-12 15:17:02 |
Launchpad Janitor |
cve linked |
|
2018-13095 |
|
2021-04-12 15:17:02 |
Launchpad Janitor |
cve linked |
|
2021-3348 |
|
2021-04-12 15:28:37 |
Launchpad Janitor |
linux-kvm (Ubuntu Bionic): status |
Confirmed |
Fix Released |
|