[Impact]
* Currently the Canonical Livepatch service signs kernel modules that are not trusted by the default Ubuntu kernels.
* To make the Canonical Livepatch service compatible with SecureBoot out of the box, please add the Canonical Livepatch service key as trusted in the kernel by default.
* If a user wants to distrust the key, they can remove it via mokx, dbx, and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that the Livepatch key is trusted
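One way to script the keyring check above (an added example, not part of the original bug report). It assumes the keyutils `keyctl` tool is installed; the function names and the key description "Example Live Patch Signing" are constructed for illustration, so pass the real key description as the pattern.

```shell
#!/bin/sh
# Added example: verify that a key is present in the kernel's built-in
# trusted keyring after boot.

# key_in_listing PATTERN
# Reads `keyctl list` output on stdin. Succeeds (exit 0) only if an
# asymmetric key whose description contains PATTERN is listed.
key_in_listing() {
    awk -v pat="$1" '
        # Key lines: " <serial>: <perms> <uid> <gid> asymmetric: <description>"
        index($0, " asymmetric: ") {
            desc = substr($0, index($0, " asymmetric: ") + 13)
            if (index(desc, pat)) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_builtin_keyring PATTERN
# Queries the running kernel. Returns 0 if trusted, 1 if absent,
# 2 if the keyring could not be read at all.
check_builtin_keyring() {
    command -v keyctl >/dev/null 2>&1 || {
        echo "keyctl not installed" >&2; return 2; }
    listing=$(keyctl list %:.builtin_trusted_keys 2>/dev/null) || {
        echo "cannot read .builtin_trusted_keys" >&2; return 2; }
    printf '%s\n' "$listing" | key_in_listing "$1"
}

# Constructed sample listing (not real output from an Ubuntu kernel).
SAMPLE_LISTING='2 keys in keyring:
 111111111: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 0123abcd
 222222222: ---lswrv     0     0 asymmetric: Example Live Patch Signing: 4567ef01'

# Demonstration on the constructed sample; on a booted system call
# check_builtin_keyring "<key description>" instead.
if printf '%s\n' "$SAMPLE_LISTING" | key_in_listing "Live Patch Signing"; then
    echo "sample: key is in the built-in keyring"
fi
```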
[Regression Potential]
* The kernel keyring size will increase by one key, and thus the kernel image size will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses DER format:
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
The kernel uses PEM format:
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA