linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Bug #2019040 reported by Luca Boccassi
This bug affects 1 person
Affects                     Status         Importance  Assigned to  Milestone
linux (Ubuntu)              Fix Released   Medium      Tim Gardner
  Jammy                     Fix Released   Medium      Tim Gardner
  Kinetic                   Fix Committed  Medium      Tim Gardner
  Lunar                     Fix Released   Medium      Tim Gardner
  Mantic                    Fix Committed  Medium      Tim Gardner
linux-kvm (Ubuntu)          Invalid        Medium      Tim Gardner
  Jammy                     Fix Released   Medium      Tim Gardner
  Kinetic                   Invalid        Medium      Tim Gardner
  Lunar                     Fix Released   Medium      Tim Gardner
  Mantic                    Invalid        Medium      Tim Gardner
linux-meta-azure (Ubuntu)   Invalid        Undecided   Unassigned
  Jammy                     Invalid        Undecided   Unassigned
  Kinetic                   Invalid        Undecided   Unassigned
  Lunar                     Invalid        Undecided   Unassigned
  Mantic                    Invalid        Undecided   Unassigned
linux-meta-kvm (Ubuntu)     Invalid        Undecided   Unassigned
  Jammy                     Invalid        Undecided   Unassigned
  Kinetic                   Invalid        Undecided   Unassigned
  Lunar                     Invalid        Undecided   Unassigned
  Mantic                    Invalid        Undecided   Unassigned

Bug Description

SRU Justification

[Impact]

The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour.

[Fix]

Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY (this might not be necessary if the machine keyring implementation is patched to skip the check enabled by this kconfig)

(The latter two are needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)

These are already enabled in the 'main' kernel config, and in other distros.

As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

To verify whether this works, add a certificate to MOK, boot and check the content of the secondary keyring. The machine keyring should show up under it, and it should show the certificates loaded in MOK. E.g.:

$ sudo keyctl show %:.secondary_trusted_keys
Keyring
 159454604 ---lswrv 0 0 keyring: .secondary_trusted_keys
  88754641 ---lswrv 0 0 \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 799434660 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
 541326986 ---lswrv 0 0 \_ keyring: .machine
 188508854 ---lswrv 0 0 \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 475039424 ---lswrv 0 0 \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479

[Regression Potential]

MOK keys may not be correctly read.
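
The verification step above can be automated, shown here as an added example (not part of the original report): it reads `keyctl show` output, confirms that `.machine` is linked directly under `.secondary_trusted_keys`, and lists the certificates inside it. The function names are hypothetical, and the samples reuse the listing above with keyctl's tree indentation restored as an assumption.

```shell
#!/bin/sh
# machine_keyring_certs: reads `keyctl show %:.secondary_trusted_keys` output
# on stdin and prints the description of every asymmetric key held directly
# in the .machine keyring.
# Exit status: 0 = .machine linked and holds at least one certificate
#              1 = .machine is not linked under the root keyring
#              2 = .machine is linked but empty (MOK keys were not loaded)
machine_keyring_certs() {
    awk '
    {
        pos = index($0, "\\_")             # column of the tree marker
        if (pos == 0) next                 # header line and root keyring
        if (!top) top = pos                # column used by direct children
        entry = substr($0, pos + 3)        # text after the marker and space
        if (in_machine) {
            if (pos <= machine_col) {
                in_machine = 0             # left the .machine subtree
            } else {
                if (!child) child = pos
                if (pos == child && entry ~ /^asymmetric: /) {
                    print substr(entry, 13)
                    n++
                }
                next
            }
        }
        if (pos == top && entry == "keyring: .machine") {
            linked = 1; in_machine = 1; machine_col = pos
        }
    }
    END { exit (!linked ? 1 : (n ? 0 : 2)) }
    '
}

# Sample modelled on the listing in the description (indentation assumed).
sample_keyctl_fixed() {
cat <<'EOF'
Keyring
 159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
  88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 799434660 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
 541326986 ---lswrv      0     0   \_ keyring: .machine
 188508854 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 475039424 ---lswrv      0     0       \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479
EOF
}

# Constructed sample: a kernel without the machine keyring linked in.
sample_keyctl_no_machine() {
cat <<'EOF'
Keyring
 159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
  88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
EOF
}

# Demo on the embedded sample. On a real machine, pipe in the output of:
#   sudo keyctl show %:.secondary_trusted_keys
sample_keyctl_fixed | machine_keyring_certs
```

Exit status 2 corresponds to the regression named above: the keyring exists but the MOK certificates were not read into it.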

Luca Boccassi (bluca) wrote :

Also, please enable CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING on the cloud kernels - especially I am interested in the Azure one. Same reason as above - the other options are already enabled there.

Luca Boccassi (bluca)
summary: - linux-kvm: please enable dm-verity kconfigs
+ linux-*: please enable dm-verity kconfigs to allow MoK/db verified root
+ images
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 2019040

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Luca Boccassi (bluca) wrote :

There's no specific log to share, I've downloaded the kconfig for the kvm flavour from the linux-buildinfo-6.2.0-1003-kvm_6.2.0-1003.3_amd64.deb package, extracted usr/lib/linux/6.2.0-1003-kvm/config and checked for these kconfigs, and they are not present:

$ grep DM_VERITY config
# CONFIG_DM_VERITY is not set
$ grep IMA_ARCH config
$
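
The check described in this comment, as an added example (not part of the original comment or of any Ubuntu tooling): a plain `grep DM_VERITY` also matches longer option names and cannot tell an explicitly disabled option from one missing from the file, so this script matches each option from the bug description exactly and reports `y`, `m`, `unset` or `absent`. The function names and both sample configs are constructed for illustration, and treating CONFIG_IMA_ARCH_POLICY as advisory is an assumption based on the description's remark that it might not be necessary.

```shell
#!/bin/sh
# Options requested in the bug description.
VERITY_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY"

# kconfig_state FILE OPTION
# Prints the option's value (y, m, ...), "unset" for an explicit
# "# OPTION is not set" line, or "absent" when the option is not mentioned
# at all (typical for options whose dependencies are disabled).
kconfig_state() {
    awk -v opt="$2" '
        $0 == ("# " opt " is not set") { state = "unset" }
        index($0, (opt "=")) == 1      { state = substr($0, length(opt) + 2) }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# check_verity_kconfigs FILE
# Prints one "OPTION state" line per option. Returns 1 if any option other
# than CONFIG_IMA_ARCH_POLICY (advisory, an assumption) is not y or m.
check_verity_kconfigs() {
    rc=0
    for opt in $VERITY_KCONFIGS; do
        state=$(kconfig_state "$1" "$opt")
        printf '%s %s\n' "$opt" "$state"
        case $state in
            y|m) ;;
            *) [ "$opt" = CONFIG_IMA_ARCH_POLICY ] || rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a config like the kvm flavour described in the comment.
sample_kvm_config() {
cat <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_VERITY is not set
CONFIG_SECONDARY_TRUSTED_KEYRING=y
EOF
}

# Constructed sample: a config with the requested options enabled.
sample_fixed_config() {
cat <<'EOF'
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
# CONFIG_DM_VERITY_FEC is not set
CONFIG_INTEGRITY_MACHINE_KEYRING=y
EOF
}

# Demo on the embedded samples. For a real kernel, pass /boot/config-$(uname -r)
# or the config file extracted from a linux-buildinfo package.
demo=$(mktemp -d)
sample_kvm_config >"$demo/config-kvm"
sample_fixed_config >"$demo/config-fixed"
check_verity_kconfigs "$demo/config-kvm" || echo "kvm sample: required options missing"
check_verity_kconfigs "$demo/config-fixed" && echo "fixed sample: required options enabled"
rm -rf "$demo"
```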

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tim Gardner (timg-tpi)
Changed in linux-meta-azure (Ubuntu):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: Confirmed → In Progress
Changed in linux (Ubuntu Jammy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Kinetic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
description: updated
Tim Gardner (timg-tpi)
Changed in linux-kvm (Ubuntu Jammy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Kinetic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Mantic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-meta-azure (Ubuntu Jammy):
status: New → Invalid
Changed in linux-meta-azure (Ubuntu Kinetic):
status: New → Invalid
Tim Gardner (timg-tpi) wrote :

Submitted patches for review: https://lists.ubuntu.com/archives/kernel-team/2023-May/139435.html

Note that the proposed patches do not include IMA_ARCH given the performance impacts that option imposes.

Luca Boccassi (bluca) wrote :

Thank you!

Do you have details about the performance impact of IMA_ARCH?

Luca Boccassi (bluca) wrote :

Hi, any update on these config changes? Have they been queued?

Stefan Bader (smb)
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Kinetic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-77.84 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux verification-needed-jammy
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.2.0-25.25 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux verification-needed-lunar
Luca Boccassi (bluca) wrote :

linux-generic looks good, thanks. Will the changes to linux-kvm and linux-azure be merged separately later?

tags: added: verification-done-jammy verification-done-lunar
removed: verification-needed-jammy verification-needed-lunar
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.19.0-47.49 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-kinetic-linux verification-needed-kinetic
Luca Boccassi (bluca)
tags: added: verification-done-kinetic
removed: verification-needed-kinetic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.2.0-25.25

---------------
linux (6.2.0-25.25) lunar; urgency=medium

  * lunar/linux: 6.2.0-25.25 -proposed tracker (LP: #2024167)

  * ftrace in ubuntu_kernel_selftests failed with "check if duplicate events are
    caught" on J-5.15 P9 / J-kvm / L-kvm (LP: #1977827)
    - SAUCE: selftests/ftrace: Add test dependency

  * Add microphone support of the front headphone port on P3 Tower
    (LP: #2023650)
    - ALSA: hda/realtek: Add Lenovo P3 Tower platform

  * Add audio support for ThinkPad P1 Gen 6 and Z16 Gen 2 (LP: #2023539)
    - ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6

  * Fix Disable thunderbolt clx make edp-monitor garbage while moving the
    touchpad (LP: #2023004)
    - drm/i915: Use 18 fast wake AUX sync len

  * Fix Monitor lost after replug WD19TBS to SUT port with VGA/DVI to type-C
    dongle (LP: #2021949)
    - thunderbolt: Increase timeout of DP OUT adapter handshake
    - thunderbolt: Do not touch CL state configuration during discovery
    - thunderbolt: Increase DisplayPort Connection Manager handshake timeout

  * Enable Tracing Configs for OSNOISE and TIMERLAT (LP: #2018591)
    - [Config] Enable OSNOISE_TRACER and TIMERLAT_TRACER configs

  * Fix only reach PC3 when ethernet is plugged r8169 (LP: #1946433)
    - r8169: use spinlock to protect mac ocp register access
    - r8169: use spinlock to protect access to registers Config2 and Config5
    - r8169: enable cfg9346 config register access in atomic context
    - r8169: prepare rtl_hw_aspm_clkreq_enable for usage in atomic context
    - r8169: disable ASPM during NAPI poll
    - r8169: remove ASPM restrictions now that ASPM is disabled during NAPI poll

  * introduce do_lib_rust=true|false to enable/disable linux-lib-rust package
    (LP: #2021605)
    - [Packaging] introduce do_lib_rust and enable it only on generic amd64

  * System either hang with black screen or rebooted on entering suspend on AMD
    Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics (LP: #2020685)
    - drm/amdgpu: refine get gpu clock counter method
    - drm/amdgpu/gfx11: update gpu_clock_counter logic

  * generate linux-lib-rust only on amd64 (LP: #2020356)
    - [Packaging] generate linux-lib-rust only on amd64

  * No HDMI/DP audio output on dock(Nvidia GPU) (LP: #2020062)
    - ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table

  * Add support for mdev_set_iommu_device() kABI in Ubuntu 22.10 kernel
    (LP: #1988806)
    - SAUCE: Add mdev_set_iommu_device() kABI.

  * Enable audio LEDs on HP laptops (LP: #2019915)
    - ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop
    - ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop

  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root
    images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

  * Lunar update: v6.2.13 upstream stable release (LP: #2023929)
    - ARM: dts: rockchip: fix a typo error for rk3288 spdif node
    - arm64: dts: rockchip: Lower sd speed on rk3566-soquartz
    - arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
    - arm64: dts: qcom: ipq8074-hk10: ...

Changed in linux (Ubuntu Lunar):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 6.2.0-1008.8

---------------
linux-kvm (6.2.0-1008.8) lunar; urgency=medium

  * lunar/linux-kvm: 6.2.0-1008.8 -proposed tracker (LP: #2025454)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper

  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root
    images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY=m

Changed in linux-kvm (Ubuntu Lunar):
status: In Progress → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-riscv/6.2.0-27.28.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-riscv verification-needed-lunar
removed: verification-done-lunar
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.2.0-1009.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-lunar-linux-azure
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-6.2/6.2.0-26.26~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-hwe-6.2 verification-needed-jammy
removed: verification-done-jammy
Stefan Bader (smb) wrote :

Not quite sure why this got re-activated for 6.2 backport kernels. Should already be handled for Lunar originals but for completeness:

$ dpkg -x linux-buildinfo-6.2.0-26-generic_6.2.0-26.26~22.04.1_amd64.deb unpack
$ grep VERITY_VERIFY unpack/usr/lib/linux/6.2.0-26-generic/config
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

tags: added: verification-done-jammy
removed: verification-needed-jammy
tags: added: verification-done-lunar
removed: verification-needed-lunar
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra-igx/5.15.0-1002.2 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra-igx verification-needed-jammy
removed: verification-done-jammy
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra-5.15/5.15.0-1016.16~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-nvidia-tegra-5.15 verification-needed-focal
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-tegra/5.15.0-1016.16 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-tegra
Luca Boccassi (bluca)
description: updated
description: updated
Luca Boccassi (bluca)
description: updated
description: updated
Christian Ehrhardt (paelzer) wrote :

@all
First I checked with Luca and understood that he considers it generally good to enable those options, but his immediate need atm is on azure.

@Luca
I talked to a friend (thanks Gauthier) about having a look at these options in the current azure kernel. At least there, on current lunar, the options seem to be already in place:

ubuntu@lunar:~$ uname -r
6.2.0-1008-azure
ubuntu@lunar:~$ grep -i dm_verity /boot/config-6.2.0-1008-azure
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
# CONFIG_DM_VERITY_FEC is not set
ubuntu@lunar:~$ grep -i CONFIG_IMA_ARCH_POLICY /boot/config-6.2.0-1008-azure
CONFIG_IMA_ARCH_POLICY=y

Luca Boccassi (bluca) wrote :

Excellent, thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.15.0-79.86

---------------
linux (5.15.0-79.86) jammy; urgency=medium

  * jammy/linux: 5.15.0-79.86 -proposed tracker (LP: #2026531)

  * Jammy update: v5.15.111 upstream stable release (LP: #2025095)
    - ASOC: Intel: sof_sdw: add quirk for Intel 'Rooks County' NUC M15
    - ASoC: soc-pcm: fix hw->formats cleared by soc_pcm_hw_init() for dpcm
    - x86/hyperv: Block root partition functionality in a Confidential VM
    - iio: adc: palmas_gpadc: fix NULL dereference on rmmod
    - ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750
    - selftests mount: Fix mount_setattr_test builds failed
    - asm-generic/io.h: suppress endianness warnings for readq() and writeq()
    - x86/cpu: Add model number for Intel Arrow Lake processor
    - wireguard: timers: cast enum limits members to int in prints
    - wifi: mt76: mt7921e: Set memory space enable in PCI_COMMAND if unset
    - arm64: Always load shadow stack pointer directly from the task struct
    - arm64: Stash shadow stack pointer in the task struct on interrupt
    - PCI: pciehp: Fix AB-BA deadlock between reset_lock and device_lock
    - PCI: qcom: Fix the incorrect register usage in v2.7.0 config
    - IMA: allow/fix UML builds
    - USB: dwc3: fix runtime pm imbalance on probe errors
    - USB: dwc3: fix runtime pm imbalance on unbind
    - hwmon: (k10temp) Check range scale when CUR_TEMP register is read-write
    - hwmon: (adt7475) Use device_property APIs when configuring polarity
    - posix-cpu-timers: Implement the missing timer_wait_running callback
    - blk-mq: release crypto keyslot before reporting I/O complete
    - blk-crypto: make blk_crypto_evict_key() return void
    - blk-crypto: make blk_crypto_evict_key() more robust
    - ext4: use ext4_journal_start/stop for fast commit transactions
    - staging: iio: resolver: ads1210: fix config mode
    - tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
    - xhci: fix debugfs register accesses while suspended
    - tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem
    - MIPS: fw: Allow firmware to pass a empty env
    - ipmi:ssif: Add send_retries increment
    - ipmi: fix SSIF not responding under certain cond.
    - kheaders: Use array declaration instead of char
    - wifi: mt76: add missing locking to protect against concurrent rx/status
      calls
    - pwm: meson: Fix axg ao mux parents
    - pwm: meson: Fix g12a ao clk81 name
    - soundwire: qcom: correct setting ignore bit on v1.5.1
    - pinctrl: qcom: lpass-lpi: set output value before enabling output
    - ring-buffer: Sync IRQ works before buffer destruction
    - crypto: api - Demote BUG_ON() in crypto_unregister_alg() to a WARN_ON()
    - crypto: safexcel - Cleanup ring IRQ workqueues on load failure
    - rcu: Avoid stack overflow due to __rcu_irq_enter_check_tick() being kprobe-
      ed
    - reiserfs: Add security prefix to xattr name in reiserfs_security_write()
    - KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted
    - relayfs: fix out-of-bounds access in relay_file_read
    - writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs
 ...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 5.15.0-1039.44

---------------
linux-kvm (5.15.0-1039.44) jammy; urgency=medium

  * jammy/linux-kvm: 5.15.0-1039.44 -proposed tracker (LP: #2026519)

  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root
    images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY=m
    - [Config] kvm: updateconfigs for CONFIG_DM_VERITY

  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
    - [Packaging] resync getabis

  * Miscellaneous Ubuntu changes
    - [Config] kvm: updateconfigs for ns module merger

Changed in linux-kvm (Ubuntu Jammy):
status: In Progress → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws/5.15.0-1044.49 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-aws' to 'verification-done-jammy-linux-aws'. If the problem still exists, change the tag 'verification-needed-jammy-linux-aws' to 'verification-failed-jammy-linux-aws'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-aws-v2 verification-needed-jammy-linux-aws
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/5.15.0-1046.53 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-azure' to 'verification-done-jammy-linux-azure'. If the problem still exists, change the tag 'verification-needed-jammy-linux-azure' to 'verification-failed-jammy-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-azure-v2 verification-needed-jammy-linux-azure
Luca Boccassi (bluca)
tags: removed: verification-needed-focal verification-needed-jammy verification-needed-jammy-linux-aws verification-needed-jammy-linux-azure
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-aws-5.15/5.15.0-1046.51~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-done-focal-linux-aws-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-failed-focal-linux-aws-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-aws-5.15-v2 verification-needed-focal-linux-aws-5.15
Luca Boccassi (bluca)
tags: removed: verification-needed-focal-linux-aws-5.15
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-xilinx-zynqmp/5.15.0-1024.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-done-jammy-linux-xilinx-zynqmp'. If the problem still exists, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-failed-jammy-linux-xilinx-zynqmp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-xilinx-zynqmp-v2 verification-needed-jammy-linux-xilinx-zynqmp
Stefan Bader (smb)
Changed in linux (Ubuntu Mantic):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Mantic):
status: In Progress → Invalid
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux' to 'verification-done-mantic-linux'. If the problem still exists, change the tag 'verification-needed-mantic-linux' to 'verification-failed-mantic-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux
Tim Gardner (timg-tpi)
tags: added: verification-done-mantic-linux
removed: verification-needed-mantic-linux
Tim Gardner (timg-tpi)
tags: added: verification-done-jammy-linux-xilinx-zynqmp
removed: verification-needed-jammy-linux-xilinx-zynqmp
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-laptop/6.5.0-1007.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-done-mantic-linux-laptop'. If the problem still exists, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-failed-mantic-linux-laptop'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-mantic-linux-laptop-v2 verification-needed-mantic-linux-laptop
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-gcp/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-done-mantic-linux-gcp'. If the problem still exists, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-failed-mantic-linux-gcp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-mantic-linux-gcp-v2 verification-needed-mantic-linux-gcp
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-azure/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-azure' to 'verification-done-mantic-linux-azure'. If the problem still exists, change the tag 'verification-needed-mantic-linux-azure' to 'verification-failed-mantic-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-mantic-linux-azure-v2 verification-needed-mantic-linux-azure
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-6.5/6.5.0-14.14~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-done-jammy-linux-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-failed-jammy-linux-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-hwe-6.5-v2 verification-needed-jammy-linux-hwe-6.5
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-nvidia-6.5/6.5.0-1007.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-done-jammy-linux-nvidia-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-failed-jammy-linux-nvidia-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-nvidia-6.5-v2 verification-needed-jammy-linux-nvidia-6.5
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 6.6.0-14.14

---------------
linux (6.6.0-14.14) noble; urgency=medium

  * noble/linux: 6.6.0-14.14 -proposed tracker (LP: #2045243)

  * Noble update: v6.6.3 upstream stable release (LP: #2045244)
    - locking/ww_mutex/test: Fix potential workqueue corruption
    - btrfs: abort transaction on generation mismatch when marking eb as dirty
    - lib/generic-radix-tree.c: Don't overflow in peek()
    - x86/retpoline: Make sure there are no unconverted return thunks due to KCSAN
    - perf/core: Bail out early if the request AUX area is out of bound
    - srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
    - selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
    - clocksource/drivers/timer-imx-gpt: Fix potential memory leak
    - clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
    - srcu: Only accelerate on enqueue time
    - smp,csd: Throw an error if a CSD lock is stuck for too long
    - cpu/hotplug: Don't offline the last non-isolated CPU
    - workqueue: Provide one lock class key per work_on_cpu() callsite
    - x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
    - wifi: plfxlc: fix clang-specific fortify warning
    - wifi: ath12k: Ignore fragments from uninitialized peer in dp
    - wifi: mac80211_hwsim: fix clang-specific fortify warning
    - wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
    - atl1c: Work around the DMA RX overflow issue
    - bpf: Detect IP == ksym.end as part of BPF program
    - wifi: ath9k: fix clang-specific fortify warnings
    - wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()
    - wifi: ath10k: fix clang-specific fortify warning
    - wifi: ath12k: fix possible out-of-bound write in
      ath12k_wmi_ext_hal_reg_caps()
    - ACPI: APEI: Fix AER info corruption when error status data has multiple
      sections
    - net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI
    - wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023)
    - wifi: mt76: fix clang-specific fortify warnings
    - net: annotate data-races around sk->sk_tx_queue_mapping
    - net: annotate data-races around sk->sk_dst_pending_confirm
    - wifi: ath12k: mhi: fix potential memory leak in ath12k_mhi_register()
    - wifi: ath10k: Don't touch the CE interrupt registers after power up
    - net: sfp: add quirk for FS's 2.5G copper SFP
    - vsock: read from socket's error queue
    - bpf: Ensure proper register state printing for cond jumps
    - wifi: iwlwifi: mvm: fix size check for fw_link_id
    - Bluetooth: btusb: Add date->evt_skb is NULL check
    - Bluetooth: Fix double free in hci_conn_cleanup
    - ACPI: EC: Add quirk for HP 250 G7 Notebook PC
    - tsnep: Fix tsnep_request_irq() format-overflow warning
    - gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010
    - platform/chrome: kunit: initialize lock for fake ec_dev
    - of: address: Fix address translation when address-size is greater than 2
    - platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
    - drm/gma500: Fix call trace when psb_gem_mm_init() fails
    - drm/amdkfd: rateli...

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-lowlatency-hwe-6.5/6.5.0-14.14.1~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-done-jammy-linux-lowlatency-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-failed-jammy-linux-lowlatency-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-jammy-linux-lowlatency-hwe-6.5-v2 verification-needed-jammy-linux-lowlatency-hwe-6.5
Changed in linux-meta-azure (Ubuntu Lunar):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Jammy):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Kinetic):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Lunar):
status: New → Invalid
Changed in linux-kvm (Ubuntu Kinetic):
status: In Progress → Invalid
Roxana Nicolescu (roxanan) wrote :

This bug VT is a mess.. Nevertheless.

Jammy:lowlatency-hwe-6.5
./amd64-config.flavour.lowlatency:3084:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
./amd64-config.flavour.lowlatency:3085:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

tags: added: verification-done-jammy-linux-lowlatency-hwe-6.5
removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
tags: added: verification-done-jammy-linux-hwe-6.5 verification-needed-jammy-linux-lowlatency-hwe-6.5
removed: verification-done-jammy-linux-lowlatency-hwe-6.5 verification-needed-jammy-linux-hwe-6.5
Roxana Nicolescu (roxanan) wrote :

Jammy:hwe-6.5
CONFIGS/amd64-config.flavour.generic:3079:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.generic:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

Roxana Nicolescu (roxanan) wrote :

jammy:nvidia-6.5
CONFIGS/amd64-config.flavour.nvidia:3079:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.nvidia:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

tags: added: verification-done-jammy-linux-nvidia-6.5
removed: verification-needed-jammy-linux-nvidia-6.5
tags: added: verification-done-jammy-linux-lowlatency-hwe-6.5
removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
Roxana Nicolescu (roxanan) wrote :

mantic:linux-azure
CONFIGS/amd64-config.flavour.azure:2785:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.azure:2786:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

tags: added: verification-done-mantic-linux-azure
removed: verification-needed-mantic-linux-azure
tags: added: verification-done-mantic-linux-gcp verification-done-mantic-linux-laptop
removed: verification-needed-mantic-linux-gcp verification-needed-mantic-linux-laptop
Roxana Nicolescu (roxanan) wrote :

mantic:linux-gcp
CONFIGS/amd64-config.flavour.gcp:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.gcp:3081:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

Roxana Nicolescu (roxanan) wrote :

mantic:linux-laptop
CONFIGS/arm64-config.flavour.laptop:3151:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/arm64-config.flavour.laptop:3152:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
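
The verification comments above grep each flavour's config for two of the options. As an added example (not part of the bug thread and not Ubuntu's own tooling), this shell function checks a config file for all five kconfigs named in the bug description; treating all five as required is an assumption, and the function names and sample config are constructed.

```shell
#!/bin/sh
# Option names are taken from the bug description's [Fix] section.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY"

# check_verity_kconfigs FILE (hypothetical helper)
# Prints "<option> <state>" per option, where state is y, m or "missing"
# (absent, or present only as "# CONFIG_X is not set").
# Returns 0 only when every option is enabled.
check_verity_kconfigs() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_KCONFIGS; do
        # Match the whole line so CONFIG_DM_VERITY does not also match
        # CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG.
        val=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$cfg" | tail -n 1)
        if [ -z "$val" ]; then
            val=missing
            rc=1
        fi
        printf '%s %s\n' "$opt" "$val"
    done
    return $rc
}

# Constructed sample: a flavour config with dm-verity enabled but without
# the keyring options that let MoK keys verify the root hash signature.
sample_config() {
    cat <<'EOF'
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
CONFIG_IMA_ARCH_POLICY=y
EOF
}

# Run against a real config when a path is given, e.g. /boot/config-$(uname -r)
if [ "$#" -gt 0 ]; then
    check_verity_kconfigs "$1"
fi
```
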
