| 2021-06-15 14:13:51 |
Dimitri John Ledkov |
bug |
|
|
added bug |
| 2021-06-15 15:34:51 |
Dimitri John Ledkov |
description |
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to pass revoked certificates to the kernel and depending on how good EFI firmware is this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates. |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to pass revoked certificates to the kernel and depending on how good EFI firmware is this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. |
|
| 2021-06-15 15:35:38 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to pass revoked certificates to the kernel and depending on how good EFI firmware is this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. |
|
| 2021-07-04 17:42:57 |
Ubuntu Kernel Bot |
tags |
|
verification-needed-focal |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Bionic |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Hirsute) |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Xenial |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Focal |
|
| 2021-08-04 15:45:10 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Focal) |
|
| 2021-08-05 12:29:08 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
|
| 2021-08-13 09:08:49 |
Stefan Bader |
linux (Ubuntu Hirsute): importance |
Undecided |
Medium |
|
| 2021-08-13 09:08:49 |
Stefan Bader |
linux (Ubuntu Hirsute): status |
New |
Fix Committed |
|
| 2021-08-13 09:26:47 |
Stefan Bader |
linux (Ubuntu): status |
New |
Fix Released |
|
| 2021-08-17 14:42:26 |
Ubuntu Kernel Bot |
tags |
verification-needed-focal |
verification-needed-focal verification-needed-hirsute |
|
| 2021-09-01 10:27:04 |
Dimitri John Ledkov |
tags |
verification-needed-focal verification-needed-hirsute |
verification-done-hirsute verification-needed-focal |
|
| 2021-09-01 10:34:22 |
Dimitri John Ledkov |
tags |
verification-done-hirsute verification-needed-focal |
verification-done-focal verification-done-hirsute |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
linux (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2020-26541 |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2021-3653 |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2021-3656 |
|
| 2021-09-11 05:20:15 |
AceLan Kao |
bug task added |
|
linux-oem-5.10 (Ubuntu) |
|
| 2021-09-11 05:20:30 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-09-11 05:20:56 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-09-11 05:21:22 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Focal): status |
New |
Fix Committed |
|
| 2021-09-11 05:21:39 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-09-11 05:22:16 |
AceLan Kao |
linux-oem-5.10 (Ubuntu): status |
New |
Invalid |
|
| 2021-09-27 12:22:44 |
Dimitri John Ledkov |
bug task added |
|
linux-azure-5.8 (Ubuntu) |
|
| 2021-09-27 12:22:54 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-09-27 12:23:23 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-09-27 12:23:33 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-09-27 12:23:43 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu): status |
New |
Invalid |
|
| 2021-09-27 13:16:17 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains assymetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
|
| 2021-09-27 13:17:32 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
For kernels v5.8 and lower, also backport mokvar table driver to surface MOK variables from the EFI config table that shim installs, instead of relying on runtime efivars.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
|
| 2021-09-27 13:26:44 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
For kernels v5.8 and lower, also backport mokvar table driver to surface MOK variables from the EFI config table that shim installs, instead of relying on runtime efivars.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
For kernels v5.8 and lower, also backport mokvar table driver to surface MOK variables from the EFI config table that shim installs, instead of relying on runtime efivars.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): TODO
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
|
| 2021-09-27 14:54:14 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
For kernels v5.8 and lower, also backport mokvar table driver to surface MOK variables from the EFI config table that shim installs, instead of relying on runtime efivars.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Test Plan v5.8 and lower]
For v5.8 and lower kernels mok table driver is backported to surface moktable variables
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): TODO
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): TODO
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
|
| 2021-09-27 16:06:58 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): TODO
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
|
| 2021-10-01 15:45:35 |
Dimitri John Ledkov |
description |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
Focal & v5.4: TODO
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
[Impact]
Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
Focal & v5.4: https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO |
|
| 2021-10-01 15:46:01 |
Dimitri John Ledkov |
merge proposal linked |
|
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374 |
|
| 2021-10-04 10:24:35 |
Launchpad Janitor |
linux-oem-5.10 (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-10-04 10:24:35 |
Launchpad Janitor |
cve linked |
|
2021-41073 |
|
| 2021-10-04 14:46:44 |
Stefan Bader |
bug task added |
|
linux-hwe-5.8 (Ubuntu) |
|
| 2021-10-04 14:46:58 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-10-04 14:47:15 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu): status |
New |
Invalid |
|
| 2021-10-04 14:47:33 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-10-04 14:47:33 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-10-04 14:47:54 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-10-04 14:48:28 |
Stefan Bader |
linux (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-10-04 14:48:28 |
Stefan Bader |
linux (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-10-04 14:48:53 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-10-04 14:58:05 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-10-13 23:46:34 |
Kelsey Steele |
linux (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
linux-azure-5.8 (Ubuntu Focal): status |
New |
Fix Released |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2019-19449 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2020-36311 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-22543 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-3612 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-3759 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-38199 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-38207 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-40490 |
|
| 2021-11-30 16:09:49 |
Kleber Sacilotto de Souza |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
| 2021-12-01 14:37:08 |
Ubuntu Kernel Bot |
tags |
verification-done-focal verification-done-hirsute |
verification-done-focal verification-done-hirsute verification-needed-bionic |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
cve linked |
|
2018-25020 |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
cve linked |
|
2021-4002 |
|
| 2022-01-04 14:28:24 |
Launchpad Janitor |
linux (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
