SecureBoot support for arm64

Bug #1804481 reported by dann frazier on 2018-11-21
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
dann frazier
Bionic
Undecided
dann frazier
Cosmic
Undecided
dann frazier
Disco
Undecided
dann frazier
linux-meta (Ubuntu)
Undecided
dann frazier
Bionic
Undecided
dann frazier
Cosmic
Undecided
dann frazier
Disco
Undecided
dann frazier
linux-signed (Ubuntu)
Undecided
dann frazier
Bionic
Undecided
dann frazier
Cosmic
Undecided
dann frazier
Disco
Undecided
dann frazier
linux-signed-hwe (Ubuntu)
Undecided
Unassigned
Bionic
Critical
Unassigned
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned
linux-signed-hwe-edge (Ubuntu)
Undecided
Unassigned
Bionic
Critical
dann frazier
Cosmic
Undecided
Unassigned
Disco
Undecided
Unassigned
shim (Ubuntu)
Undecided
dann frazier
Bionic
Undecided
dann frazier
Cosmic
Undecided
dann frazier
Disco
Undecided
dann frazier
shim-signed (Ubuntu)
Undecided
dann frazier
Bionic
Undecided
dann frazier
Cosmic
Undecided
dann frazier
Disco
Undecided
dann frazier

Bug Description

[Impact]
Ubuntu does not currently support SecureBoot for UEFI systems on arm64 platforms.

[Test Case]
See: https://wiki.ubuntu.com/UEFI/SecureBoot/Testing

[Fix]
- Introduce shim-signed for arm64
- Introduce grub-signed for arm64
- Produce signed linux kernels

[Regression Risk]
We're enabling new signed packages - regressions would most likely fall into packaging issues.

CVE References

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1804481

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
dann frazier (dannf) on 2018-11-21
Changed in shim (Ubuntu Disco):
status: New → Fix Released
Changed in shim-signed (Ubuntu Disco):
status: New → Fix Released
Changed in shim (Ubuntu Cosmic):
status: New → Fix Released
Changed in shim (Ubuntu Bionic):
status: New → Fix Released
Changed in linux (Ubuntu Disco):
status: Incomplete → In Progress
assignee: nobody → dann frazier (dannf)
Changed in linux (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux (Ubuntu Cosmic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux-meta (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux-meta (Ubuntu Cosmic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux-meta (Ubuntu Disco):
assignee: nobody → dann frazier (dannf)
status: New → In Progress
Changed in linux-signed (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux-signed (Ubuntu Cosmic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in linux-signed (Ubuntu Disco):
assignee: nobody → dann frazier (dannf)
status: New → In Progress
Changed in shim-signed (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in shim-signed (Ubuntu Cosmic):
assignee: nobody → dann frazier (dannf)
status: New → Triaged
Changed in shim-signed (Ubuntu Disco):
assignee: nobody → dann frazier (dannf)
Changed in shim (Ubuntu Bionic):
assignee: nobody → dann frazier (dannf)
dann frazier (dannf) on 2018-11-21
Changed in shim (Ubuntu Cosmic):
assignee: nobody → dann frazier (dannf)
Changed in shim (Ubuntu Disco):
assignee: nobody → dann frazier (dannf)
Seth Forshee (sforshee) on 2019-01-31
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux-signed (Ubuntu Disco):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 4.19.0-12.13

---------------
linux-signed (4.19.0-12.13) disco; urgency=medium

  * Master version: 4.19.0-12.13

 -- Seth Forshee <email address hidden> Mon, 28 Jan 2019 15:40:56 -0600

Changed in linux-signed (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (14.1 KiB)

This bug was fixed in the package linux - 4.19.0-12.13

---------------
linux (4.19.0-12.13) disco; urgency=medium

  * linux: 4.19.0-12.13 -proposed tracker (LP: #1813664)

  * kernel oops in bcache module (LP: #1793901)
    - SAUCE: bcache: never writeback a discard operation

  * Disco update: 4.19.18 upstream stable release (LP: #1813611)
    - ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address
    - mlxsw: spectrum: Disable lag port TX before removing it
    - mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion
    - net: dsa: mv88x6xxx: mv88e6390 errata
    - net, skbuff: do not prefer skb allocation fails early
    - qmi_wwan: add MTU default to qmap network interface
    - ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
    - net: clear skb->tstamp in bridge forwarding path
    - netfilter: ipset: Allow matching on destination MAC address for mac and
      ipmac sets
    - gpio: pl061: Move irq_chip definition inside struct pl061
    - drm/amd/display: Guard against null stream_state in set_crc_source
    - drm/amdkfd: fix interrupt spin lock
    - ixgbe: allow IPsec Tx offload in VEPA mode
    - platform/x86: asus-wmi: Tell the EC the OS will handle the display off
      hotkey
    - e1000e: allow non-monotonic SYSTIM readings
    - usb: typec: tcpm: Do not disconnect link for self powered devices
    - selftests/bpf: enable (uncomment) all tests in test_libbpf.sh
    - of: overlay: add missing of_node_put() after add new node to changeset
    - writeback: don't decrement wb->refcnt if !wb->bdi
    - serial: set suppress_bind_attrs flag only if builtin
    - bpf: Allow narrow loads with offset > 0
    - ALSA: oxfw: add support for APOGEE duet FireWire
    - x86/mce: Fix -Wmissing-prototypes warnings
    - MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur
    - crypto: ecc - regularize scalar for scalar multiplication
    - arm64: perf: set suppress_bind_attrs flag to true
    - drm/atomic-helper: Complete fake_commit->flip_done potentially earlier
    - clk: meson: meson8b: fix incorrect divider mapping in cpu_scale_table
    - samples: bpf: fix: error handling regarding kprobe_events
    - usb: gadget: udc: renesas_usb3: add a safety connection way for
      forced_b_device
    - fpga: altera-cvp: fix probing for multiple FPGAs on the bus
    - selinux: always allow mounting submounts
    - ASoC: pcm3168a: Don't disable pcm3168a when CONFIG_PM defined
    - scsi: qedi: Check for session online before getting iSCSI TLV data.
    - drm/amdgpu: Reorder uvd ring init before uvd resume
    - rxe: IB_WR_REG_MR does not capture MR's iova field
    - efi/libstub: Disable some warnings for x86{,_64}
    - jffs2: Fix use of uninitialized delayed_work, lockdep breakage
    - clk: imx: make mux parent strings const
    - pstore/ram: Do not treat empty buffers as valid
    - media: uvcvideo: Refactor teardown of uvc on USB disconnect
    - powerpc/xmon: Fix invocation inside lock region
    - powerpc/pseries/cpuidle: Fix preempt warning
    - media: firewire: Fix app_info parameter type in avc_ca{,_app}_info
    - ASoC: use dma_ops of parent device for acp_audio_dma
    - media: ve...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
dann frazier (dannf) wrote :

These changes were committed after 4.19.0-12.13

Changed in linux-signed (Ubuntu Disco):
status: Fix Released → Fix Committed
Changed in linux (Ubuntu Disco):
status: Fix Released → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed - 4.19.0-13.14

---------------
linux-signed (4.19.0-13.14) disco; urgency=medium

  * Master version: 4.19.0-13.14

  * SecureBoot support for arm64 (LP: #1804481)
    - support recompression of signed kernels
    - Add support for arm64

  * Miscellaneous Ubuntu changes
    - [Packaging] download-signed -- fix downloader component and handle versions
      correctly
    - Add missing dbgsym package for snapdragon.

 -- Seth Forshee <email address hidden> Thu, 07 Feb 2019 15:34:50 -0600

Changed in linux-signed (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (12.4 KiB)

This bug was fixed in the package linux - 4.19.0-13.14

---------------
linux (4.19.0-13.14) disco; urgency=medium

  * linux: 4.19.0-13.14 -proposed tracker (LP: #1815103)

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * [Packaging] Allow overlay of config annotations (LP: #1752072)
    - [Packaging] config-check: Add an include directive

  * Disco update: 4.19.20 upstream stable release (LP: #1815090)
    - Fix "net: ipv4: do not handle duplicate fragments as overlapping"
    - drm/msm/gpu: fix building without debugfs
    - ipv6: Consider sk_bound_dev_if when binding a socket to an address
    - ipv6: sr: clear IP6CB(skb) on SRH ip4ip6 encapsulation
    - ipvlan, l3mdev: fix broken l3s mode wrt local routes
    - l2tp: copy 4 more bytes to linear part if necessary
    - l2tp: fix reading optional fields of L2TPv3
    - net: ip_gre: always reports o_key to userspace
    - net: ip_gre: use erspan key field for tunnel lookup
    - net/mlx4_core: Add masking for a few queries on HCA caps
    - netrom: switch to sock timer API
    - net/rose: fix NULL ax25_cb kernel panic
    - net: set default network namespace in init_dummy_netdev()
    - ravb: expand rx descriptor data to accommodate hw checksum
    - sctp: improve the events for sctp stream reset
    - tun: move the call to tun_set_real_num_queues
    - ucc_geth: Reset BQL queue when stopping device
    - net: ip6_gre: always reports o_key to userspace
    - sctp: improve the events for sctp stream adding
    - net/mlx5e: Allow MAC invalidation while spoofchk is ON
    - ip6mr: Fix notifiers call on mroute_clean_tables()
    - Revert "net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager"
    - sctp: set chunk transport correctly when it's a new asoc
    - sctp: set flow sport from saddr only when it's 0
    - virtio_net: Don't enable NAPI when interface is down
    - virtio_net: Don't call free_old_xmit_skbs for xdp_frames
    - virtio_net: Fix not restoring real_num_rx_queues
    - virtio_net: Fix out of bounds access of sq
    - virtio_net: Don't process redirected XDP frames when XDP is disabled
    - virtio_net: Use xdp_return_frame to free xdp_frames on destroying vqs
    - virtio_net: Differentiate sk_buff and xdp_frame on freeing
    - CIFS: Do not count -ENODATA as failure for query directory
    - CIFS: Fix trace command logging for SMB2 reads and writes
    - CIFS: Do not consider -ENODATA as stat failure for reads
    - fs/dcache: Fix incorrect nr_dentry_unused accounting in shrink_dcache_sb()
    - iommu/vt-d: Fix memory leak in intel_iommu_put_resv_regions()
    - selftests/seccomp: Enhance per-arch ptrace syscall skip tests
    - NFS: Fix up return value on fatal errors in nfs_page_async_flush()
    - ARM: cns3xxx: Fix writing to wrong PCI config registers after alignment
    - arm64: kaslr: ensure randomized quantities are clean also when kaslr is off
    - arm64: Do not issue IPIs for user executable ptes
    - arm64: hyp-stub: Forbid kprobing of the hyp-stub
    - arm64: hibernate: Clean the __hyp_text to PoC after resume
    - gpio: altera...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
dann frazier (dannf) on 2019-05-09
Changed in linux-signed-hwe-edge (Ubuntu Cosmic):
status: New → Invalid
Changed in linux-signed-hwe-edge (Ubuntu Disco):
status: New → Invalid
Changed in linux-signed-hwe-edge (Ubuntu Bionic):
status: New → In Progress
dann frazier (dannf) wrote :

Marking critical, as this prevents X-Gene/uboot systems from booting

Changed in linux-signed-hwe-edge (Ubuntu Bionic):
importance: Undecided → Critical
assignee: nobody → dann frazier (dannf)
Stefan Bader (smb) on 2019-05-14
Changed in linux-signed-hwe-edge (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-signed-hwe (Ubuntu Cosmic):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Disco):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu):
status: New → Invalid
Changed in linux-signed-hwe (Ubuntu Bionic):
importance: Undecided → Critical
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe-edge - 5.0.0-15.16~18.04.1+signed1

---------------
linux-signed-hwe-edge (5.0.0-15.16~18.04.1+signed1) bionic; urgency=medium

  * SecureBoot support for arm64 (LP: #1804481)
    - support recompression of signed kernels

 -- Stefan Bader <email address hidden> Tue, 14 May 2019 13:49:08 +0200

Changed in linux-signed-hwe-edge (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-signed-hwe - 4.18.0-21.22~18.04.1

---------------
linux-signed-hwe (4.18.0-21.22~18.04.1) bionic; urgency=medium

  * Master version: 4.18.0-21.22~18.04.1

  * Built-Using incorrect (LP: #1824016)
    - Rename "VERSION" template string to more precise "UNSIGNED_SRC_VERSION"
    - Use the correct source package name in Built-Using field

linux-signed-hwe (4.18.0-20.21~18.04.1+signed1) bionic; urgency=medium

  * SecureBoot support for arm64 (LP: #1804481)
    - support recompression of signed kernels

 -- Stefan Bader <email address hidden> Thu, 16 May 2019 16:52:10 +0200

Changed in linux-signed-hwe (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers