enable config for fixing 5.17 kernel won't load mok

Bug #1972802 reported by Ivan Hu
Affects                   Status        Importance  Assigned to      Milestone
OEM Priority Project      Fix Released  Critical    Yuan-Chen Cheng
linux (Ubuntu)            Fix Released  Undecided   Ivan Hu
  Jammy                   Invalid       Undecided   Unassigned
  Kinetic                 Fix Released  Undecided   Ivan Hu
linux-oem-5.17 (Ubuntu)   Invalid       Undecided   Unassigned
  Jammy                   Fix Released  Undecided   Ivan Hu
  Kinetic                 Invalid       Undecided   Unassigned

Bug Description

[Impact]
MOK keys are not trusted after kernel 5.17.

[Fix]
Enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT and CONFIG_IMA_ARCH_POLICY. The patch "integrity: Do not load MOK and MOKx when secure boot be disabled" added a check that secure boot is enabled before the MOK keys are trusted; without these options the kernel's secure boot query always reports it as disabled, so the MOK keys are never trusted.

[Test]
Enroll a MOK key and use it to sign kernel modules. Make sure secure boot is on, then load a signed module with either modprobe or insmod.

[Where problems could occur]
Low. Only the check for whether secure boot is enabled is affected.
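As an added example, not part of the bug report: a small POSIX sh check for the two conditions the [Fix] and [Test] sections rely on, run here on constructed sample kernel config and SecureBoot efivar files (the /boot/config-* and /sys/firmware/efi/efivars paths used by the live check at the end are assumptions about the host).

```shell
#!/bin/sh
# Added example, not code from the bug report. Paths are arguments so the
# functions run on constructed samples as well as on a live system.

# 0 if both options the fix needs are set to =y in the given kernel config.
ima_mok_config_ok() {
    for opt in CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT CONFIG_IMA_ARCH_POLICY; do
        grep -qx "${opt}=y" "$1" || return 1
    done
}

# Prints "on"/"off" from an efivarfs SecureBoot-* file: 4 attribute bytes,
# then a single data byte (1 = enabled).
sb_state() {
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    if [ "$v" = "1" ]; then echo on; else echo off; fi
}

# Mirrors the bug: with the options unset the kernel's secure-boot query
# reports "off", so MOK keys are not trusted even when firmware has SB on.
mok_trust_expected() {
    if ! ima_mok_config_ok "$1"; then
        echo "not trusted (IMA arch policy options unset)"
    elif [ "$(sb_state "$2")" != on ]; then
        echo "not trusted (secure boot off)"
    else
        echo "trusted"
    fi
}

# Constructed sample inputs (not real files from the report).
tmp=$(mktemp -d)
printf '# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set\n# CONFIG_IMA_ARCH_POLICY is not set\n' > "$tmp/config-1005"
printf 'CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y\nCONFIG_IMA_ARCH_POLICY=y\n' > "$tmp/config-1007"
printf '\007\000\000\000\001' > "$tmp/sb-on"
printf '\007\000\000\000\000' > "$tmp/sb-off"

for c in config-1005 config-1007; do
    echo "$c, firmware SB on: $(mok_trust_expected "$tmp/$c" "$tmp/sb-on")"
done

# Live check, only when run on a real system with efivarfs mounted (assumed paths).
cfg=/boot/config-$(uname -r)
sb=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
[ -r "$cfg" ] && [ -r "$sb" ] && echo "running kernel: $(mok_trust_expected "$cfg" "$sb")"
```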

tags: added: oem-priority
Ivan Hu (ivan.hu)
information type: Proprietary → Public
AceLan Kao (acelankao)
Changed in linux (Ubuntu Jammy):
status: New → Invalid
Changed in linux-oem-5.17 (Ubuntu Kinetic):
status: New → Invalid
Changed in linux (Ubuntu Kinetic):
status: New → In Progress
Changed in linux-oem-5.17 (Ubuntu Jammy):
status: New → In Progress
Changed in linux (Ubuntu Kinetic):
assignee: nobody → Ivan Hu (ivan.hu)
Changed in linux-oem-5.17 (Ubuntu Jammy):
assignee: nobody → Ivan Hu (ivan.hu)
Ivan Hu (ivan.hu)
description: updated
tags: added: originate-from-1969557 somerville
Changed in oem-priority:
importance: Undecided → Critical
status: New → Triaged
Timo Aaltonen (tjaalton)
Changed in linux-oem-5.17 (Ubuntu Jammy):
status: In Progress → Fix Committed
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Installed the 5.17-oem 1005 kernel from jammy-proposed; it's not fixed yet.

# grep CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT /boot/config-5.1*
/boot/config-5.17.0-1004-oem:# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
/boot/config-5.17.0-1005-oem:# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set

# grep CONFIG_IMA_ARCH_POLICY /boot/config-5.1*
/boot/config-5.17.0-1004-oem:# CONFIG_IMA_ARCH_POLICY is not set
/boot/config-5.17.0-1005-oem:# CONFIG_IMA_ARCH_POLICY is not set

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

The 5.17-oem-1007 kernel has the fix; wait for it to land and then do verification.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Bug verified: passed with linux-oem-22.04 5.17.0.1009.9 in jammy-proposed.

Changed in oem-priority:
status: Triaged → Fix Committed
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
Timo Aaltonen (tjaalton)
tags: added: verification-done-jammy
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-oem-5.17 - 5.17.0-1011.12

---------------
linux-oem-5.17 (5.17.0-1011.12) jammy; urgency=medium

  * CVE-2022-1972
    - netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

  * CVE-2022-1966
    - netfilter: nf_tables: disallow non-stateful expression in sets earlier

 -- Thadeu Lima de Souza Cascardo <email address hidden> Fri, 03 Jun 2022 14:17:23 -0300

Changed in linux-oem-5.17 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.19.0-15.15

---------------
linux (5.19.0-15.15) kinetic; urgency=medium

  * kinetic/linux: 5.19.0-15.15 -proposed tracker (LP: #1983335)

  * Miscellaneous Ubuntu changes
    - [Config] update annotations to support both gcc-11 and gcc-12

 -- Andrea Righi <email address hidden> Tue, 02 Aug 2022 09:23:01 +0200

Changed in linux (Ubuntu Kinetic):
status: In Progress → Fix Released