** Description changed:

  [ Impact ]
  
-  * Kernels have a set of builtin trusted and revoked certificates as a bundle
-  * It is not very easy to access them, one needs to either download linux 
kernel package source code; or boot the kernel look up builtin hashes; and then 
find certificates externally
-  * It would be more convenient for inspection to expose these in the 
buildinfo package, which already exposes auxiliary kernel information
+  * Kernels have a set of builtin trusted and revoked certificates as a bundle
+  * It is not very easy to access them, one needs to either download linux 
kernel package source code; or boot the kernel look up builtin hashes; and then 
find certificates externally
+  * It would be more convenient for inspection to expose these in the 
buildinfo package, which already exposes auxiliary kernel information
  
  [ Test Plan ]
  
-  * sudo apt install linux-buildinfo-$(uname -r)
-  * check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and 
contains livepatch cert
-  * check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists 
and contains 2012 cert
+  * sudo apt install linux-buildinfo-$(uname -r)
+  * check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and 
contains livepatch cert
+  * check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists 
and contains 2012 cert
+ 
+ Example output:
+ $ grep Subject: -r usr/lib/linux
+ usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: CN = 
Canonical Ltd. Live Patch Signing
+ usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: C = GB, 
ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel 
Module Signing
+ usr/lib/linux/5.19.0-24-generic/canonical-revoked-certs.pem:        Subject: 
C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical 
Ltd. Secure Boot Signing
+ 
  
  [ Where problems could occur ]
  
-  * buildinfo is an auxiliary package not installed by default, but used
+  * buildinfo is an auxiliary package not installed by default, but used
  by developer tooling and packaging.
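
Review bot: The example output added under [ Test Plan ] does not match the checks listed above it. The grep shows subjects from canonical-certs.pem and canonical-revoked-certs.pem, but nothing from canonical-uefi-2012-all.pem, which the second check names, and no check bullet covers canonical-revoked-certs.pem. Suggest either adding a check for the revoked bundle or extending the example output to include canonical-uefi-2012-all.pem, so a tester can tell which files are expected to ship.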

https://bugs.launchpad.net/bugs/1996892

Title:
  Expose built-in trusted and revoked certificates

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Bionic:
  Incomplete
Status in linux source package in Focal:
  Incomplete
Status in linux source package in Jammy:
  Incomplete
Status in linux source package in Kinetic:
  Incomplete
Status in linux source package in Lunar:
  Incomplete

Bug description:
  [ Impact ]

   * Kernels have a set of builtin trusted and revoked certificates as a bundle
   * It is not very easy to access them, one needs to either download linux kernel package source code; or boot the kernel, look up builtin hashes; and then find certificates externally
   * It would be more convenient for inspection to expose these in the buildinfo package, which already exposes auxiliary kernel information

  [ Test Plan ]

   * sudo apt install linux-buildinfo-$(uname -r)
   * check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and contains livepatch cert
   * check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists and contains 2012 cert

  Example output:
  $ grep Subject: -r usr/lib/linux
  usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: CN = Canonical Ltd. Live Patch Signing
  usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel Module Signing
  usr/lib/linux/5.19.0-24-generic/canonical-revoked-certs.pem:        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing

  
  [ Where problems could occur ]

   * buildinfo is an auxiliary package not installed by default, but
  used by developer tooling and packaging.
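
The test plan above can be scripted as follows. This is an added example, not part of the bug report or the Ubuntu kernel packaging. The function names, the constructed sample tree and the assumption that each bundle contains PEM blocks with "openssl x509 -text" style "Subject:" headers are illustrative.

```shell
#!/bin/sh
# Added example: automates the two test-plan checks for a buildinfo tree.
# Assumption: each bundle holds PEM blocks preceded by "openssl x509 -text"
# style headers, as the "Subject:" lines in the example output suggest.

# list_subjects FILE: print one certificate subject per line.
list_subjects() {
    sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' "$1"
}

# check_bundle FILE [PATTERN]: succeed if FILE is readable, contains a PEM
# certificate and, when PATTERN is given, has a subject matching it.
check_bundle() {
    file=$1 pattern=${2:-}
    [ -r "$file" ] || { echo "MISSING  $file"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" ||
        { echo "NO-CERT  $file"; return 1; }
    if [ -n "$pattern" ] && ! list_subjects "$file" | grep -q -- "$pattern"; then
        echo "NO-MATCH $file ($pattern)"; return 1
    fi
    echo "OK       $file"
}

# check_buildinfo_certs DIR: run both checks, non-zero if either fails.
# The 2012 bundle is checked for presence only; its subject is not on the page.
check_buildinfo_certs() {
    dir=$1 rc=0
    check_bundle "$dir/canonical-certs.pem" 'Live Patch Signing' || rc=1
    check_bundle "$dir/canonical-uefi-2012-all.pem" || rc=1
    return "$rc"
}

# make_sample_tree: constructed stand-in (not a real certificate) so the
# checks can be tried offline; prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    printf '%s\n' '        Subject: CN = Canonical Ltd. Live Patch Signing' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
        '-----END CERTIFICATE-----' > "$d/canonical-certs.pem"
    echo "$d"
}

# On an installed system: check_buildinfo_certs "/usr/lib/linux/$(uname -r)"
```

A MISSING or NO-MATCH line from this script means the installed buildinfo package does not yet ship the bundle the test plan expects.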
