This bug was fixed in the package linux - 5.4.0-42.46

linux (5.4.0-42.46) focal; urgency=medium

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()

  * in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
    kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the
    current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server

 -- Khalid Elmously <>  Thu, 09 Jul 2020
19:50:26 -0400

** Changed in: linux (Ubuntu Groovy)
       Status: In Progress => Fix Released

** CVE added:

** CVE added:

** CVE added:

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Fix Committed
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Fix Released

Bug description:
  SRU Justification:


  * Currently the kernel module appended signature is verified twice
  (finit_module) - once by the module_sig_check() and again by IMA.

  * To prevent this the powerpc secure boot rules define an IMA
  architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
  not enabled.

  * But this doesn't take the ability into account of enabling
  "sig_enforce" at the boot command line (module.sig_enforce=1).

  * Including the IMA module appraise rule results in failing the
  finit_module syscall, unless the module signing public key is loaded
  onto the IMA keyring.

  * This patch fixes secure boot policy rules to be based on


  * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
  Fix secure boot rules in ima arch policy"

  [Test Case]

  * Perform a secure boot on a powerpc system with
  'module.sig_enforce=1' set at the boot command.

  * If the IMA module appraise rule is included, the finit_module
  syscall will fail (unless the module signing public key got loaded
  onto the IMA keyring) without having the patch in place.

  * The verification needs to be done by the IBM Power team.

  [Regression Potential]

  * There is (always) a certain regression risk with having code
  changes, especially in the secure boot area.

  * But this patch is limited to the powerpc platform and will not
  affect any other architecture.

  * It got discussed at
    before it became finally upstream accepted with kernel 5.7-rc7.

  * The secure boot code itself wasn't really touched, rather than it's basis 
for execution.
    The IMA policy rule for module appraisal is now added only if 
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
    Hence the change is very limited and straightforward.


  * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence 
this SRU is for focal only.

  == Comment: #0 - Michael Ranweiler <> - 2020-04-22 
14:44:31 ==
  +++ This bug was initially created as a clone of Bug #184073 +++

  This bug is a follow on to LP 1866909 to address a missing piece -
  only half the following patch was included in 5.4.0-24.28.

  The upstream patch has an additional fix but it?s not critical for GA.
  It can get included as part of bug fixes. It also affects only power.
  The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
  posted to linux-integrity and linuxppc-dev mailing list

  If there are any issues identified during further testing, they will
  get opened as separate issue to be addressed later.

  Thanks & Regards,
     - Nayna

  == Comment: #4 - Michael Ranweiler <> - 2020-05-11 
02:23:35 ==
  Updated posting:

To manage notifications about this bug go to:

Mailing list:
Post to     :
Unsubscribe :
More help   :

Reply via email to