This bug was fixed in the package linux - 5.4.0-42.46
---------------
linux (5.4.0-42.46) focal; urgency=medium
* focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)
* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"
linux (5.4.0-41.45) focal; urgency=medium
* focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)
* Packaging resync (LP: #1786013)
- update dkms package versions
* CVE-2019-19642
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open
* CVE-2019-16089
- SAUCE: nbd_genl_status: null check for nla_nest_start
* CVE-2020-11935
- aufs: do not call i_readcount_inc()
* ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4 kernel (LP: #1826848)
- selftests: net: ip_defrag: ignore EPERM
* Update lockdown patches (LP: #1884159)
- SAUCE: acpi: disallow loading configfs acpi tables when locked down
* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc
* Introduce the new NVIDIA 418-server and 440-server series, and update the current NVIDIA drivers (LP: #1881137)
- [packaging] add signed modules for the 418-server and the 440-server flavours
-- Khalid Elmously <[email protected]> Thu, 09 Jul 2020 19:50:26 -0400
** Changed in: linux (Ubuntu Groovy)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16089
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19642
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11935
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Focal:
Fix Released
Status in linux source package in Groovy:
Fix Released
Bug description:
SRU Justification:
==================
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this does not take into account that "sig_enforce" can also be
enabled on the kernel command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 "powerpc/ima: Fix secure boot
rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with 'module.sig_enforce=1'
set on the kernel command line.
* Without the patch in place, if the IMA module appraise rule is included,
the finit_module syscall will fail (unless the module signing public key
has been loaded onto the IMA keyring).
* The verification needs to be done by the IBM Power team.
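A diagnostic for the condition the test case describes, added here as an example and not part of the bug report or the kernel patch. It assumes the usual locations /boot/config-$(uname -r), /sys/module/module/parameters/sig_enforce and /sys/kernel/security/ima/policy, and exercises the logic on constructed sample files so it can be tried on any machine:

```shell
#!/bin/sh
# Added diagnostic (not from the bug report or the kernel patch): reports whether a
# system is in the configuration the SRU describes, i.e. CONFIG_MODULE_SIG=y without
# CONFIG_MODULE_SIG_FORCE, module.sig_enforce on at runtime, and an IMA appraise rule
# for MODULE_CHECK in the active policy. Paths are parameters so the same logic can
# be run against the real files or against constructed ones.

# 0 when the kernel config enables CONFIG_MODULE_SIG but not CONFIG_MODULE_SIG_FORCE.
sig_without_force() {
    grep -q '^CONFIG_MODULE_SIG=y' "$1" && ! grep -q '^CONFIG_MODULE_SIG_FORCE=y' "$1"
}

# 0 when the runtime value of module.sig_enforce is Y.
sig_enforce_on() {
    [ "$(cat "$1" 2>/dev/null)" = "Y" ]
}

# 0 when the loaded IMA policy carries an appraise rule for MODULE_CHECK.
ima_appraises_modules() {
    grep -q '^appraise .*func=MODULE_CHECK' "$1" 2>/dev/null
}

# Prints "affected" when all three hold (module signatures are then checked twice
# and finit_module fails unless the signing key is on the IMA keyring), else
# "not-affected".
assess() {
    if sig_without_force "$1" && sig_enforce_on "$2" && ima_appraises_modules "$3"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample inputs standing in for /boot/config-$(uname -r),
# /sys/module/module/parameters/sig_enforce and /sys/kernel/security/ima/policy.
TMP=$(mktemp -d)
printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$TMP/config"
printf 'Y\n' > "$TMP/sig_enforce_on"
printf 'N\n' > "$TMP/sig_enforce_off"
printf 'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig\nappraise func=MODULE_CHECK appraise_type=imasig|modsig\n' > "$TMP/policy_old"
printf 'appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig\n' > "$TMP/policy_fixed"

assess "$TMP/config" "$TMP/sig_enforce_on" "$TMP/policy_old"     # affected
assess "$TMP/config" "$TMP/sig_enforce_on" "$TMP/policy_fixed"   # not-affected
assess "$TMP/config" "$TMP/sig_enforce_off" "$TMP/policy_old"    # not-affected
```

On a real system run assess with the three paths named in the comments; reading the IMA policy file needs root, a mounted securityfs and a kernel built with CONFIG_IMA_READ_POLICY.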
[Regression Potential]
* There is always a certain regression risk with code changes,
especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It was discussed at
https://lore.kernel.org/r/[email protected]
before it was finally accepted upstream in kernel 5.7-rc7.
* The secure boot code itself was not touched, only the condition under
which it is applied.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch landed upstream in 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__________
== Comment: #0 - Michael Ranweiler <[email protected]> - 2020-04-22 14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it's not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to the linux-integrity and linuxppc-dev mailing lists
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-[email protected]/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issues to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler <[email protected]> - 2020-05-11 02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-[email protected]/T/#u