This bug was fixed in the package linux - 5.13.0-14.14

---------------
linux (5.13.0-14.14) impish; urgency=medium

  * impish/linux: 5.13.0-14.14 -proposed tracker (LP: #1938565)

  * Miscellaneous Ubuntu changes
    - SAUCE: Revert "UBUNTU: SAUCE: random: Make getrandom() ready earlier"
    - SAUCE: random: properly make getrandom() ready earlier

  * Miscellaneous upstream changes
    - seq_buf: Fix overflow in seq_buf_putmem_hex()
    - bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
    - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
      transaction handle
    - ext4: fix kernel infoleak via ext4_extent_header
    - ext4: fix overflow in ext4_iomap_alloc()
    - ext4: return error code when ext4_fill_flex_info() fails
    - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
    - ext4: remove check for zero nr_to_scan in ext4_es_scan()
    - ext4: fix avefreec in find_group_orlov
    - ext4: use ext4_grp_locked_error in mb_find_extent

 -- Andrea Righi <andrea.ri...@canonical.com>  Mon, 02 Aug 2021 14:23:08
+0200

** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  New
Status in linux source package in Focal:
  New
Status in linux source package in Hirsute:
  Fix Committed

Bug description:
  [Impact]

   * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
  which revokes many Ubuntu kernel hashes and 2012 signing key.

   * Kernel should import those into it's %:.blacklist keyring such that
  it prohibits signed kexec of the revoked kernels.

   * v5.13-rc1 kernel has learned how to import mokx and how to import
  full certs into the %:.blacklist keyring.

   * However, it only does so by reading MokListXRT efi variable.

   * Due to the large size of Ubuntu's vendor-dbx, shim does not create
  MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2
  MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also
  exposes MokListXRT via mokvar table, which is easier to parse and
  contains all the revocations in full. Kernel needs a patch to read
  MokListXRT via mokvar table.

   * We have two options on how to proceed from here, either we include
  the same hashes and certs as our vendordbx in in the kernel as
  revocation list, or we fix kernel to read MokListXRT via mokvar table

   * The above is known as CVE-2020-26541

   * Separately it would be nice to add informational dmesg messages
  when revoking signing certificates, as a good indication that signing
  key rotation events have happened and have been applied correctly.

  [Test Plan]

   * Boot kernel with 15.4 based Ubuntu shim

   * Install keyutils package

   * Execute $ sudo keyctl list %:.blacklist it should list in exccess
  of 300+ hash entries. It also must list assymetric Canonical signing
  key from 2012.

   * Separately check dmesg to observe that asymmetric canonical signing
  key from 2012 is revoked.

  [Where problems could occur]

   * EFI variable storage can be full thus preventing shim to mirror
  efivars and the moktable. On decent hardware this should not happen,
  but has been observed to be corrupted on some older EDKII based OVMF
  instances with small EFI variable storage space (pre-4MB).

  [Other Info]
   
   * The patches to fix the above have been submitted upstream

  
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.led...@canonical.com/

  
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.led...@canonical.com/

  This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
  kernel, until accepted upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to