Re: [arm64] secure boot breach via VFIO_NOIOMMU

2023-12-14 Thread Salvatore Bonaccorso
Hi, On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote: > Hi > > Over six years ago, support for VFIO without IOMMU was enabled for > arm64. This is a breach of the integrity lockdown requirement of secure > boot. > > VFIO is a framework for handle devices in userspace. To make > th

Re: How to revoke Debian kernels for secure boot

2023-12-14 Thread Julian Andres Klode
On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote: > At the moment the best options are: > > - rotate online signing key > - build new shim with old signing key in vendorx (revoked ESL) > - build new kernels with old signing key built-in revoked keyring > > This is to ensure tha

Bug#1056056: linux-image-6.1.0-13-amd64: After a 'warm' reboot the disk is missing (not detected by the bios) on a HP t640

2023-12-14 Thread Ben Mesman | Spark Narrowcasting
The attached patch works on my systems. Is there a way to get this in? --- arch/x86/kernel/reboot.c.orig 2023-12-14 08:25:10.033382061 +0100 +++ arch/x86/kernel/reboot.c 2023-12-14 08:31:10.394325941 +0100 @@ -469,6 +469,14 @@ DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq"), }, }, + { /* Handle p

Bug#1057967: fixed in linux 6.1.67-1

2023-12-14 Thread Stephan Verbücheln
Hereby I confirm that linux-image-6.1.0-16-amd64 (6.1.67-1) from bookworm-proposed-updates fixed the problems for me. Regards Stephan signature.asc Description: This is a digitally signed message part

Bug#1056056: linux-image-6.1.0-13-amd64: After a 'warm' reboot the disk is missing (not detected by the bios) on a HP t640

2023-12-14 Thread Salvatore Bonaccorso
Hi Ben, On Thu, Dec 14, 2023 at 09:16:48AM +, Ben Mesman | Spark Narrowcasting wrote: > The attached patch works on my systems. Is there a way to get this in? > --- arch/x86/kernel/reboot.c.orig 2023-12-14 08:25:10.033382061 +0100 > +++ arch/x86/kernel/reboot.c 2023-12-14 08:31:10.39432

Bug#1052304: Debian 6.1 Kernels suspect

2023-12-14 Thread Bill MacAllister
On 2023-12-09 09:49, Bill MacAllister wrote: On 2023-12-08 15:59, Diederik de Haas wrote: On Saturday, 9 December 2023 00:28:50 CET Jeffrey Altman wrote: The bug is considered valid by upstream. A proposed fix for this issue is being reviewed. http://lists.infradead.org/pipermail/linux-afs/20

Bug#1057967: linux-image-6.1.0-15-amd64: Fixed in 6.1.67-1

2023-12-14 Thread reporter
I can confirm that this issue is fixed in my Macbook Pro after upgrading to 6.1.67-1 from bookworm-proposed-updates. --- $ apt-cache policy linux-image-amd64 linux-image-amd64: Installed: 6.1.67-1 Candidate: 6.1.67-1 Version table: *** 6.1.67-1 500 500 http://ht

Re: [arm64] secure boot breach via VFIO_NOIOMMU

2023-12-14 Thread Steve McIntyre
On Thu, Dec 14, 2023 at 09:26:09AM +0100, Salvatore Bonaccorso wrote: >Hi, > >On Wed, Dec 13, 2023 at 10:45:01PM +0100, Bastian Blank wrote: >> Hi >> >> Over six years ago, support for VFIO without IOMMU was enabled for >> arm64. This is a breach of the integrity lockdown requirement of secure >>

Re: How to revoke Debian kernels for secure boot

2023-12-14 Thread Steve McIntyre
Hey all, On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote: >At the moment the best options are: > >- rotate online signing key >- build new shim with old signing key in vendorx (revoked ESL) >- build new kernels with old signing key built-in revoked keyring > >This is to ensure

Re: How to revoke Debian kernels for secure boot

2023-12-14 Thread Bastian Blank
On Thu, Dec 14, 2023 at 03:09:51PM +, Steve McIntyre wrote: > On Wed, Dec 13, 2023 at 10:18:40PM +, Dimitri John Ledkov wrote: > >There is no sbat for kernels yet (and/or nobody has yet started to use sbat > >for > >kernels). > It's a difficult thing to do, especially in light of significa

Re: How to revoke Debian kernels for secure boot

2023-12-14 Thread Bastian Blank
On Thu, Dec 14, 2023 at 09:31:11PM +0100, Bastian Blank wrote: > On Thu, Dec 14, 2023 at 03:09:51PM +, Steve McIntyre wrote: > > It's a difficult thing to do, especially in light of significant > > pushback from upstream developers. Okay, I finally managed to read most of that thread. And it

Bug#1052304: Debian 6.1 Kernels suspect

2023-12-14 Thread Bill MacAllister
On 2023-12-14 01:54, Bill MacAllister wrote: This took me longer that I wanted, but I have built kernels the following kernels with the patch: linux-image-6.1.0-15-amd64-dbg_6.1.66-2~afs1_amd64.deb linux-image-6.1.0-15-amd64-unsigned_6.1.66-2~afs1_amd64.deb linux-image-6.1.0-15-cloud-amd64-dbg