Public bug reported:

[ Impact ]

 * Recent kernels expose built-in trusted and revoked certificates. See
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1996892

 * When kernels expose such information, it is prudent to check whether
the freshly signed EFI binaries are actually revoked, and to fail the
build in such cases.

 * This ensures that a given signed kernel can perform verified kexec
for quick-reboot or for kdump purposes.

 * This also helps with key rotations, in case a kernel is routed to be
signed with the wrong key due to misconfiguration of the build.

[ Test Plan ]

 * Add test-build PPA certificate as revoked
 * Perform a test-build crank of linux & linux-signed, in test-build PPA
 * linux-signed should FTBFS in test-build PPA
 * Copy linux and linux-signed with binaries to a personal PPA; linux-signed
should complete the build correctly

[ Where problems could occur ]

 * Each individual linux-signed package needs to add a build-dep on all
buildinfo packages of all EFI signed flavours on EFI signed arches

 * The verification is done on EFI signed binaries only for now. OPAL &
SIPL signing checks might be implemented in the future

** Affects: linux-signed (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Changed in: linux-signed (Ubuntu)
       Status: New => Confirmed

** Description changed:

  [ Impact ]
  
-  * Recent kernels expose built-in trusted and revoked certificates. See
+  * Recent kernels expose built-in trusted and revoked certificates. See
  https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1996892
  
-  * When kernels expose such information, it is prudent to check if the
+  * When kernels expose such information, it is prudent to check if the
  freshly signed EFI binaries are actually revoked. And fail the build in
  such cases.
  
-  * This ensures that a given signed kernel, can perform verified kexec
+  * This ensures that a given signed kernel, can perform verified kexec
  for quick-reboot or for kdump purposes.
  
-  * This also helps with key rotations, in case kernel is routed to be
+  * This also helps with key rotations, in case kernel is routed to be
  signed with the wrong key due to miss-configuration of the build.
  
  [ Test Plan ]
  
-  * Add test-build PPA certificate as revoked
-  * Perform a test-build crank of linux & linux-signed, in test-build PPA
-  * linux-signed should FTBFS in test-build PPA
-  * Copy linux and linux-signed with binaries to a personal PPA, linux-signed 
should complete the build correctly
+  * Add test-build PPA certificate as revoked
+  * Perform a test-build crank of linux & linux-signed, in test-build PPA
+  * linux-signed should FTBFS in test-build PPA
+  * Copy linux and linux-signed with binaries to a personal PPA, linux-signed 
should complete the build correctly
  
  [ Where problems could occur ]
  
-  * Each individual linux-signed package needs to add a build-dep on all
+  * Each individual linux-signed package needs to add a build-dep on all
  buildinfo packages of all EFI signed flavours on EFI signed arches
+ 
+  * The verification is done on EFI signed binaries only for now. OPAL &
+ SIPL signing checks might be implemented in the future

** Summary changed:

- Fail the build if EFI binaries are signed with revoked keys
+ Check if EFI signatures are revoked at build

** Summary changed:

- Check if EFI signatures are revoked at build
+ Check if EFI signatures are revoked at build time

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1996955

Title:
  Check if EFI signatures are revoked at build time

Status in linux-signed package in Ubuntu:
  Confirmed


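The build-time check described in this report, and the two outcomes of its test plan, can be sketched as follows. This is an added example, not code from the linux-signed package: it assumes the signer certificate of the signed EFI binary and the kernel's revoked certificates have already been exported as PEM text, and that revocation is matched on the whole certificate by SHA-256 fingerprint. All function names and the sample certificates are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in a PEM bundle."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    return prints


def revoked_signers(signer_pem, revoked_pem):
    """Fingerprints of signer certificates that appear in the revoked bundle."""
    signers = pem_fingerprints(signer_pem)
    if not signers:
        # An unsigned or unparsable input must not pass as "not revoked".
        raise ValueError("no signer certificate found")
    return sorted(signers & pem_fingerprints(revoked_pem))


def to_pem(der):
    """Wrap raw bytes in PEM certificate armour (helper for the sample data)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed stand-ins: placeholder bytes, not real X.509 certificates.
TEST_PPA_KEY = to_pem(b"constructed placeholder: test-build PPA cert")
PERSONAL_PPA_KEY = to_pem(b"constructed placeholder: personal PPA cert")
OLD_KEY = to_pem(b"constructed placeholder: rotated-out cert")
REVOKED_BUNDLE = OLD_KEY + TEST_PPA_KEY  # test plan: test-build cert is revoked


def check_build(signer_pem, revoked_pem=REVOKED_BUNDLE):
    """Return 0 if the build may continue, 1 if it must fail (FTBFS)."""
    hits = revoked_signers(signer_pem, revoked_pem)
    for fp in hits:
        print(f"revoked signer certificate: sha256:{fp}")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(check_build(TEST_PPA_KEY))
```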