[Kernel-packages] [Bug 1584195] Re: IMA-appraisal is still unusable in Ubuntu 16.04
I submitted them on April 8. I will resubmit in a couple of weeks for the next -rc period. But when it reaches linux-next is up to the keyrings maintainer (David Howells). -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584195 Title: IMA-appraisal is still unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Triaged Status in linux source package in Xenial: Triaged Bug description: A recent bug (Bug #1558553) that renders IMA and trusted keyrings unusable was prematurely marked as fixed. The bug report was missing a couple of minor fixes which are attached. These patches are also submitted to LSM and keyrings mailing lists to be upstreamed. * KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage * KEYS: Print insert-sys-cert information to stout instead of stderr To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584195/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584195] [NEW] IMA-appraisal is still unusable in Ubuntu 16.04
Public bug reported: A recent bug (Bug #1558553) that renders IMA and trusted keyrings unusable was prematurely marked as fixed. The bug report was missing a couple of minor fixes which are attached. These patches are also submitted to LSM and keyrings mailing lists to be upstreamed. * KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage * KEYS: Print insert-sys-cert information to stout instead of stderr ** Affects: linux (Ubuntu) Importance: Undecided Status: Incomplete ** Patch added: "KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage" https://bugs.launchpad.net/bugs/1584195/+attachment/4667148/+files/0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584195 Title: IMA-appraisal is still unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Incomplete Bug description: A recent bug (Bug #1558553) that renders IMA and trusted keyrings unusable was prematurely marked as fixed. The bug report was missing a couple of minor fixes which are attached. These patches are also submitted to LSM and keyrings mailing lists to be upstreamed. * KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage * KEYS: Print insert-sys-cert information to stout instead of stderr To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584195/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1584195] Re: IMA-appraisal is still unusable in Ubuntu 16.04
** Patch added: "KEYS: Print insert-sys-cert information to stout instead of stderr" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584195/+attachment/4667149/+files/0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch ** Description changed: - A recent bug (#1558553) that renders IMA and trusted keyrings unusable - was prematurely marked as fixed. The bug report was missing a couple of - minor fixes which are attached. These patches are also submitted to LSM - and keyrings mailing lists to be upstreamed. + A recent bug (Bug #1558553) that renders IMA and trusted keyrings + unusable was prematurely marked as fixed. The bug report was missing a + couple of minor fixes which are attached. These patches are also + submitted to LSM and keyrings mailing lists to be upstreamed. * KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage * KEYS: Print insert-sys-cert information to stout instead of stderr - - Bug #1558553: - https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1584195 Title: IMA-appraisal is still unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Incomplete Bug description: A recent bug (Bug #1558553) that renders IMA and trusted keyrings unusable was prematurely marked as fixed. The bug report was missing a couple of minor fixes which are attached. These patches are also submitted to LSM and keyrings mailing lists to be upstreamed. * KEYS: Insert incompressible bytes to vmlinux to reserve space in bzImage * KEYS: Print insert-sys-cert information to stout instead of stderr To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1584195/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This trivial patch reduces the clutter from build output. ** Patch added: "0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629381/+files/0002-KEYS-Print-insert-sys-cert-information-to-stout-inst.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Fix Released Status in linux source package in Xenial: Fix Released Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04
This bug is not fixed yet, since the random bytes are not added to the build. The attached patch fixes it by adding the step for inserting the null key during build. ** Patch added: "0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch" https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+attachment/4629379/+files/0001-KEYS-Insert-incompressible-bytes-to-vmlinux-to-reser.patch -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1558553 Title: IMA-appraisal is unusable in Ubuntu 16.04 Status in linux package in Ubuntu: Fix Released Status in linux source package in Xenial: Fix Released Bug description: At some point, the IMA keyring changed from _ima to a trusted .ima keyring. At that point, we couldn't add keys to the IMA keyring. Other distros import UEFI keys onto the system keyring. Another method of loading keys on the system keyring is needed, which doesn't require the UEFI keys or rebuilding the kernel. To resolve this problem, the kernel should be built so that certificate memory is reserved and randomized. Two patches are being upstreamed in this open window (linux-4.6): 8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling We need to include these Kconfig options to reserve the memory: CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 An additional patch, which will be upstreamed, is needed to fill the reserved memory with random data before it is compressed. (The patch is attached.) After compiling the kernel with the reserved memory, the following build step is required: scripts/insert-sys-cert -b vmlinux -c /dev/null If you want to add a cert, the following command will unpack a bzImage, install the cert (DER format) in the vmlinuz, and repack the bzImage. scripts/insert-sys-cert -s -z -c Contact Information = George Wilson/ Mimi Zohar To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp