[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-143.169

---
linux (4.4.0-143.169) xenial; urgency=medium

  * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)

  * x86/kvm: Backport fixup and missing commits (LP: #1811646)
- KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
- kvm: nVMX: VMCLEAR an active shadow VMCS after last use
- X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
  path as unlikely()
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported
- KVM: SVM: Add MSR-based feature support for serializing LFENCE
- KVM: X86: Allow userspace to define the microcode version
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts 
disabled
- KVM: VMX: fixes for vmentry_l1d_flush module parameter
- kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- kvm: vmx: Scrub hardware GPRs at VM-exit
- SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
- SAUCE: KVM: Move code fragments, cleanup and re-indent

  * linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] zfs/spl -- enhance provides information
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] Add linux-tools-host package for VM host tools
- [Packaging] signing should be conditional
- [Packaging] skip cloud tools packaging when not building package
- [Packaging] add acpidbg
- [debian] prep linux-libc-dev only if do_libc_dev_package=true
- [Packaging] Only install cloud init files when do_tools_common=true

  * Redpine: Driver crash with network-manager 1.10 and above (LP: #1813869)
- SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

  * Guests using IBRS incur a large performance penalty (LP: #1764956)
- SAUCE: Restore the IBRS host state on VMEXIT

  * Xenial update: 4.4.170 upstream stable release (LP: #1811647)
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
- USB: serial: option: add GosunCn ZTE WeLink ME3630
- USB: serial: option: add HP lt4132
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
- USB: serial: option: add Fibocom NL668 series
- USB: serial: option: add Telit LN940 series
- mmc: core: Reset HPI enabled state during re-init and in case of errors
- mmc: omap_hsmmc: fix DMA API warning
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
- Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
- x86/mtrr: Don't copy uninitialized gentry fields back to userspace
- drm/ioctl: Fix Spectre v1 vulnerabilities
- ip6mr: Fix potential Spectre v1 vulnerability
- ipv4: Fix potential Spectre v1 vulnerability
- ax25: fix a use-after-free in ax25_fillin_cb()
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
- ieee802154: lowpan_header_create check must check daddr
- ipv6: explicitly initialize udp6_addr in udp_sock_create6()
- isdn: fix kernel-infoleak in capi_unlocked_ioctl
- netrom: fix locking in nr_find_socket()
- packet: validate address length
- packet: validate address length if 

[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-03-15 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-143.169

---
linux (4.4.0-143.169) xenial; urgency=medium

  * linux: 4.4.0-143.169 -proposed tracker (LP: #1814647)

  * x86/kvm: Backport fixup and missing commits (LP: #1811646)
- KVM: x86: avoid vmalloc(0) in the KVM_SET_CPUID
- kvm: nVMX: VMCLEAR an active shadow VMCS after last use
- X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
- KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR
  path as unlikely()
- kvm: x86: IA32_ARCH_CAPABILITIES is always supported
- KVM: SVM: Add MSR-based feature support for serializing LFENCE
- KVM: X86: Allow userspace to define the microcode version
- KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts 
disabled
- KVM: VMX: fixes for vmentry_l1d_flush module parameter
- kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
- kvm: vmx: Scrub hardware GPRs at VM-exit
- SAUCE: [Fix] x86/KVM/VMX: Add L1D flush logic
- SAUCE: KVM: Move code fragments, cleanup and re-indent

  * linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version

  * signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] zfs/spl -- enhance provides information
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] Add linux-tools-host package for VM host tools
- [Packaging] signing should be conditional
- [Packaging] skip cloud tools packaging when not building package
- [Packaging] add acpidbg
- [debian] prep linux-libc-dev only if do_libc_dev_package=true
- [Packaging] Only install cloud init files when do_tools_common=true

  * Redpine: Driver crash with network-manager 1.10 and above (LP: #1813869)
- SAUCE: Redpine: enhancement for MAC spoofing to avoid kernel crash

  * Guests using IBRS incur a large performance penalty (LP: #1764956)
- SAUCE: Restore the IBRS host state on VMEXIT

  * Xenial update: 4.4.170 upstream stable release (LP: #1811647)
- USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
- xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
- USB: serial: option: add GosunCn ZTE WeLink ME3630
- USB: serial: option: add HP lt4132
- USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
- USB: serial: option: add Fibocom NL668 series
- USB: serial: option: add Telit LN940 series
- mmc: core: Reset HPI enabled state during re-init and in case of errors
- mmc: omap_hsmmc: fix DMA API warning
- gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
- Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
- x86/mtrr: Don't copy uninitialized gentry fields back to userspace
- drm/ioctl: Fix Spectre v1 vulnerabilities
- ip6mr: Fix potential Spectre v1 vulnerability
- ipv4: Fix potential Spectre v1 vulnerability
- ax25: fix a use-after-free in ax25_fillin_cb()
- ibmveth: fix DMA unmap error in ibmveth_xmit_start error path
- ieee802154: lowpan_header_create check must check daddr
- ipv6: explicitly initialize udp6_addr in udp_sock_create6()
- isdn: fix kernel-infoleak in capi_unlocked_ioctl
- netrom: fix locking in nr_find_socket()
- packet: validate address length
- packet: validate address length if 

[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-03-12 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-166.216

---
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package
(LP: #1806380)
- [Packaging] limit preparation to linux-libc-dev in headers
- [Packaging] commonise debhelper invocation
- [Packaging] ABI -- accumulate abi information at the end of the build
- [Packaging] buildinfo -- add basic build information
- [Packaging] buildinfo -- add firmware information to the flavour ABI
- [Packaging] buildinfo -- add compiler information to the flavour ABI
- [Packaging] buildinfo -- add buildinfo support to getabis
- [Config] buildinfo -- add retpoline version markers
- [Packaging] getabis -- handle all known package combinations
- [Packaging] getabis -- support parsing a simple version
- [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
- [Debian] usbip tools packaging
- [Debian] Don't fail if a symlink already exists
- [Debian] perf -- build in the context of the full generated local headers
- [Debian] basic hook support
- [Debian] follow rename of DEB_BUILD_PROFILES
- [Debian] standardise on stage1 for the bootstrap stage in line with debian
- [Debian] set do_*_tools after stage1 or bootstrap is determined
- [Debian] initscripts need installing when making the package
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Debian] add feature interlock with mainline builds
- [Debian] Remove generated intermediate files on clean
- [Packaging] prevent linux-*-tools-common from being produced from non 
linux
  packages
- SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
- [Debian] Update to new signing key type and location
- [Packaging] autoreconstruct -- generate extend-diff-ignore for links
- [Packaging] reconstruct -- update when inserting final changes
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Packaging] printenv -- add signing options
- [Packaging] fix invocation of header postinst hooks
- [Packaging] signing -- add support for signing Opal kernel binaries
- [Debian] Use src_pkg_name when constructing udeb control files
- [Debian] Dynamically determine linux udebs package name
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-source-* is in the primary linux namespace
- [Packaging] lookup the upstream tag
- [Packaging] switch up to debhelper 9
- [Packaging] autopkgtest -- disable d-i when dropping flavours
- [debian] support for ship_extras_package=false
- [Debian] do_common_tools should always be on
- [debian] do not force do_tools_common
- [Packaging] skip cloud tools packaging when not building package
- [debian] prep linux-libc-dev only if do_libc_dev_package=true

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * kernel oops in bcache module (LP: #1793901)
- SAUCE: bcache: never writeback a discard operation

  * iptables connlimit allows more connections than the limit when using
multiple CPUs (LP: #1811094)
- netfilter: connlimit: improve packet-to-closed-connection logic
- netfilter: nf_conncount: fix garbage collection confirm race
- netfilter: nf_conncount: don't skip eviction when age is negative

  * CVE-2019-6133
- fork: record start_time late

  * test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS
(LP: #1813001)
- procfs: make /proc/*/{stack, syscall, personality} 0400

 -- Kleber Sacilotto de Souza   Thu, 07 Feb
2019 11:31:21 +

** Changed in: linux (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6133

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:

[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-03-06 Thread Kleber Sacilotto de Souza
Working as expected as well with the Trusty kernel:

$ dpkg -l | grep 166
ii  linux-generic   3.13.0.166.177  
amd64Complete Generic Linux kernel and headers
ii  linux-headers-3.13.0-1663.13.0-166.216  
all  Header files related to Linux kernel version 3.13.0
ii  linux-headers-3.13.0-166-generic3.13.0-166.216  
amd64Linux kernel headers for version 3.13.0 on 64 bit x86 SMP
ii  linux-headers-generic   3.13.0.166.177  
amd64Generic Linux kernel headers
ii  linux-image-3.13.0-166-generic  3.13.0-166.216  
amd64Signed kernel image generic
ii  linux-image-generic 3.13.0.166.177  
amd64Generic Linux kernel image
ii  linux-modules-3.13.0-166-generic3.13.0-166.216  
amd64Linux kernel extra modules for version 3.13.0 on 64 bit 
x86 SMP
ii  linux-modules-extra-3.13.0-166-generic  3.13.0-166.216  
amd64Linux kernel extra modules for version 3.13.0 on 64 bit 
x86 SMP


** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-03-04 Thread Kleber Sacilotto de Souza
Hi all,

The dkms build failures are not caused by the changes made for this bug
report. They were caused by some changes on get_user_pages() we pulled
from the 4.4 upstream stable (see bug 1818101 and bug 1818049).

Thank you.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-21 Thread Doug McMahon
This update breaks the use of nvidia drivers in both 14.04 & 16.04
See https://bugs.launchpad.net/ubuntu/+source/linux-meta-lts-xenial/+bug/1816768

** Tags removed: verification-done-xenial
** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-13 Thread Jarno Suni
$ dpkg -l |grep 'linux.*-image.*'
ii  linux-image-4.4.0-140-generic   4.4.0-140.166   
  amd64Linux kernel image for 
version 4.4.0 on 64 bit x86 SMP
ii  linux-image-4.4.0-141-generic   4.4.0-141.167   
  amd64Linux kernel image for 
version 4.4.0 on 64 bit x86 SMP
ii  linux-image-4.4.0-142-generic   4.4.0-142.168   
  amd64Linux kernel image for 
version 4.4.0 on 64 bit x86 SMP
ii  linux-image-4.4.0-143-generic   4.4.0-143.169   
  amd64Signed kernel image generic
ii  linux-image-extra-4.4.0-140-generic 4.4.0-140.166   
  amd64Linux kernel extra modules 
for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-extra-4.4.0-141-generic 4.4.0-141.167   
  amd64Linux kernel extra modules 
for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-extra-4.4.0-142-generic 4.4.0-142.168   
  amd64Linux kernel extra modules 
for version 4.4.0 on 64 bit x86 SMP
ii  linux-image-generic 4.4.0.143.150   
  amd64Generic Linux kernel image
ii  linux-signed-image-4.4.0-140-generic4.4.0-140.166   
  amd64Signed kernel image generic
ii  linux-signed-image-4.4.0-141-generic4.4.0-141.167   
  amd64Signed kernel image generic
ii  linux-signed-image-4.4.0-142-generic4.4.0-142.168   
  amd64Signed kernel image generic
ii  linux-signed-image-generic  4.4.0.142.148   
  amd64Signed Generic Linux kernel 
image
jarnos@jarno-hp8510w:~/.init$ uname -r
4.4.0-143-generic


** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-13 Thread Jarno Suni
Testing this required updating several packages from xenial-proposed

In order to install them all I ran this:

sudo apt install -t=xenial-proposed linux-signed-generic linux-generic

(which is something that is not told in the previous document)

In its execution an error occurred; here is an extraction of the part of
the output:

/etc/kernel/header_postinst.d/dkms:
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.104/build/make.log for more information.
Setting up linux-headers-generic (4.4.0.143.150) ...
Setting up linux-generic (4.4.0.143.150) ...
Processing triggers for linux-image-4.4.0-143-generic (4.4.0-143.169) ...
/etc/kernel/postinst.d/dkms:
ERROR: Cannot create report: [Errno 17] File exists: 
'/var/crash/nvidia-340.0.crash'
Error! Bad return status for module build on kernel: 4.4.0-143-generic (x86_64)
Consult /var/lib/dkms/nvidia-340/340.104/build/make.log for more information.

If I would use open source driver nouveu, instead, I could test this,
but I would not be able to use HDMI IIRC. Well, I'll try.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-12 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
xenial' to 'verification-done-xenial'. If the problem still exists,
change the tag 'verification-needed-xenial' to 'verification-failed-
xenial'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-xenial

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-12 Thread Jarno Suni
Is there similar verification needed for Xenial?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-11 Thread Brad Figg
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
trusty' to 'verification-done-trusty'. If the problem still exists,
change the tag 'verification-needed-trusty' to 'verification-failed-
trusty'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-05 Thread Stefan Bader
** Changed in: linux (Ubuntu Xenial)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-02-04 Thread Stefan Bader
** Changed in: linux (Ubuntu Trusty)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in linux source package in Xenial:
  In Progress

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2019-01-30 Thread Andy Whitcroft
** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Trusty)
   Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
   Status: New => In Progress

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
 Assignee: (unassigned) => Andy Whitcroft (apw)

** Changed in: linux (Ubuntu Trusty)
 Assignee: (unassigned) => Andy Whitcroft (apw)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  In Progress
Status in linux source package in Xenial:
  In Progress

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2018-07-06 Thread Jarno Suni
** Description changed:

- We should switch the default kernle install to the signed kernel.  This
+ We should switch the default kernel install to the signed kernel.  This
  makes it much harder to uninstall the signed kernel in environments
  which enforce the kernel to be signed.  Boot loaders which can
  understand and validate it want the signed image, those which do not
  should ignore the appended signature.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  We should switch the default kernel install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp


[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2018-04-23 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-19.20

---
linux (4.15.0-19.20) bionic; urgency=medium

  * linux: 4.15.0-19.20 -proposed tracker (LP: #1766021)

  * Kernel 4.15.0-15 breaks Dell PowerEdge 12th Gen servers (LP: #1765232)
- Revert "blk-mq: simplify queue mapping & schedule with each possisble CPU"
- Revert "genirq/affinity: assign vectors to all possible CPUs"

linux (4.15.0-18.19) bionic; urgency=medium

  * linux: 4.15.0-18.19 -proposed tracker (LP: #1765490)

  * [regression] Ubuntu 18.04:[4.15.0-17-generic #18] KVM Guest Kernel:
meltdown: rfi/fallback displacement flush not enabled bydefault (kvm)
(LP: #1765429)
- powerpc/pseries: Fix clearing of security feature flags

  * signing: only install a signed kernel (LP: #1764794)
- [Packaging] update to Debian like control scripts
- [Packaging] switch to triggers for postinst.d postrm.d handling
- [Packaging] signing -- switch to raw-signing tarballs
- [Packaging] signing -- switch to linux-image as signed when available
- [Config] signing -- enable Opal signing for ppc64el
- [Packaging] printenv -- add signing options

  * [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
- [Packaging] signing -- add support for signing Opal kernel binaries

  * Please cherrypick s390 unwind fix (LP: #1765083)
- s390/compat: fix setup_frame32

  * Ubuntu 18.04 installer does not detect any IPR based HDD/RAID array [S822L]
[ipr] (LP: #1751813)
- d-i: move ipr to storage-core-modules on ppc64el

  * drivers/gpu/drm/bridge/adv7511/adv7511.ko missing (LP: #1764816)
- SAUCE: (no-up) rename the adv7511 drm driver to adv7511_drm

  * Miscellaneous Ubuntu changes
- [Packaging] Add linux-oem to rebuild test blacklist.

linux (4.15.0-17.18) bionic; urgency=medium

  * linux: 4.15.0-17.18 -proposed tracker (LP: #1764498)

  * Eventual OOM with profile reloads (LP: #1750594)
- SAUCE: apparmor: fix memory leak when duplicate profile load

linux (4.15.0-16.17) bionic; urgency=medium

  * linux: 4.15.0-16.17 -proposed tracker (LP: #1763785)

  * [18.04] [bug] CFL-S(CNP)/CNL GPIO testing failed (LP: #1757346)
- [Config]: Set CONFIG_PINCTRL_CANNONLAKE=y

  * [Ubuntu 18.04] USB Type-C test failed on GLK (LP: #1758797)
- SAUCE: usb: typec: ucsi: Increase command completion timeout value

  * Fix trying to "push" an already active pool VP (LP: #1763386)
- SAUCE: powerpc/xive: Fix trying to "push" an already active pool VP

  * hisi_sas: Revert and replace SAUCE patches w/ upstream (LP: #1762824)
- Revert "UBUNTU: SAUCE: scsi: hisi_sas: export device table of v3 hw to
  userspace"
- Revert "UBUNTU: SAUCE: scsi: hisi_sas: config for hip08 ES"
- scsi: hisi_sas: modify some register config for hip08
- scsi: hisi_sas: add v3 hw MODULE_DEVICE_TABLE()

  * Realtek card reader - RTS5243 [VEN_10EC_5260] (LP: #1737673)
- misc: rtsx: Move Realtek Card Reader Driver to misc
- updateconfigs for Realtek Card Reader Driver
- misc: rtsx: Add support for RTS5260
- misc: rtsx: Fix symbol clashes

  * Mellanox [mlx5] [bionic] UBSAN: Undefined behaviour in
./include/linux/net_dim.h (LP: #1763269)
- net/mlx5e: Fix int overflow

  * apparmor bug fixes for bionic (LP: #1763427)
- apparmor: fix logging of the existence test for signals
- apparmor: make signal label match work when matching stacked labels
- apparmor: audit unknown signal numbers
- apparmor: fix memory leak on buffer on error exit path
- apparmor: fix mediation of prlimit

  * dangling symlinks to loaded apparmor policy (LP: #1755563) // apparmor bug
fixes for bionic (LP: #1763427)
- apparmor: fix dangling symlinks to policy rawdata after replacement

  * [OPAL] Assert fail:
core/mem_region.c:447:lock_held_by_me(>free_list_lock)
(LP: #1762913)
- powerpc/watchdog: remove arch_trigger_cpumask_backtrace

  * [LTC Test] Ubuntu 18.04: tm_trap_test failed on P8 compat mode guest
(LP: #1762928)
- powerpc/tm: Fix endianness flip on trap

  * Add support for RT5660 codec based sound cards on Baytrail (LP: #1657674)
- SAUCE: (no-up) ASoC: Intel: Support machine driver for RT5660 on Baytrail
- SAUCE: (no-up) ASoC: rt5660: Add ACPI support
- SAUCE: (no-up): ASoC: Intel: bytcr-rt5660: Add MCLK, quirks
- [Config] CONFIG_SND_SOC_INTEL_BYTCR_RT5660_MACH=m, CONFIG_SND_SOC_RT5660=m

  * /dev/ipmi enumeration flaky on Cavium Sabre nodes (LP: #1762812)
- i2c: xlp9xx: return ENXIO on slave address NACK
- i2c: xlp9xx: Handle transactions with I2C_M_RECV_LEN properly
- i2c: xlp9xx: Check for Bus state before every transfer
- i2c: xlp9xx: Handle NACK on DATA properly

  * [18.04 FEAT] Add kvm_stat from kernel tree (LP: #1734130)
- tools/kvm_stat: simplify the sortkey function
- tools/kvm_stat: use a namedtuple for storing the values
- tools/kvm_stat: use a more pythonic way to iterate over dictionaries
- tools/kvm_stat: 

[Kernel-packages] [Bug 1764794] Re: signing: only install a signed kernel

2018-04-19 Thread Seth Forshee
** Changed in: linux (Ubuntu)
   Status: Incomplete => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1764794

Title:
  signing: only install a signed kernel

Status in linux package in Ubuntu:
  Fix Committed

Bug description:
  We should switch the default kernle install to the signed kernel.
  This makes it much harder to uninstall the signed kernel in
  environments which enforce the kernel to be signed.  Boot loaders
  which can understand and validate it want the signed image, those
  which do not should ignore the appended signature.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1764794/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp