[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: ubuntu-power-systems
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Focal:
Fix Released
Status in linux source package in Groovy:
Fix Released
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug was fixed in the package linux - 5.4.0-42.46
---
linux (5.4.0-42.46) focal; urgency=medium
* focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)
* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"
linux (5.4.0-41.45) focal; urgency=medium
* focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)
* Packaging resync (LP: #1786013)
- update dkms package versions
* CVE-2019-19642
- kernel/relay.c: handle alloc_percpu returning NULL in relay_open
* CVE-2019-16089
- SAUCE: nbd_genl_status: null check for nla_nest_start
* CVE-2020-11935
- aufs: do not call i_readcount_inc()
* ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4
kernel (LP: #1826848)
- selftests: net: ip_defrag: ignore EPERM
* Update lockdown patches (LP: #1884159)
- SAUCE: acpi: disallow loading configfs acpi tables when locked down
* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc
* Introduce the new NVIDIA 418-server and 440-server series, and update the
current NVIDIA drivers (LP: #1881137)
- [packaging] add signed modules for the 418-server and the 440-server
flavours
-- Khalid Elmously Thu, 09 Jul 2020
19:50:26 -0400
** Changed in: linux (Ubuntu Groovy)
Status: In Progress => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16089
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19642
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11935
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Focal:
Fix Released
Status in linux source package in Groovy:
Fix Released
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug was fixed in the package linux - 5.4.0-40.44 --- linux (5.4.0-40.44) focal; urgency=medium * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120) - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and -tools-host * Packaging resync (LP: #1786013) - [Packaging] update helper scripts * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691) - e1000e: Disable TSO for buffer overrun workaround * CVE-2020-0543 - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when not supported * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147) - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before association for 11N chip" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being connected" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc" - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support" - rtw88: add a debugfs entry to dump coex's info - rtw88: add a debugfs entry to enable/disable coex mechanism - rtw88: 8723d: Add coex support - SAUCE: rtw88: coex: 8723d: set antanna control owner - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier * CPU stress test fails with focal kernel (LP: #1867900) - [Config] Disable hisi_sec2 temporarily * Enforce all config annotations (LP: #1879327) - [Config]: do not enforce CONFIG_VERSION_SIGNATURE - [Config]: prepare to enforce all - [Config]: enforce all config options * Focal update: v5.4.44 upstream stable release (LP: #1881927) - ax25: fix setsockopt(SO_BINDTODEVICE) - dpaa_eth: fix usage as DSA master, try 3 - net: don't return invalid table id error when we fall back to PF_UNSPEC - net: dsa: mt7530: fix roaming from DSA user ports - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend - __netif_receive_skb_core: pass skb by reference - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast* - net: ipip: fix wrong address family in init error path - net/mlx5: Add command entry handling completion - net: mvpp2: fix RX hashing for non-10G ports - net: nlmsg_cancel() if put fails for nhmsg - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() - net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" - net sched: fix reporting the first-time use timestamp - net/tls: fix race condition causing kernel panic - nexthop: Fix attribute checking for groups - r8152: support additional Microsoft Surface Ethernet Adapter variant - sctp: Don't add the shutdown timer if its already been added - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed - tipc: block BH before using dst_cache - net/mlx5e: kTLS, Destroy key object after destroying the TIS - net/mlx5e: Fix inner tirs handling - net/mlx5: Fix memory leak in mlx5_events_init - net/mlx5e: Update netdev txq on completions during closure - net/mlx5: Fix error flow in case of function_setup failure - net/mlx5: Annotate mutex destroy for root ns - net/tls: fix encryption error checking - net/tls: free record only on encryption error - net: sun: fix missing release regions in cas_init_one(). - net/mlx4_core: fix a memory leak bug. - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails - ARM: dts: rockchip: fix phy nodename for rk3228-evb - ARM: dts: rockchip: fix phy nodename for rk3229-xms6 - arm64: dts: rockchip: fix status for in rk3328-evb.dts - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node - ARM: dts: rockchip: swap clock-names of gpu nodes - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi - gpio: tegra: mask GPIO IRQs during IRQ shutdown - ALSA: usb-audio: add mapping for ASRock TRX40 Creator - net: microchip: encx24j600: add missed kthread_stop - gfs2: move privileged user check to gfs2_quota_lock_check - gfs2: Grab glock reference sooner in gfs2_add_revoke - drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate - drm/amd/powerplay: perform PG ungate prior to CG ungate - drm/amdgpu: Use GEM obj reference for KFD BOs - cachefiles: Fix race between read_waiter and read_copier involving op->to_do - usb: dwc3: pci: Enable extcon driver for Intel Merrifield - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' - usb: gadget: legacy: fix redundant initialization warnings - net: freescale: select CONFIG_FIXED_PHY where needed - IB/i40iw: Remove bogus
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Great, many thx for the verification!
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
--- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT--- Thanks !! This is exactly what I needed. I am now able to boot the signed kernel both in "secure and trusted enabled" and "only secure enabled" case. The earlier patch was missing the fix for "only secure enabled" case. This patch took care of both. It works fine and here are the test results: 1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled. 2. With trusted boot disabled, here is the IMA rules: ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/ compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist 2. With both secure and trusted boot enabled, here how the IMA rules looks like: ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/ compatible hw-key-hash hw-key-hash-size ibm,cvc name os-secureboot-enforcing phandle secure-enabled trusted-enabled ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy [sudo] password for ubuntu: measure func=KEXEC_KERNEL_CHECK template=ima-modsig measure func=MODULE_CHECK template=ima-modsig appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policies #ifdef are dependent. ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic CONFIG_MODULE_SIG_FORMAT=y CONFIG_MODULE_SIG=y # CONFIG_MODULE_SIG_FORCE is not set CONFIG_MODULE_SIG_ALL=y # CONFIG_MODULE_SIG_SHA1 is not set # CONFIG_MODULE_SIG_SHA224 is not set # CONFIG_MODULE_SIG_SHA256 is not set # CONFIG_MODULE_SIG_SHA384 is not set CONFIG_MODULE_SIG_SHA512=y CONFIG_MODULE_SIG_HASH="sha512" CONFIG_MODULE_SIG_KEY="certs/signing_key.pem" Thanks & Regards, - Nayna ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1877955 Title: Fix for secure boot rules in IMA arch policy on powerpc Status in The Ubuntu-power-systems project: Fix Committed Status in linux package in Ubuntu: In Progress Status in linux source package in Focal: Fix Committed Status in linux source package in Groovy: In Progress Bug description: SRU Justification: == [Impact] * Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA. * To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled. * But this doesn't take the ability into account of enabling "sig_enforce" at the boot command line (module.sig_enforce=1). * Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring. * This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead. [Fix] * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" [Test Case] * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command. * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place. * The verification needs to be done by the IBM Power team. [Regression Potential] * There is (always) a certain regression risk with having code changes, especially in the secure boot area. * But this patch is limited to the powerpc platform and will not affect any other architecture. * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com before it became finally upstream accepted with kernel 5.7-rc7. * The secure boot code itself wasn't really touched, rather than it's basis for execution. The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). Hence the change is very limited and straightforward. [Other] * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only. __ == Comment: #0 - Michael Ranweiler - 2020-04-22 14:44:31 == +++ This bug was initially created as a clone of Bug #184073 +++ This bug is a follow on to LP 1866909 to address a missing piece - only half the following patch was included in 5.4.0-24.28. The upstream patch has an additional fix but it?s not critical for GA. It can get included as part of bug fixes. It also affects only power. The
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
So in general the key should be part of the firmware, in case of a standard IBM
Power system, that is shipped to customers with secureboot support,
A kernel from proposed is part of the official Ubuntu archive and with that
signed with the standard production key. But that might be different in case a
development system is in use or so ...
Anyway, the key can also be found at the Ubuntu archive pages:
here:
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz
or the link for proposed:
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/current/signed.tar.gz
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Hi,
Each signed object is published on in the repository under
/$suite/main/signed/$src-$arch. I.e. the linux in focal proposed signed
artefacts can be found at:
http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/
I.e. http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-
ppc64el/5.4.0-38.42/signed.tar.gz
inside that tarball, there should be $version/control/opal.x509 public
certificate that is used for signing.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Hi, since 'proposed' belongs to the official archives
(archive.ubuntu.com/ubuntu) and packages from proposed are just located in a
special area there (we call it the proposed 'pocket'), kernels and other
packages from there that are signed, are signed with the standard and common
key.
Only a signed kernel that comes from a non-standard archive (like a PPA) is
signed with a different key, hence requires and additional key file.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
focal' to 'verification-done-focal'. If the problem still exists, change
the tag 'verification-needed-focal' to 'verification-failed-focal'.
If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.
See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!
** Tags added: verification-needed-focal
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: ubuntu-power-systems
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: linux (Ubuntu Focal)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
In Progress
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Also affects: linux (Ubuntu Groovy)
Importance: Undecided
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Status: In Progress
** Also affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Focal)
Status: New => In Progress
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
In Progress
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Focal:
In Progress
Status in linux source package in Groovy:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Kernel SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#110532
Updating status to 'In Progress'.
** Changed in: linux (Ubuntu)
Status: Triaged => In Progress
** Changed in: ubuntu-power-systems
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
In Progress
Status in linux package in Ubuntu:
In Progress
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
SRU stands for "Stable Release Update" and describes the process that is
needed to get a patch (or patches) to fix critical issues into
components that are part of an Ubuntu version that is already released
(post GA).
The process for packages (https://wiki.ubuntu.com/StableReleaseUpdates)
is slightly different compared to the SRU process for the kernel:
https://wiki.ubuntu.com/KernelTeam/KernelUpdates
But there is also such a 'stable release update' process in use upstream
at kernel.org.
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Triaged
Status in linux package in Ubuntu:
Triaged
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall will fail (unless the module signing public key got loaded
onto the IMA keyring) without having the patch in place.
* The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code
changes, especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not
affect any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Description changed:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not
enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with 'module.sig_enforce=1'
set at the boot command.
* If the IMA module appraise rule is included, the finit_module syscall
will fail (unless the module signing public key got loaded onto the IMA
keyring) without having the patch in place.
- * The verificatiob needs to be done by the IBM Power team.
+ * The verification needs to be done by the IBM Power team.
[Regression Potential]
* There is (always) a certain regression risk with having code changes,
especially in the secure boot area.
* But this patch is limited to the powerpc platform and will not affect
any other architecture.
* It got discussed at
https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com
- before it became finally upstream accepted with kernel 5.7-rc7.
+ before it became finally upstream accepted with kernel 5.7-rc7.
* The secure boot code itself wasn't really touched, rather than it's basis
for execution.
- The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
- Hence the change is very limited and straightforward.
+ The IMA policy rule for module appraisal is now added only if
'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE).
+ Hence the change is very limited and straightforward.
[Other]
* Since the patch got upstream with 5.7-rc7, it is already in groovy, hence
this SRU is for focal only.
__
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece - only
half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will get
opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
** Changed in: linux (Ubuntu)
Status: Incomplete => Triaged
** Changed in: ubuntu-power-systems
Status: Incomplete => Triaged
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Triaged
Status in linux package in Ubuntu:
Triaged
Bug description:
SRU Justification:
==
[Impact]
* Currently the kernel module appended signature is verified twice
(finit_module) - once by the module_sig_check() and again by IMA.
* To prevent this the powerpc secure boot rules define an IMA
architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is
not enabled.
* But this doesn't take the ability into account of enabling
"sig_enforce" at the boot command line (module.sig_enforce=1).
* Including the IMA module appraise rule results in failing the
finit_module syscall, unless the module signing public key is loaded
onto the IMA keyring.
* This patch fixes secure boot policy rules to be based on
CONFIG_MODULE_SIG instead.
[Fix]
* fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
Fix secure boot rules in ima arch policy"
[Test Case]
* Perform a secure boot on a powerpc system with
'module.sig_enforce=1' set at the boot command.
* If the IMA module appraise rule is included, the finit_module
syscall
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Description changed:
+ SRU Justification:
+ ==
+
+ [Impact]
+
+ * A qeth device on a DPM-managed (HMC) IBM Z machine does not obtain its
+ MAC address for layer2 OSD interfaces from the OSA Network Adapter,
+ instead it uses a random MAC address.
+
+ * This can cause connectivity issues in environments where reliable and
+ pre-determined MAC addresses are required, ie. when doing network
+ configuration based on DHCP.
+
+ [Fix]
+
+ * Backport 1: https://launchpadlibrarian.net/481647649/0001-s390-qeth-
+ improve-fallback-to-random-MAC-address.patch
+
+ * Backport 2: https://launchpadlibrarian.net/481647657/0002-s390-qeth-
+ utilize-virtual-MAC-for-Layer2-OSD-devices.patch
+
+ [Test Case]
+
+ * Bring up a qeth L2 OSD interface in DPM-managed (HMC) LPAR
+
+ * Inspect the interface's MAC address. It should be the same as
+ displayed in the HMC DPM panels.
+
+ * Due to the fact that a system is needed where the HMC is in DPM moce
+ (rather than in classic mode) this needs to be tested by IBM.
+
+ [Regression Potential]
+
+ * There is a certain risk for a regression, since OSA devices are the
+ standard netweork devices on s390x.
+
+ * But static network configurations are still more popular for the
+ usually long running workload on s390x and not dynamic assignments.
+
+ * On the other hand qeth devices are s390x only, so this will at least
+ not affect common code or code for other architectures.
+
+ * The modifications are limited to drivers/s390/net/qeth_*.
+
+ * The patches are upstream since quite a while, which speaks for their
+ stability.
+
+ [Other Info]
+
+ * The upstream patch 21b1702af12e "s390/qeth: improve fallback to random
+ MAC address" got upstream accepted with 4.18, hence is already in all
+ Ubuntu release that are newer than bionic
+
+ * And the upstream patch b144b99fff69 "s390/qeth: utilize virtual MAC
+ for Layer2 OSD devices" got upstream accepted with 5.0, hence is also
+ already in all Ubuntu release that are newer than bionic.
+
+ __
+
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece - only
half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will get
opened as separate issue to be addressed later.
Thanks & Regards,
-- Nayna
+ - Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
** Description changed:
SRU Justification:
==
[Impact]
- * A qeth device on a DPM-managed (HMC) IBM Z machine does not obtain its
- MAC address for layer2 OSD interfaces from the OSA Network Adapter,
- instead it uses a random MAC address.
+ * Currently the kernel module appended signature is verified twice
+ (finit_module) - once by the module_sig_check() and again by IMA.
- * This can cause connectivity issues in environments where reliable and
- pre-determined MAC addresses are required, ie. when doing network
- configuration based on DHCP.
+ * To prevent this the powerpc secure boot rules define an IMA
+ architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not
+ enabled.
+
+ * But this doesn't take the ability into account of enabling
+ "sig_enforce" at the boot command line (module.sig_enforce=1).
+
+ * Including the IMA module appraise rule results in failing the
+ finit_module syscall, unless the module signing public key is loaded
+ onto the IMA keyring.
+
+ * This patch fixes secure boot policy rules to be based on
+ CONFIG_MODULE_SIG instead.
[Fix]
- * Backport 1: https://launchpadlibrarian.net/481647649/0001-s390-qeth-
- improve-fallback-to-random-MAC-address.patch
-
- * Backport 2: https://launchpadlibrarian.net/481647657/0002-s390-qeth-
- utilize-virtual-MAC-for-Layer2-OSD-devices.patch
+ * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima:
+ Fix secure boot rules in ima arch policy"
[Test Case]
- * Bring up a qeth L2 OSD interface in DPM-managed (HMC) LPAR
+ * Perform a secure boot on a powerpc system with 'module.sig_enforce=1'
+ set at the boot command.
- * Inspect the interface's MAC address. It should be the same as
- displayed in the HMC DPM panels.
+ * If the IMA module appraise rule is included, the finit_module syscall
+ will fail (unless the module signing public key got loaded onto the IMA
+
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
I had another look at the entire thread at lore.kernel.org:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-email-na...@linux.ibm.com/T/#u
and think patch
"powerpc/ima: Fix secure boot rules in ima arch policy"
is the one that fixes 'powerpc/ima: fix secure boot rules in ima arch policy'.
I looked it up in linux-next and found it:
$ git log --oneline --grep "powerpc/ima: Fix secure boot rules in ima arch
policy"
fa4f3f56ccd2 powerpc/ima: Fix secure boot rules in ima arch policy
$ git tag --contains fa4f3f56ccd2
next-20200514
next-20200515
next-20200518
next-20200526
v5.7-rc6
v5.7-rc7
So, looks like it got recently upstream accepted.
If you can confirm that fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules
in ima arch policy" is the correct patch that need to be SRUed, I'll
submit it for the next SRU cycle (with last for for commit June 3rd).
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Incomplete
Status in linux package in Ubuntu:
Incomplete
Bug description:
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Thx for creating this separate bug.
I just need to set it to Incomplete until the patch got upstream accepted and
is available for example from 'linux-next' (which is not yet the case, but
probably soon).
In preparation for the SRU process I changed the bug title.
** Summary changed:
- Followon for Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot
+ Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: linux (Ubuntu)
Status: New => Incomplete
** Changed in: ubuntu-power-systems
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955
Title:
Fix for secure boot rules in IMA arch policy on powerpc
Status in The Ubuntu-power-systems project:
Incomplete
Status in linux package in Ubuntu:
Incomplete
Bug description:
== Comment: #0 - Michael Ranweiler - 2020-04-22
14:44:31 ==
+++ This bug was initially created as a clone of Bug #184073 +++
This bug is a follow on to LP 1866909 to address a missing piece -
only half the following patch was included in 5.4.0-24.28.
The upstream patch has an additional fix but it?s not critical for GA.
It can get included as part of bug fixes. It also affects only power.
The patch("powerpc/ima: fix secure boot rules in ima arch policy") is
posted to linux-integrity and linuxppc-dev mailing list
(https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-
email-na...@linux.ibm.com/T/#u)
If there are any issues identified during further testing, they will
get opened as separate issue to be addressed later.
Thanks & Regards,
- Nayna
== Comment: #4 - Michael Ranweiler - 2020-05-11
02:23:35 ==
Updated posting:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-
email-na...@linux.ibm.com/T/#u
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
