[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: ubuntu-power-systems
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Fix Released

Bug description:
  SRU Justification:
  ==

  [Impact]

  * Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA.
  * To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled.
  * But this doesn't take the ability into account of enabling "sig_enforce" at the boot command line (module.sig_enforce=1).
  * Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring.
  * This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead.

  [Fix]

  * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy"

  [Test Case]

  * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command.
  * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place.
  * The verification needs to be done by the IBM Power team.

  [Regression Potential]

  * There is (always) a certain regression risk with having code changes, especially in the secure boot area.
  * But this patch is limited to the powerpc platform and will not affect any other architecture.
  * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com before it became finally upstream accepted with kernel 5.7-rc7.
  * The secure boot code itself wasn't really touched, rather than its basis for execution. The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). Hence the change is very limited and straightforward.

  [Other]

  * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only.

  __

  == Comment: #0 - Michael Ranweiler - 2020-04-22 14:44:31 ==

  +++ This bug was initially created as a clone of Bug #184073 +++

  This bug is a follow on to LP 1866909 to address a missing piece - only half the following patch was included in 5.4.0-24.28.

  The upstream patch has an additional fix but it's not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch ("powerpc/ima: fix secure boot rules in ima arch policy") is posted to linux-integrity and linuxppc-dev mailing list (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send-email-na...@linux.ibm.com/T/#u)

  If there are any issues identified during further testing, they will get opened as separate issue to be addressed later.

  Thanks & Regards,
  - Nayna

  == Comment: #4 - Michael Ranweiler - 2020-05-11 02:23:35 ==

  Updated posting:
  https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-email-na...@linux.ibm.com/T/#u

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1877955/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug was fixed in the package linux - 5.4.0-42.46

---
linux (5.4.0-42.46) focal; urgency=medium

  * focal/linux: 5.4.0-42.46 -proposed tracker (LP: #1887069)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
    - SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.4.0-41.45) focal; urgency=medium

  * focal/linux: 5.4.0-41.45 -proposed tracker (LP: #1885855)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2019-19642
    - kernel/relay.c: handle alloc_percpu returning NULL in relay_open

  * CVE-2019-16089
    - SAUCE: nbd_genl_status: null check for nla_nest_start

  * CVE-2020-11935
    - aufs: do not call i_readcount_inc()

  * ip_defrag.sh in net from ubuntu_kernel_selftests failed with 5.0 / 5.3 / 5.4 kernel (LP: #1826848)
    - selftests: net: ip_defrag: ignore EPERM

  * Update lockdown patches (LP: #1884159)
    - SAUCE: acpi: disallow loading configfs acpi tables when locked down

  * seccomp_bpf fails on powerpc (LP: #1885757)
    - SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * Introduce the new NVIDIA 418-server and 440-server series, and update the current NVIDIA drivers (LP: #1881137)
    - [packaging] add signed modules for the 418-server and the 440-server flavours

 -- Khalid Elmously  Thu, 09 Jul 2020 19:50:26 -0400

** Changed in: linux (Ubuntu Groovy)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-16089

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19642

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-11935
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug was fixed in the package linux - 5.4.0-40.44

---
linux (5.4.0-40.44) focal; urgency=medium

  * linux-oem-5.6-tools-common and -tools-host should be dropped (LP: #1881120)
    - [Packaging] Add Conflicts/Replaces to remove linux-oem-5.6-tools-common and -tools-host

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * Slow send speed with Intel I219-V on Ubuntu 18.04.1 (LP: #1802691)
    - e1000e: Disable TSO for buffer overrun workaround

  * CVE-2020-0543
    - UBUNTU/SAUCE: x86/speculation/srbds: do not try to turn mitigation off when not supported

  * Realtek 8723DE [10ec:d723] subsystem [10ec:d738] disconnects unsolicitedly when Bluetooth is paired: Reason: 23=IEEE8021X_FAILED (LP: #1878147)
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: Move driver IQK to set channel before association for 11N chip"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: fix rate for a while after being connected"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: No retry and report for auth and assoc"
    - SAUCE: Revert "UBUNTU: SAUCE: rtw88: 8723d: Add coex support"
    - rtw88: add a debugfs entry to dump coex's info
    - rtw88: add a debugfs entry to enable/disable coex mechanism
    - rtw88: 8723d: Add coex support
    - SAUCE: rtw88: coex: 8723d: set antanna control owner
    - SAUCE: rtw88: coex: 8723d: handle BT inquiry cases
    - SAUCE: rtw88: fix EAPOL 4-way failure by finish IQK earlier

  * CPU stress test fails with focal kernel (LP: #1867900)
    - [Config] Disable hisi_sec2 temporarily

  * Enforce all config annotations (LP: #1879327)
    - [Config]: do not enforce CONFIG_VERSION_SIGNATURE
    - [Config]: prepare to enforce all
    - [Config]: enforce all config options

  * Focal update: v5.4.44 upstream stable release (LP: #1881927)
    - ax25: fix setsockopt(SO_BINDTODEVICE)
    - dpaa_eth: fix usage as DSA master, try 3
    - net: don't return invalid table id error when we fall back to PF_UNSPEC
    - net: dsa: mt7530: fix roaming from DSA user ports
    - net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend
    - __netif_receive_skb_core: pass skb by reference
    - net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
    - net: ipip: fix wrong address family in init error path
    - net/mlx5: Add command entry handling completion
    - net: mvpp2: fix RX hashing for non-10G ports
    - net: nlmsg_cancel() if put fails for nhmsg
    - net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
    - net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
    - net sched: fix reporting the first-time use timestamp
    - net/tls: fix race condition causing kernel panic
    - nexthop: Fix attribute checking for groups
    - r8152: support additional Microsoft Surface Ethernet Adapter variant
    - sctp: Don't add the shutdown timer if its already been added
    - sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
    - tipc: block BH before using dst_cache
    - net/mlx5e: kTLS, Destroy key object after destroying the TIS
    - net/mlx5e: Fix inner tirs handling
    - net/mlx5: Fix memory leak in mlx5_events_init
    - net/mlx5e: Update netdev txq on completions during closure
    - net/mlx5: Fix error flow in case of function_setup failure
    - net/mlx5: Annotate mutex destroy for root ns
    - net/tls: fix encryption error checking
    - net/tls: free record only on encryption error
    - net: sun: fix missing release regions in cas_init_one().
    - net/mlx4_core: fix a memory leak bug.
    - mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
    - ARM: dts: rockchip: fix phy nodename for rk3228-evb
    - ARM: dts: rockchip: fix phy nodename for rk3229-xms6
    - arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
    - arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
    - ARM: dts: rockchip: swap clock-names of gpu nodes
    - ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
    - gpio: tegra: mask GPIO IRQs during IRQ shutdown
    - ALSA: usb-audio: add mapping for ASRock TRX40 Creator
    - net: microchip: encx24j600: add missed kthread_stop
    - gfs2: move privileged user check to gfs2_quota_lock_check
    - gfs2: Grab glock reference sooner in gfs2_add_revoke
    - drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate
    - drm/amd/powerplay: perform PG ungate prior to CG ungate
    - drm/amdgpu: Use GEM obj reference for KFD BOs
    - cachefiles: Fix race between read_waiter and read_copier involving op->to_do
    - usb: dwc3: pci: Enable extcon driver for Intel Merrifield
    - usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()'
    - usb: gadget: legacy: fix redundant initialization warnings
    - net: freescale: select CONFIG_FIXED_PHY where needed
    - IB/i40iw: Remo
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Great, many thx for the verification!
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
--- Comment From naynj...@ibm.com 2020-06-17 11:42 EDT---
Thanks !! This is exactly what I needed. I am now able to boot the signed kernel both in "secure and trusted enabled" and "only secure enabled" case. The earlier patch was missing the fix for "only secure enabled" case. This patch took care of both.

It works fine and here are the test results:

1. Kernel booted fine both with secure boot enabled/disabled and only "secure boot" enabled.

2. With trusted boot disabled, here are the IMA rules:

    ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
    compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled

    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

3. With both secure and trusted boot enabled, here is how the IMA rules look:

    ubuntu@ltc-wspoon13:~$ ls /proc/device-tree/ibm,secureboot/
    compatible  hw-key-hash  hw-key-hash-size  ibm,cvc  name  os-secureboot-enforcing  phandle  secure-enabled  trusted-enabled

    ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/ima/policy
    [sudo] password for ubuntu:
    measure func=KEXEC_KERNEL_CHECK template=ima-modsig
    measure func=MODULE_CHECK template=ima-modsig
    appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist

And the config file has CONFIG_MODULE_SIG enabled, on which the powerpc IMA arch policies #ifdef are dependent.

    ubuntu@ltc-wspoon13:~$ grep -i MODULE_SIG /boot/config-5.4.0-38-generic
    CONFIG_MODULE_SIG_FORMAT=y
    CONFIG_MODULE_SIG=y
    # CONFIG_MODULE_SIG_FORCE is not set
    CONFIG_MODULE_SIG_ALL=y
    # CONFIG_MODULE_SIG_SHA1 is not set
    # CONFIG_MODULE_SIG_SHA224 is not set
    # CONFIG_MODULE_SIG_SHA256 is not set
    # CONFIG_MODULE_SIG_SHA384 is not set
    CONFIG_MODULE_SIG_SHA512=y
    CONFIG_MODULE_SIG_HASH="sha512"
    CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks & Regards,
- Nayna

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
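Added example (not part of the bug report, the verification comment or the kernel patch): a shell check that automates the verification above by comparing a loaded IMA policy against the rule set this thread describes for the fixed powerpc arch policy. The function names are hypothetical, the sample files are constructed from the output quoted above, and the check assumes that secure/trusted state can be read from the presence of secure-enabled and trusted-enabled under ibm,secureboot and that no other IMA policy has been loaded.

```shell
#!/bin/sh
# Added example, not from the bug report or the kernel patch.

# Reduce a policy file to sorted "action:func" pairs, ignoring rule options.
policy_summary() {  # $1 = policy file (reading the securityfs file needs root)
    awk '$1 == "measure" || $1 == "appraise" {
             for (i = 2; i <= NF; i++)
                 if ($i ~ /^func=/) print $1 ":" substr($i, 6)
         }' "$1" | sort -u
}

config_enabled() {  # $1 = kernel config file, $2 = option name
    grep -q "^$2=y\$" "$1"
}

# Rule set expected after the fix on a secure-boot system.
expected_summary() {  # $1 = ibm,secureboot directory, $2 = kernel config file
    {
        echo "appraise:KEXEC_KERNEL_CHECK"
        # With CONFIG_MODULE_SIG=y, module checking is left to module_sig_check().
        config_enabled "$2" CONFIG_MODULE_SIG || echo "appraise:MODULE_CHECK"
        if [ -e "$1/trusted-enabled" ]; then
            echo "measure:KEXEC_KERNEL_CHECK"
            echo "measure:MODULE_CHECK"
        fi
    } | sort -u
}

# Prints one verdict line; returns 0 only when the policy matches.
check_ima_arch_policy() {  # $1 = secureboot dir, $2 = config, $3 = policy file
    if [ ! -e "$1/secure-enabled" ]; then
        echo "SKIP: secure boot not enabled, case not covered by the thread"
        return 2
    fi
    actual=$(policy_summary "$3")
    expected=$(expected_summary "$1" "$2")
    # The pre-fix symptom: IMA appraises modules although CONFIG_MODULE_SIG=y,
    # so finit_module fails unless the signing key is on the IMA keyring.
    if config_enabled "$2" CONFIG_MODULE_SIG &&
       printf '%s\n' "$actual" | grep -qx "appraise:MODULE_CHECK"; then
        echo "FAIL: appraise func=MODULE_CHECK present with CONFIG_MODULE_SIG=y"
        return 1
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: policy matches the expected arch rules"
        return 0
    fi
    echo "FAIL: policy differs from the expected arch rules"
    return 1
}

# Constructed sample inputs modelled on the test output quoted in the thread.
make_samples() {  # $1 = directory to populate
    mkdir -p "$1/dt-secure" "$1/dt-both"
    : > "$1/dt-secure/secure-enabled"
    : > "$1/dt-both/secure-enabled"
    : > "$1/dt-both/trusted-enabled"
    printf '%s\n' 'CONFIG_MODULE_SIG=y' \
        '# CONFIG_MODULE_SIG_FORCE is not set' > "$1/config"
    cat > "$1/policy-secure" <<'EOF'
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
EOF
    cat > "$1/policy-both" <<'EOF'
measure func=KEXEC_KERNEL_CHECK template=ima-modsig
measure func=MODULE_CHECK template=ima-modsig
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
EOF
    # Constructed pre-fix shape: module appraise rule despite CONFIG_MODULE_SIG=y.
    cat > "$1/policy-prefix" <<'EOF'
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
appraise func=MODULE_CHECK appraise_type=imasig|modsig appraise_flag=check_blacklist
EOF
}

# On a real system (as root):
#   check_ima_arch_policy /proc/device-tree/ibm,secureboot \
#       "/boot/config-$(uname -r)" /sys/kernel/security/ima/policy
tmp=$(mktemp -d)
make_samples "$tmp"
check_ima_arch_policy "$tmp/dt-secure" "$tmp/config" "$tmp/policy-secure"
check_ima_arch_policy "$tmp/dt-both" "$tmp/config" "$tmp/policy-both"
check_ima_arch_policy "$tmp/dt-secure" "$tmp/config" "$tmp/policy-prefix" || true
rm -rf "$tmp"
```
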
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
So in general the key should be part of the firmware, in case of a standard IBM Power system, that is shipped to customers with secureboot support. A kernel from proposed is part of the official Ubuntu archive and with that signed with the standard production key. But that might be different in case a development system is in use or so ...

Anyway, the key can also be found at the Ubuntu archive pages, here:
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal/main/signed/linux-ppc64el/current/signed.tar.gz

or the link for proposed:
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/
http://ports.ubuntu.com/ubuntu-ports/dists/focal-proposed/main/signed/linux-ppc64el/current/signed.tar.gz
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Hi,

Each signed object is published in the repository under /$suite/main/signed/$src-$arch.

I.e. the linux in focal proposed signed artefacts can be found at:
http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/

I.e.
http://ports.ubuntu.com/dists/focal-proposed/main/signed/linux-ppc64el/5.4.0-38.42/signed.tar.gz

Inside that tarball, there should be $version/control/opal.x509 public certificate that is used for signing.
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Hi, since 'proposed' belongs to the official archives (archive.ubuntu.com/ubuntu) and packages from proposed are just located in a special area there (we call it the proposed 'pocket'), kernels and other packages from there that are signed, are signed with the standard and common key. Only a signed kernel that comes from a non-standard archive (like a PPA) is signed with a different key, hence requires an additional key file.

Status in The Ubuntu-power-systems project: Fix Committed
Status in linux package in Ubuntu: In Progress
Status in linux source package in Focal: Fix Committed
Status in linux source package in Groovy: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-focal

Status in The Ubuntu-power-systems project: Fix Committed
Status in linux package in Ubuntu: In Progress
Status in linux source package in Focal: Fix Committed
Status in linux source package in Groovy: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: ubuntu-power-systems Status: In Progress => Fix Committed

Status in The Ubuntu-power-systems project: Fix Committed
Status in linux package in Ubuntu: In Progress
Status in linux source package in Focal: Fix Committed
Status in linux source package in Groovy: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Changed in: linux (Ubuntu Focal) Status: In Progress => Fix Committed

Status in The Ubuntu-power-systems project: In Progress
Status in linux package in Ubuntu: In Progress
Status in linux source package in Focal: Fix Committed
Status in linux source package in Groovy: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Also affects: linux (Ubuntu Groovy) Importance: Undecided Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) Status: In Progress
** Also affects: linux (Ubuntu Focal) Importance: Undecided Status: New
** Changed in: linux (Ubuntu Focal) Status: New => In Progress

Status in The Ubuntu-power-systems project: In Progress
Status in linux package in Ubuntu: In Progress
Status in linux source package in Focal: In Progress
Status in linux source package in Groovy: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Kernel SRU request submitted: https://lists.ubuntu.com/archives/kernel-team/2020-May/thread.html#110532 Updating status to 'In Progress'.

** Changed in: linux (Ubuntu) Status: Triaged => In Progress
** Changed in: ubuntu-power-systems Status: Triaged => In Progress

Status in The Ubuntu-power-systems project: In Progress
Status in linux package in Ubuntu: In Progress
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
SRU stands for "Stable Release Update" and describes the process that is needed to get a patch (or patches) to fix critical issues into components that are part of an Ubuntu version that is already released (post GA). The process for packages (https://wiki.ubuntu.com/StableReleaseUpdates) is slightly different compared to the SRU process for the kernel: https://wiki.ubuntu.com/KernelTeam/KernelUpdates But there is also such a 'stable release update' process in use upstream at kernel.org.

Status in The Ubuntu-power-systems project: Triaged
Status in linux package in Ubuntu: Triaged
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Description changed: SRU Justification: == [Impact] * Currently the kernel module appended signature is verified twice (finit_module) - once by the module_sig_check() and again by IMA. * To prevent this the powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled. * But this doesn't take the ability into account of enabling "sig_enforce" at the boot command line (module.sig_enforce=1). * Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring. * This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead. [Fix] * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" [Test Case] * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' set at the boot command. * If the IMA module appraise rule is included, the finit_module syscall will fail (unless the module signing public key got loaded onto the IMA keyring) without having the patch in place. - * The verificatiob needs to be done by the IBM Power team. + * The verification needs to be done by the IBM Power team. [Regression Potential] * There is (always) a certain regression risk with having code changes, especially in the secure boot area. * But this patch is limited to the powerpc platform and will not affect any other architecture. * It got discussed at https://lore.kernel.org/r/1588342612-14532-1-git-send-email-na...@linux.ibm.com - before it became finally upstream accepted with kernel 5.7-rc7. + before it became finally upstream accepted with kernel 5.7-rc7. * The secure boot code itself wasn't really touched, rather than it's basis for execution. - The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). - Hence the change is very limited and straightforward. 
+ The IMA policy rule for module appraisal is now added only if 'CONFIG_MODULE_SIG' is not enabled (instead of CONFIG_MODULE_SIG_FORCE). + Hence the change is very limited and straightforward. [Other] * Since the patch got upstream with 5.7-rc7, it is already in groovy, hence this SRU is for focal only. __ == Comment: #0 - Michael Ranweiler - 2020-04-22 14:44:31 == +++ This bug was initially created as a clone of Bug #184073 +++ This bug is a follow on to LP 1866909 to address a missing piece - only half the following patch was included in 5.4.0-24.28. The upstream patch has an additional fix but it?s not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch("powerpc/ima: fix secure boot rules in ima arch policy") is posted to linux-integrity and linuxppc-dev mailing list (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send- email-na...@linux.ibm.com/T/#u) If there are any issues identified during further testing, they will get opened as separate issue to be addressed later. Thanks & Regards, - Nayna == Comment: #4 - Michael Ranweiler - 2020-05-11 02:23:35 == Updated posting: https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send- email-na...@linux.ibm.com/T/#u

** Changed in: linux (Ubuntu) Status: Incomplete => Triaged
** Changed in: ubuntu-power-systems Status: Incomplete => Triaged

Status in The Ubuntu-power-systems project: Triaged
Status in linux package in Ubuntu: Triaged
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
** Description changed: + SRU Justification: + == + + [Impact] + + * A qeth device on a DPM-managed (HMC) IBM Z machine does not obtain its + MAC address for layer2 OSD interfaces from the OSA Network Adapter, + instead it uses a random MAC address. + + * This can cause connectivity issues in environments where reliable and + pre-determined MAC addresses are required, ie. when doing network + configuration based on DHCP. + + [Fix] + + * Backport 1: https://launchpadlibrarian.net/481647649/0001-s390-qeth- + improve-fallback-to-random-MAC-address.patch + + * Backport 2: https://launchpadlibrarian.net/481647657/0002-s390-qeth- + utilize-virtual-MAC-for-Layer2-OSD-devices.patch + + [Test Case] + + * Bring up a qeth L2 OSD interface in DPM-managed (HMC) LPAR + + * Inspect the interface's MAC address. It should be the same as + displayed in the HMC DPM panels. + + * Due to the fact that a system is needed where the HMC is in DPM moce + (rather than in classic mode) this needs to be tested by IBM. + + [Regression Potential] + + * There is a certain risk for a regression, since OSA devices are the + standard netweork devices on s390x. + + * But static network configurations are still more popular for the + usually long running workload on s390x and not dynamic assignments. + + * On the other hand qeth devices are s390x only, so this will at least + not affect common code or code for other architectures. + + * The modifications are limited to drivers/s390/net/qeth_*. + + * The patches are upstream since quite a while, which speaks for their + stability. + + [Other Info] + + * The upstream patch 21b1702af12e "s390/qeth: improve fallback to random + MAC address" got upstream accepted with 4.18, hence is already in all + Ubuntu release that are newer than bionic + + * And the upstream patch b144b99fff69 "s390/qeth: utilize virtual MAC + for Layer2 OSD devices" got upstream accepted with 5.0, hence is also + already in all Ubuntu release that are newer than bionic. 
+ + __ + == Comment: #0 - Michael Ranweiler - 2020-04-22 14:44:31 == +++ This bug was initially created as a clone of Bug #184073 +++ This bug is a follow on to LP 1866909 to address a missing piece - only half the following patch was included in 5.4.0-24.28. The upstream patch has an additional fix but it?s not critical for GA. It can get included as part of bug fixes. It also affects only power. The patch("powerpc/ima: fix secure boot rules in ima arch policy") is posted to linux-integrity and linuxppc-dev mailing list (https://lore.kernel.org/linux-integrity/1586549618-6106-1-git-send- email-na...@linux.ibm.com/T/#u) If there are any issues identified during further testing, they will get opened as separate issue to be addressed later. Thanks & Regards, -- Nayna + - Nayna == Comment: #4 - Michael Ranweiler - 2020-05-11 02:23:35 == Updated posting: https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send- email-na...@linux.ibm.com/T/#u ** Description changed: SRU Justification: == [Impact] - * A qeth device on a DPM-managed (HMC) IBM Z machine does not obtain its - MAC address for layer2 OSD interfaces from the OSA Network Adapter, - instead it uses a random MAC address. + * Currently the kernel module appended signature is verified twice + (finit_module) - once by the module_sig_check() and again by IMA. - * This can cause connectivity issues in environments where reliable and - pre-determined MAC addresses are required, ie. when doing network - configuration based on DHCP. + * To prevent this the powerpc secure boot rules define an IMA + architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not + enabled. + + * But this doesn't take the ability into account of enabling + "sig_enforce" at the boot command line (module.sig_enforce=1). + + * Including the IMA module appraise rule results in failing the + finit_module syscall, unless the module signing public key is loaded + onto the IMA keyring. 
+ + * This patch fixes secure boot policy rules to be based on + CONFIG_MODULE_SIG instead. [Fix] - * Backport 1: https://launchpadlibrarian.net/481647649/0001-s390-qeth- - improve-fallback-to-random-MAC-address.patch - - * Backport 2: https://launchpadlibrarian.net/481647657/0002-s390-qeth- - utilize-virtual-MAC-for-Layer2-OSD-devices.patch + * fa4f3f56ccd28ac031ab275e673ed4098855fed4 fa4f3f56ccd2 "powerpc/ima: + Fix secure boot rules in ima arch policy" [Test Case] - * Bring up a qeth L2 OSD interface in DPM-managed (HMC) LPAR + * Perform a secure boot on a powerpc system with 'module.sig_enforce=1' + set at the boot command. - * Inspect the interface's MAC address. It should be the same as - displayed in the HMC DPM panels. + * If the IMA module appraise rule is included, the finit_module syscall + will fail (unless the module signing public key got loaded onto the IMA + keyr
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
I had another look at the entire thread at lore.kernel.org:
https://lore.kernel.org/linux-integrity/1588342612-14532-1-git-send-email-na...@linux.ibm.com/T/#u
and think patch "powerpc/ima: Fix secure boot rules in ima arch policy" is the one that fixes 'powerpc/ima: fix secure boot rules in ima arch policy'.

I looked it up in linux-next and found it:

$ git log --oneline --grep "powerpc/ima: Fix secure boot rules in ima arch policy"
fa4f3f56ccd2 powerpc/ima: Fix secure boot rules in ima arch policy
$ git tag --contains fa4f3f56ccd2
next-20200514
next-20200515
next-20200518
next-20200526
v5.7-rc6
v5.7-rc7

So, looks like it got recently upstream accepted.

If you can confirm that fa4f3f56ccd2 "powerpc/ima: Fix secure boot rules in ima arch policy" is the correct patch that needs to be SRUed, I'll submit it for the next SRU cycle (with last for for commit June 3rd).

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Incomplete
Status in linux package in Ubuntu:
  Incomplete
[Kernel-packages] [Bug 1877955] Re: Fix for secure boot rules in IMA arch policy on powerpc
Thx for creating this separate bug.
I just need to set it to Incomplete until the patch got upstream accepted and is available for example from 'linux-next' (which is not yet the case, but probably soon).
In preparation for the SRU process I changed the bug title.

** Summary changed:

- Followon for Ubuntu Kernel Support for OpenPOWER NV Secure & Trusted Boot
+ Fix for secure boot rules in IMA arch policy on powerpc

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

** Changed in: ubuntu-power-systems
       Status: New => Incomplete

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1877955

Title:
  Fix for secure boot rules in IMA arch policy on powerpc

Status in The Ubuntu-power-systems project:
  Incomplete
Status in linux package in Ubuntu:
  Incomplete
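The combination described in the bug's [Impact] text (module signature enforcement switched on while an IMA appraise rule for modules is also loaded) can be checked from a kernel config, a command line and an IMA policy dump. The following is an added example, not part of the bug report or the kernel patch; the function names, the match on `func=MODULE_CHECK` and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report which signature checks gate module loading, given a
# kernel config, a kernel command line and the loaded IMA policy (as files).

# True if SYMBOL is built in (=y) in the kernel config file.
has_config() { grep -q "^$2=y\$" "$1"; }

# True if module.sig_enforce is switched on in the command line file.
sig_enforce_requested() {
    tr ' ' '\n' < "$1" | grep -Eq '^module\.sig_enforce(=(1|y|Y|on))?$'
}

# True if the IMA policy carries an appraise rule for module loading.
ima_appraises_modules() { grep -Eq '^appraise .*func=MODULE_CHECK' "$1"; }

# Usage: classify CONFIG CMDLINE IMA_POLICY
classify() {
    enforced=no
    if has_config "$1" CONFIG_MODULE_SIG_FORCE; then
        enforced=yes
    elif has_config "$1" CONFIG_MODULE_SIG && sig_enforce_requested "$2"; then
        enforced=yes
    fi
    if ima_appraises_modules "$3"; then ima=yes; else ima=no; fi
    case "$enforced/$ima" in
        yes/yes) echo "double-check" ;;  # finit_module also needs the key on the IMA keyring
        yes/no)  echo "modsig-only" ;;   # module_sig_check() is the single gate
        no/yes)  echo "ima-only" ;;      # IMA appraisal is the single gate
        *)       echo "unenforced" ;;    # neither of the two checks rejects a module
    esac
}

# Constructed sample files: the combination this bug describes.
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_MODULE_SIG=y\n# CONFIG_MODULE_SIG_FORCE is not set\n' > "$tmp/config"
    printf 'root=/dev/sda2 ro module.sig_enforce=1\n' > "$tmp/cmdline"
    printf 'appraise func=MODULE_CHECK appraise_type=imasig|modsig\n' > "$tmp/policy"
    classify "$tmp/config" "$tmp/cmdline" "$tmp/policy"
    rm -rf "$tmp"
}
demo

# Live use (usual Ubuntu paths; reading the IMA policy needs root and a
# kernel that exposes it):
#   classify "/boot/config-$(uname -r)" /proc/cmdline /sys/kernel/security/ima/policy
```

On a running system, /sys/module/module/parameters/sig_enforce shows the effective setting, which can differ from what the command line requested.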