[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
This bug was fixed in the package linux-kvm - 5.13.0-1006.6+22.04.1

---
linux-kvm (5.13.0-1006.6+22.04.1) jammy; urgency=medium

  * jammy/linux-kvm: 5.13.0-1006.6+22.04.1 -proposed tracker (LP: #1949727)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - [Packaging] update update.conf
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  [ Ubuntu: 5.13.0-1006.6 ]

  * impish/linux-kvm: 5.13.0-1006.6 -proposed tracker (LP: #1949728)
  * impish/linux: 5.13.0-22.22 -proposed tracker (LP: #1949740)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)
  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()
  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc
  * CVE-2021-3744 // CVE-2021-3764
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1
  * Fix Screen freeze after resume from suspend with iGPU [1002:6987] (LP: #1949050)
    - drm/amdgpu: reenable BACO support for 699F:C7 polaris12 SKU
    - drm/amdgpu: add missing cleanups for Polaris12 UVD/VCE on suspend
    - drm/amdgpu: Fix crash on device remove/driver unload
  * Intel I225-IT ethernet controller: igc: probe of :02:00.0 failed with error -1 (LP: #1945576)
    - igc: Remove _I_PHY_ID checking
    - igc: Remove phy->type checking
  * Fail to detect audio output from external monitor (LP: #1948767)
    - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors
  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active"
  * rtw89 kernel module for Realtek 8852 wifi is missing (LP: #1945967)
    - rtw89: add Realtek 802.11ax driver
    - rtw89: Remove redundant check of ret after call to rtw89_mac_enable_bb_rf
    - rtw89: fix return value check in rtw89_cam_send_sec_key_cmd()
    - rtw89: remove unneeded semicolon
    - [Config] RTW89=m
  * Impish update: upstream stable patchset 2021-11-03 (LP: #1949636)
    - mm: fix uninitialized use in overcommit_policy_handler
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave
    - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - USB: cdc-acm: fix minor-number release
    - Revert "USB: bcma: Add a check for devm_gpiod_get"
    - binder: make sure fd closes complete
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - usb: dwc3: core: balance phy init and exit
    - usb: core: hcd: Add support for deferring roothub registration
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - erofs: fix up erofs_lookup tracepoint
    - btrfs: prevent __btrfs_dump_space_info() to underflow its free space
    - xhci: Set HCD flag to defer primary roothub registration
    - serial: 8250: 8250_omap: Fix RX_LVL register offset
    - serial: mvebu-uart: fix driver's tx_empty callback
    - scsi: sd_zbc: Ensure buffer size is aligned to SECTOR_SIZE
    - drm/amd/pm: Update intermediate power state for SI
    - net: hso: fix muxed tty registration
    - comedi: Fix memory leak in compat_insnlist()
    - afs: Fix incorrect triggering of sillyrename on 3rd-party invalidation
    - afs: Fix updating of i_blocks on file/dir extension
    - platform/x86/intel: punit_ipc: Drop wrong use of ACPI_PTR()
    - enetc: Fix illegal access when reading affinity_hint
    - enetc: Fix uninitialized struct dim_sample field usage
    - bnxt_en: Fix TX timeout when TX ring size is set to the smallest
    - net: hns3: fix change RSS 'hfunc' ineffective issue
    - net: hns3: check queue id range before using
    - net/smc: add missing error check in smc_clc_prfx_set()
    - net/smc: fix 'workqueue leaked lock' in smc_conn_abort_work
    - net: dsa: don't allocate the slave_mii_bus using devres
    - net: dsa: realtek: register the MDIO bus under devres
    - kselftest/arm64: signal: Add SVE to the set of features we can check for
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
This bug was fixed in the package linux-kvm - 5.13.0-1005.5

---
linux-kvm (5.13.0-1005.5) impish; urgency=medium

  * impish/linux-kvm: 5.13.0-1005.5 -proposed tracker (LP: #1947340)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md

  * When booting with UEFI, mokvar table and %:.platform keyring must be available (LP: #1942319)
    - [Config] Enable Trusted, Platform, Secondary Keyrings

  [ Ubuntu: 5.13.0-21.21 ]

  * impish/linux: 5.13.0-21.21 -proposed tracker (LP: #1947347)
  * It hangs while booting up with AMD W6800 [1002:73A3] (LP: #1945553)
    - drm/amdgpu: Rename flag which prevents HW access
    - drm/amd/pm: Fix a bug communicating with the SMU (v5)
    - drm/amd/pm: Fix a bug in semaphore double-lock
  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check
  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2
  * Check for changes relevant for security certifications (LP: #1945989)
    - [Packaging] Add a new fips-checks script
    - [Packaging] Add fips-checks as part of finalchecks
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * [impish] Remove the downstream xr-usb-uart driver (LP: #1945938)
    - SAUCE: xr-usb-serial: remove driver
    - [Config] update modules list
  * Fix A yellow screen pops up in an instant (< 1 second) and then disappears before loading the system (LP: #1945932)
    - drm/i915: Stop force enabling pipe bottom color gammma/csc
  * Impish update: v5.13.18 upstream stable release (LP: #1946249)
    - Linux 5.13.18
  * Impish update: v5.13.17 upstream stable release (LP: #1946247)
    - locking/mutex: Fix HANDOFF condition
    - regmap: fix the offset of register error log
    - regulator: tps65910: Silence deferred probe error
    - crypto: mxs-dcp - Check for DMA mapping errors
    - sched/deadline: Fix reset_on_fork reporting of DL tasks
    - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors
    - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop()
    - sched/deadline: Fix missing clock update in migrate_task_rq_dl()
    - rcu/tree: Handle VM stoppage in stall detection
    - EDAC/mce_amd: Do not load edac_mce_amd module on guests
    - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns()
    - hrtimer: Ensure timerfd notification for HIGHRES=n
    - udf: Check LVID earlier
    - udf: Fix iocharset=utf8 mount option
    - isofs: joliet: Fix iocharset=utf8 mount option
    - bcache: add proper error unwinding in bcache_device_init
    - nbd: add the check to prevent overflow in __nbd_ioctl()
    - blk-throtl: optimize IOPS throttle for large IO scenarios
    - nvme-tcp: don't update queue count when failing to set io queues
    - nvme-rdma: don't update queue count when failing to set io queues
    - nvmet: pass back cntlid on successful completion
    - power: supply: smb347-charger: Add missing pin control activation
    - power: supply: max17042_battery: fix typo in MAx17042_TOFF
    - s390/cio: add dev_busid sysfs entry for each subchannel
    - s390/zcrypt: fix wrong offset index for APKA master key valid state
    - libata: fix ata_host_start()
    - sched/topology: Skip updating masks for non-online nodes
    - crypto: omap - Fix inconsistent locking of device lists
    - crypto: qat - do not ignore errors from enable_vf2pf_comms()
    - crypto: qat - handle both source of interrupt in VF ISR
    - crypto: qat - fix reuse of completion variable
    - crypto: qat - fix naming for init/shutdown VF to PF notifications
    - crypto: qat - do not export adf_iov_putmsg()
    - crypto: hisilicon/sec - fix the abnormal exiting process
    - crypto: hisilicon/sec - modify the hardware endian configuration
    - crypto: tcrypt - Fix missing return value check
    - fcntl: fix potential deadlocks for _struct.lock
    - fcntl: fix potential deadlock for _struct.fa_lock
    - udf_get_extendedattr() had no boundary checks.
    - io-wq: remove GFP_ATOMIC allocation off schedule out path
    - s390/kasan: fix large PMD pages address alignment check
    - s390/pci: fix misleading rc in clp_set_pci_fn()
    - s390/debug: keep debug data on resize
    - s390/debug: fix debug area life cycle
    - s390/ap: fix state machine hang after failure to enable irq
    - sched/debug: Don't update sched_domain debug directories before sched_debug_init()
    - power: supply: cw2015: use dev_err_probe to allow deferred probe
    - m68k: emu: Fix invalid free in nfeth_cleanup()
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
Booted impish lxd vm; enabled proposed and upgraded to the new kvm abi:

# uname -a
Linux leading-fly 5.13.0-1005-kvm #5-Ubuntu SMP Tue Oct 26 23:55:45 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

# ls /sys/firmware/efi/mok-variables/
MokListRT  MokListXRT  SbatLevelRT

# keyctl list %:.blacklist | head
80 keys in keyring:
252860331: ---lswrv 0 0 blacklist: bin:82db3bceb4f60843ce9d97c3d187cd9b5941cd3de8100e586f2bda5637575f67
676962175: ---lswrv 0 0 blacklist: bin:7827af99362cfaf0717dade4b1bfe0438ad171c15addc248b75bf8caa44bb2c5
1059112409: ---lswrv 0 0 blacklist: bin:8d8ea289cfe70a1c07ab7365cb28ee51edd33cf2506de888fbadd60ebf80481c
990976823: ---lswrv 0 0 blacklist: bin:fddd6e3d29ea84c7743dad4a1bdbc700b5fec1b391f932409086acc71dd6dbd8
772477785: ---lswrv 0 0 blacklist: bin:b97a0889059c035ff1d54b6db53b11b978d9f955247c028b2837d7a04cd9
234365151: ---lswrv 0 0 blacklist: bin:d626157e1d6a718bc124ab8da27cbb65072ca03a7b6b257dbdcbbd60f65ef3d1
812179032: ---lswrv 0 0 blacklist: bin:c409bdac4775add8db92aa22b5b718fb8c94a1462c1fe9a416b95d8a3388c2fc
1025256417: ---lswrv 0 0 blacklist: bin:939aeef4f5fa51e23340c3f2e49048ce8872526afdf752c3a7f3a3f2bc9f6049
442082266: ---lswrv 0 0 blacklist: bin:075eea060589548ba060b2feed10da3c20c7fe9b17cd026b94e8a683b8115238

# keyctl list %:.blacklist | grep asym
73781777: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

# keyctl list %:.platform
3 keys in keyring:
848858004: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
221029845: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
730971307: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

mok-variables, blacklist, and platform keyrings are now there.

** Tags removed: verification-needed-impish
** Tags added: verification-done-impish

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942319

Title:
  When booting with UEFI, mokvar table and %:.platform keyring must be available

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/1942319/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
Failing to get lxd to work to verify this. Will try again tomorrow.
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
This bug is awaiting verification that the linux-kvm/5.13.0-1005.5 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-impish' to 'verification-done-impish'. If the problem still exists, change the tag 'verification-needed-impish' to 'verification-failed-impish'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: verification-needed-impish
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
** Changed in: linux-kvm (Ubuntu Impish)
   Status: New => Fix Committed
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
** Also affects: linux-kvm (Ubuntu Impish)
   Importance: Undecided
   Status: New
[Bug 1942319] Re: When booting with UEFI, mokvar table and %:.platform keyring must be available
** Description changed:

- When booting with UEFI, mokvar table and %:.platform keyring must be available
+ [Impact]
+
+ * When booting with UEFI, mokvar table and %:.platform keyring must be available. These are required for builtin revocation certificates to be present, shim builtin certificates to be present and thus support to signed & verified kexec present. It also allows revocation of signed lrm and livepatch drivers which are trusted by this kernel.
+
+ * The kvm annotations are very minimal, v3 format, and the parent kernel's annotations are not enforced.
+
+ [Test Plan]
+
+ * Check that /sys/firmware/efi/mok-variables/ is available
+
+ * Check that %:.blacklist keyring is populated
+
+$ sudo keyctl list %:.blacklist
+
+ * Check that %:.platform keyring is populated
+
+$ sudo keyctl list %:.platform
+
+ [Where problems could occur]
+
+ * Given how small the kvm config is, it is not clear if all of lockdown features are correctly enabled. Specifically measuring and appraising things with integrity framework. It is possible further config changes will be required to make kvm flavour as hardened as generic one.
+
+ [Other Info]
+
+ * This issue was discovered whilst working on https://bugs.launchpad.net/bugs/1928679 and https://bugs.launchpad.net/bugs/1932029
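The [Test Plan] above was run by hand in the verification comment earlier in this thread. The script below is an added example by the editor of this page, not part of the bug report, the SRU process or the Ubuntu kernel packaging: it turns the three manual checks into a pass/fail verdict. The keyring parsers read `keyctl list` output from stdin, so they can be fed a live listing (set RUN_LIVE=1 and run as root, an arrangement of this example, not a Launchpad convention) or a captured one. The sample listings embedded below are copied from the verification comment in this bug; the CA names it expects in %:.platform are the ones that comment showed on an impish lxd VM and are an assumption, since on other firmware the UEFI db contents differ.

```shell
#!/bin/sh
# Added example for LP: #1942319 (editor's script, not from the bug or Ubuntu).
# Checks: mok-variables directory present with MokListRT, %:.blacklist populated,
# %:.platform populated and holding the expected CA certificates.

# Count keys of one type ("asymmetric" or "blacklist") in a `keyctl list`
# listing on stdin. keyctl prints "<serial>: <perms> <uid> <gid> <type>: <desc>";
# the header line "N keys in keyring:" does not match and is skipped.
count_keys() {
    grep -cE "^ *[0-9]+: [-a-z]+ +[0-9]+ +[0-9]+ +$1: " || true
}

# Succeed if an asymmetric key whose description is $1 is in the listing on stdin.
has_cert() {
    grep -qF "asymmetric: $1: "
}

# Succeed if $1 is the mok-variables directory exported by the kernel's
# MOK variable table and it carries MokListRT (the shim MOK list).
check_mok_vars() {
    [ -d "$1" ] && [ -f "$1/MokListRT" ]
}

# Full verdict. $1 = mok-variables dir, $2 = %:.blacklist listing,
# $3 = %:.platform listing, remaining args = CA names required in %:.platform.
# Prints one line per check; returns 0 only if every check passed.
verify_keyrings() {
    dir=$1; blacklist=$2; platform=$3; shift 3
    rc=0
    if check_mok_vars "$dir"; then echo "ok   mok-variables: $dir"
    else echo "FAIL mok-variables missing or without MokListRT: $dir"; rc=1; fi
    n=$(printf '%s\n' "$blacklist" | count_keys blacklist)
    if [ "$n" -gt 0 ]; then echo "ok   %:.blacklist has $n hash entries"
    else echo "FAIL %:.blacklist has no hash entries"; rc=1; fi
    n=$(printf '%s\n' "$platform" | count_keys asymmetric)
    if [ "$n" -gt 0 ]; then echo "ok   %:.platform has $n certificates"
    else echo "FAIL %:.platform has no certificates"; rc=1; fi
    for ca in "$@"; do
        if printf '%s\n' "$platform" | has_cert "$ca"; then echo "ok   %:.platform trusts: $ca"
        else echo "FAIL %:.platform lacks: $ca"; rc=1; fi
    done
    return $rc
}

# Sample listings copied from the verification comment in this bug
# (truncated to a few lines; the real %:.blacklist had 80 entries).
SAMPLE_BLACKLIST='80 keys in keyring:
252860331: ---lswrv 0 0 blacklist: bin:82db3bceb4f60843ce9d97c3d187cd9b5941cd3de8100e586f2bda5637575f67
676962175: ---lswrv 0 0 blacklist: bin:7827af99362cfaf0717dade4b1bfe0438ad171c15addc248b75bf8caa44bb2c5
73781777: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
SAMPLE_PLATFORM='3 keys in keyring:
848858004: ---lswrv 0 0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
221029845: ---lswrv 0 0 asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
730971307: ---lswrv 0 0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'

# Live run (assumption of this example): sudo RUN_LIVE=1 sh verify-keyrings.sh
# keyctl needs root to list the kernel keyrings.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    verify_keyrings /sys/firmware/efi/mok-variables \
        "$(keyctl list %:.blacklist)" "$(keyctl list %:.platform)" \
        "Canonical Ltd. Master Certificate Authority"
fi
```

On the sample data the verdict is all "ok"; on a kernel built without the platform keyring (the pre-fix linux-kvm config) `keyctl list %:.platform` itself fails and the script reports the empty listing as a FAIL, which is the condition this bug fixed.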