** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Description changed:
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that
are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with
SecureBoot, please add Canonical Livepatch service key as trusted in the
kernel by default
* if a user wants to distrust the key, they can remove it via mokx or dbx,
and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the
built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
-
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image
will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
+
+ [Target kernels]
+
+ bionic and up, across the board, but maybe excluding fips kernels?!
** Description changed:
[Impact]
* Currently Canonical Livepatch service is signing kernel modules that
are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with
SecureBoot, please add Canonical Livepatch service key as trusted in the
kernel by default
* if a user wants to distrust the key, they can remove it via mokx or dbx,
and we can revoke it by signing a revocation with 'canonical master ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the
built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image
will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel uses pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
[Target kernels]
bionic and up, across the board, but maybe excluding fips kernels?!
+
+ [Patch]
+
+ https://lists.ubuntu.com/archives/kernel-team/2020-October/113929.html
** Patch added:
"0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+attachment/5418376/+files/0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch
** Changed in: linux (Ubuntu)
Status: Incomplete => Triaged
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898716
Title:
Please trust Canonical Livepatch Service kmod signing key
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+subscriptions
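A scriptable form of the [Test Case] from the bug description, added here as an example (it is not part of the bug report or of the Ubuntu kernel tree). It parses `keyctl list %:.builtin_trusted_keys` output and exits non-zero when no key described as "Canonical Ltd. Live Patch Signing" is present; the two embedded listings are the Bad/Good samples from the description, and `check_builtin_keyring` is an assumed wrapper that needs keyutils and root on a live system.

```shell
#!/bin/sh
# Added example: check whether the Canonical Livepatch kmod signing key is
# in the kernel's built-in trusted keyring (the bug's Good vs Bad case).

LIVEPATCH_DESC='Canonical Ltd. Live Patch Signing'

# Read a keyctl listing on stdin. Print the serial of every asymmetric key
# whose description contains $1. Returns 0 if at least one key matched,
# 1 otherwise (the Bad case: only the build-time autogenerated key).
find_key_serial() {
    local pattern="$1" found=1
    while read -r serial _perms _uid _gid type desc; do
        # Key lines look like:
        #   <serial>: ---lswrv 0 0 asymmetric: <description>: <key id>
        # The header line "N keys in keyring:" never has type "asymmetric:".
        [ "$type" = "asymmetric:" ] || continue
        case $desc in
            *"$pattern"*)
                printf '%s\n' "${serial%:}"
                found=0 ;;
        esac
    done
    return "$found"
}

# Assumed wrapper for a live system (keyutils installed, run as root).
check_builtin_keyring() {
    keyctl list %:.builtin_trusted_keys | find_key_serial "$LIVEPATCH_DESC"
}

# Constructed samples, copied from the Bad/Good listings in the bug description.
BAD_LISTING='1 key in keyring:
 204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5'
GOOD_LISTING='2 keys in keyring:
 637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'

# Bad listing: no Livepatch key, so find_key_serial returns 1.
printf '%s\n' "$BAD_LISTING" | find_key_serial "$LIVEPATCH_DESC" \
    || echo "Bad: Livepatch key is NOT in the built-in keyring"
# Good listing: prints the serial 1044383508 and returns 0.
printf '%s\n' "$GOOD_LISTING" | find_key_serial "$LIVEPATCH_DESC" \
    && echo "Good: Livepatch key is trusted"
```

On a real machine, replace the embedded listings with `check_builtin_keyring` and use its exit status in a boot-time check.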
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs