
[{bionic,focal,groovy}:linux,3/4] UBUNTU: [Config] add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS

Message ID 20210218161754.1840146-8-apw@canonical.com
State New
Series [bionic:linux,1/4] UBUNTU: [Config] enable CONFIG_MODVERSIONS=y

Commit Message

Andy Whitcroft Feb. 18, 2021, 4:17 p.m. UTC
From: Dimitri John Ledkov <xnox@ubuntu.com>

Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that
livepatch modules signed by Canonical are trusted out of the box, on
locked-down secureboot systems.

BugLink: https://bugs.launchpad.net/bugs/1898716
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
[apw@canonical.com: move certification to cert framework.]
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++
 1 file changed, 121 insertions(+)
 create mode 100644 debian/certs/canonical-livepatch-all.pem

Comments

Tim Gardner Feb. 18, 2021, 7:12 p.m. UTC | #1
The way that kernels are signed in the deep, dark recesses of the 
private kernel PPA has always been a bit of black magic to me. Given my 
ignorance, exposing keys like this in source code seems like a bad idea. 
Can you explain how they are being used ? Will they ever expire or change ?

rtg

On 2/18/21 9:17 AM, Andy Whitcroft wrote:
> From: Dimitri John Ledkov <xnox@ubuntu.com>
> 
> Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that
> livepatch modules signed by Canonical are trusted out of the box, on
> locked-down secureboot systems.
> 
> BugLink: https://bugs.launchpad.net/bugs/1898716
> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
> [apw@canonical.com: move certification to cert framework.]
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>   debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++
>   1 file changed, 121 insertions(+)
>   create mode 100644 debian/certs/canonical-livepatch-all.pem
> 
> diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem
> new file mode 100644
> index 000000000000..3f360f74344d
> --- /dev/null
> +++ b/debian/certs/canonical-livepatch-all.pem
> @@ -0,0 +1,121 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number:
> +            c7:7e:51:6a:1c:25:cd:40
> +        Signature Algorithm: sha512WithRSAEncryption
> +        Issuer: CN = Canonical Ltd. Live Patch Signing
> +        Validity
> +            Not Before: Jul 18 23:41:27 2016 GMT
> +            Not After : Jul 16 23:41:27 2026 GMT
> +        Subject: CN = Canonical Ltd. Live Patch Signing
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                RSA Public-Key: (4096 bit)
> +                Modulus:
> +                    00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd:
> +                    46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3:
> +                    2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0:
> +                    93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70:
> +                    13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e:
> +                    48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f:
> +                    38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33:
> +                    02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa:
> +                    30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f:
> +                    5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91:
> +                    e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3:
> +                    f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a:
> +                    13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d:
> +                    2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68:
> +                    7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79:
> +                    da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e:
> +                    bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2:
> +                    6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc:
> +                    38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64:
> +                    bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4:
> +                    51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75:
> +                    8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b:
> +                    21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef:
> +                    f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a:
> +                    52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af:
> +                    cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76:
> +                    c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1:
> +                    4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64:
> +                    25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd:
> +                    44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5:
> +                    03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64:
> +                    f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6:
> +                    00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db:
> +                    f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54:
> +                    5f:e5:a3
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Key Usage:
> +                Digital Signature
> +            X509v3 Subject Key Identifier:
> +                14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
> +            X509v3 Authority Key Identifier:
> +                keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
> +
> +    Signature Algorithm: sha512WithRSAEncryption
> +         30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7:
> +         14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9:
> +         54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0:
> +         af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1:
> +         4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf:
> +         86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e:
> +         b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c:
> +         22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48:
> +         a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48:
> +         25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec:
> +         30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10:
> +         9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39:
> +         90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06:
> +         93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29:
> +         1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89:
> +         41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17:
> +         29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97:
> +         f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e:
> +         37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72:
> +         1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0:
> +         8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54:
> +         ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37:
> +         15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8:
> +         43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4:
> +         e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57:
> +         6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22:
> +         d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31:
> +         95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e:
> +         76:ed:66:38:e2:70:08:00
> +-----BEGIN CERTIFICATE-----
> +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV
> +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy
> +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu
> +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
> +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw
> +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i
> +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8
> +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
> +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd
> +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk
> +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev
> +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
> +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx
> +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq
> +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG
> +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
> +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG
> +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip
> +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1
> +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
> +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs
> +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv
> +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3
> +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
> +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC
> +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+
> +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi
> +0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
> +-----END CERTIFICATE-----
>
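Review bot: the commit message should spell out what the hunk makes verifiable, because the thread's questions about exposure and expiry are answered by the certificate itself. Issuer and Subject are both `CN = Canonical Ltd. Live Patch Signing` and the Subject Key Identifier equals the Authority Key Identifier, so this is a self-signed leaf; `X509v3 Basic Constraints: critical / CA:FALSE` and a Key Usage of only `Digital Signature` mean it can vouch for signatures made with this one 4096-bit RSA key and cannot delegate to further signing keys; and `Not After : Jul 16 23:41:27 2026 GMT` fixes the date by which a replacement has to be in a kernel upload. Suggest adding that expiry and the intended rotation path to the commit message, since anyone auditing SYSTEM_TRUSTED_KEYS later will otherwise have to dump the PEM to learn it.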
Seth Forshee Feb. 19, 2021, 2:38 p.m. UTC | #2
On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
> The way that kernels are signed in the deep, dark recesses of the private
> kernel PPA has always been a bit of black magic to me. Given my ignorance,
> exposing keys like this in source code seems like a bad idea. Can you
> explain how they are being used ? Will they ever expire or change ?

Effectively both are module signing keys. The keys are not "exposed."
The public key will be baked into the kernel while the private key
remains secret. The ephemeral build-time module signing key also has the
public key statically built into the kernel keyring; only the private
key is discarded.

When these need to be rotated it's just a matter of putting the new keys
in the next upload, at least on the kernel side.

There probably is a small security cost to using these keys. At minimum
a compromise of one of the keys affects more kernels. But this is also
the case for the secure boot signing keys, so imo the impact is pretty
marginal.

Seth

> -- 
> -----------
> Tim Gardner
> Canonical, Inc
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
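A worked check of what is actually being trusted, added here as an editor's example (it is not code from the patch, from this thread, or from Ubuntu's kernel tooling): it takes the PEM from the hunk quoted above, walks the DER with a minimal standard-library parser, and reports the properties a reviewer wants before a public key goes into SYSTEM_TRUSTED_KEYS: whether it is self-signed, the CA flag, the key usage bits, and the validity window the expiry question in this thread turns on. `trust_anchor_findings` is my own checklist, not a rule the kernel enforces; the `OID` table, the `KEY_USAGE_BITS` order and the ISO `today` parameter are assumptions of this example, and the parser covers only what a v3 certificate needs (long-form lengths, explicit tags for version and extensions).

```python
"""Audit an X.509 certificate before it is baked into SYSTEM_TRUSTED_KEYS.
Added example (not the patch's or Ubuntu's tooling), standard library only, with a
minimal DER walker. PEM below is the livepatch certificate from the patch itself."""
import base64, datetime, re

PEM = """\
-----BEGIN CERTIFICATE-----
MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV
BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy
MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu
IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw
k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i
Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8
mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd
Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk
vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev
iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx
4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq
k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG
A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG
9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip
VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1
fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs
MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv
i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3
XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC
fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+
7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi
0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
-----END CERTIFICATE-----
"""
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
OID = {"basic_constraints": b"\x55\x1d\x13", "key_usage": b"\x55\x1d\x0f"}   # 2.5.29.19 / .15,
UTC = datetime.timezone.utc                                                     # DER-encoded

def pem_to_der(text):
    # `openssl x509 -text` output may precede the armored block (as in the patch): keep the block.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlv(buf, pos):   # decode one DER tag-length-value at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):   # split a constructed DER value into its (tag, value) members
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):                              # 0x17 UTCTime (YY), 0x18 GeneralizedTime (YYYY)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=UTC)

def audit_cert(text):
    """Extract the fields that decide whether a certificate belongs in a trust store."""
    _, cert, _ = tlv(pem_to_der(text), 0)
    fields = [f for f in children(children(cert)[0][1]) if f[0] != 0xA0]   # tbs, minus [0] version
    serial, _sig_alg, issuer, validity, subject, _spki = fields[:6]
    not_before, not_after = children(validity[1])
    info = {"serial": format(int.from_bytes(serial[1], "big"), "x"),
            "self_signed": issuer[1] == subject[1],    # byte-identical Name structures
            "not_before": parse_time(*not_before), "not_after": parse_time(*not_after),
            "ca": False, "key_usage": set()}
    ext_seq = next((v for t, v in fields[6:] if t == 0xA3), None)   # explicit [3] extensions
    for _, ext in (children(children(ext_seq)[0][1]) if ext_seq else []):
        parts = children(ext)                          # OID, optional critical BOOLEAN, OCTET STRING
        oid, (_, inner, _) = parts[0][1], tlv(parts[-1][1], 0)
        if oid == OID["basic_constraints"]:            # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            info["ca"] = inner.startswith(b"\x01\x01\xff")   # DER TRUE; an empty SEQUENCE is FALSE
        elif oid == OID["key_usage"]:                  # BIT STRING; byte 0 = number of unused bits
            bits = "".join(f"{b:08b}" for b in inner[1:])
            info["key_usage"] = {name for name, bit in zip(KEY_USAGE_BITS, bits) if bit == "1"}
    return info

def trust_anchor_findings(info, today):
    """My checklist for a module-verification key (ISO date in); not a kernel-imposed rule."""
    now = datetime.datetime.fromisoformat(today).replace(tzinfo=UTC)
    days_left = (info["not_after"] - now).days
    checks = [(not info["not_before"] <= now <= info["not_after"], "outside validity window"),
              (0 <= days_left < 365, "under a year of validity left; schedule the rotation"),
              (info["ca"], "CA:TRUE, so this anchor could delegate to further signing keys"),
              ("digitalSignature" not in info["key_usage"], "key usage lacks digitalSignature")]
    return [msg for bad, msg in checks if bad]
```

Against the patch's certificate `audit_cert(PEM)` reports a self-signed, non-CA key limited to `digitalSignature`, valid from 2016-07-18 to 2026-07-16; `trust_anchor_findings` returns nothing for the posting date, the rotation warning once less than a year remains, and "outside validity window" after the expiry. Feeding it the whole hunk, `openssl -text` preamble included, gives the same result because `pem_to_der` only reads the armored block.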
Tim Gardner Feb. 19, 2021, 2:54 p.m. UTC | #3
On 2/19/21 7:38 AM, Seth Forshee wrote:
> On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
>> The way that kernels are signed in the deep, dark recesses of the private
>> kernel PPA has always been a bit of black magic to me. Given my ignorance,
>> exposing keys like this in source code seems like a bad idea. Can you
>> explain how they are being used ? Will they ever expire or change ?
> 
> Effectively both are module signing keys. The keys are not "exposed."
> The public key will be baked into the kernel while the private key
> remains secret. The ephemeral build-time module signing key also has the
> public key statically built into the kernel keyring; only the private
> key is discarded.
> 
> When these need to be rotated it's just a matter of putting the new keys
> in the next upload, at least on the kernel side.
> 
> There probably is a small security cost to using these keys. At minimum
> a compromise of one of the keys affects more kernels. But this is also
> the case for the secure boot signing keys, so imo the impact is pretty
> marginal.
> 
> Seth
> 

I think I understand. I had not considered that the signing process is 
now using a static key pair instead of the kernel build time ephemeral 
key. We could dispense with the ephemeral key altogether and achieve the 
same result. For instance, it might be useful for signing DKMS modules 
as well. Wouldn't that reduce some of the current build and packaging 
complexity for out of tree modules supported by Ubuntu ?

rtg

Seth Forshee Feb. 19, 2021, 4:46 p.m. UTC | #4
On Fri, Feb 19, 2021 at 07:54:05AM -0700, Tim Gardner wrote:
> 
> 
> On 2/19/21 7:38 AM, Seth Forshee wrote:
> > On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
> > > The way that kernels are signed in the deep, dark recesses of the private
> > > kernel PPA has always been a bit of black magic to me. Given my ignorance,
> > > exposing keys like this in source code seems like a bad idea. Can you
> > > explain how they are being used ? Will they ever expire or change ?
> > 
> > Effectively both are module signing keys. The keys are not "exposed."
> > The public key will be baked into the kernel while the private key
> > remains secret. The ephemeral build-time module signing key also has the
> > public key statically built into the kernel keyring; only the private
> > key is discarded.
> > 
> > When these need to be rotated it's just a matter of putting the new keys
> > in the next upload, at least on the kernel side.
> > 
> > There probably is a small security cost to using these keys. At minimum
> > a compromise of one of the keys affects more kernels. But this is also
> > the case for the secure boot signing keys, so imo the impact is pretty
> > marginal.
> > 
> > Seth
> > 
> 
> I think I understand. I had not considered that the signing process is now
> using a static key pair instead of the kernel build time ephemeral key.

We do still use the build-time ephemeral key for the modules in the
linux-modules packages; that will not change. I'm assuming we currently
use a static key for livepatch, I don't actually know for sure. The
signing of the kernel images themselves does not use an ephemeral key
though.

> We
> could dispense with the ephemeral key altogether and achieve the same
> result. For instance, it might be useful for signing DKMS modules as well.
> Wouldn't that reduce some of the current build and packaging complexity for
> out of tree modules supported by Ubuntu ?

Remember that we'd have to build new dkms modules for each new kernel
version we upload, across all the kernels we support. We certainly
wouldn't want to do that for a bunch of individual dkms packages. We
could build them alongside the kernel like we do with zfs, but that
comes with its own pain points (which is at least part of the impetus
behind the module signing key). So another l-r-m style package would be
the least bad option for prebuilt dkms modules. It wouldn't reduce
packaging complexity as we'd likely build the modules from the dkms
packages like we do for l-r-m. The real benefit would be for users who
wouldn't have to build the modules locally and enrol a MOK.

Seth
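The replies above turn on the difference between the key that is baked into the kernel keyring and the signature that is appended to each module. The following Python example, added here and not taken from the thread or from Ubuntu's kernel packaging, shows what that appended signature actually looks like on disk: the trailer format is the kernel's struct module_signature plus the "~Module signature appended~" magic that scripts/sign-file writes. The module bytes and the PKCS#7 blob are constructed placeholders (a dummy DER SEQUENCE, not a real SignedData), so the example only parses and sanity-checks the trailer the way the kernel does before handing the blob to its PKCS#7 verifier; it does not verify the signature against a certificate such as the one in this patch.

```python
import struct

# Trailer the kernel looks for at the very end of a signed .ko
MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # struct module_signature.id_type for a PKCS#7 blob

# struct module_signature (include/linux/module_signature.h):
#   u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
#   u8 __pad[3], __be32 sig_len  (sig_len is big-endian on every arch)
SIG_INFO_FMT = ">BBBBB3sI"
SIG_INFO_LEN = struct.calcsize(SIG_INFO_FMT)  # 12 bytes


def append_signature(payload, pkcs7_der):
    """Lay a signed module out the way scripts/sign-file does:
    ELF bytes, then the PKCS#7 DER, then module_signature, then the magic."""
    info = struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0,
                       b"\0\0\0", len(pkcs7_der))
    return payload + pkcs7_der + info + MODULE_SIG_STRING


def parse_module_signature(data):
    """Return None for an unsigned file, a dict for a well-formed signed one,
    and raise ValueError on a malformed trailer.  The rejections mirror the
    kernel's mod_check_sig(): wrong id_type and non-zero legacy fields are
    errors, and sig_len may never reach past the start of the file."""
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[:-len(MODULE_SIG_STRING)]
    if len(body) < SIG_INFO_LEN:
        raise ValueError("too short to hold struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = struct.unpack(
        SIG_INFO_FMT, body[-SIG_INFO_LEN:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type %d (kernel: -ENOPKG)" % id_type)
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("non-zero legacy fields (kernel: -EBADMSG)")
    rest = body[:-SIG_INFO_LEN]
    if sig_len > len(rest):
        raise ValueError("sig_len %d exceeds module length %d (kernel: -EBADMSG)"
                         % (sig_len, len(rest)))
    if sig_len == 0:
        # Our own check: an empty blob leaves nothing for the verifier.
        raise ValueError("empty signature blob")
    return {
        "id_type": id_type,
        "sig_len": sig_len,
        "pkcs7": rest[-sig_len:],    # DER to hand to a PKCS#7 verifier
        "payload": rest[:-sig_len],  # the bytes the signature covers
    }


def signature_status(data):
    """One-line verdict, convenient for a checker run over /lib/modules."""
    try:
        info = parse_module_signature(data)
    except ValueError as exc:
        return "malformed: %s" % exc
    if info is None:
        return "unsigned"
    return "signed (pkcs7, %d bytes)" % info["sig_len"]


# Constructed sample input (not a real module or a real signature): a few
# ELF-looking bytes and a placeholder DER SEQUENCE standing in for the
# PKCS#7 SignedData that scripts/sign-file would emit.
SAMPLE_PAYLOAD = b"\x7fELF" + b"\x00" * 60
SAMPLE_PKCS7 = b"\x30\x82\x00\x20" + b"\xaa" * 32  # SEQUENCE, 32-byte dummy body
SAMPLE_MODULE = append_signature(SAMPLE_PAYLOAD, SAMPLE_PKCS7)

# Constructed tampered variant: same bytes, but sig_len claims far more than
# the file holds, which the kernel rejects before any crypto runs.
SAMPLE_OVERLONG = (SAMPLE_PAYLOAD + SAMPLE_PKCS7
                   + struct.pack(SIG_INFO_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0,
                                 b"\0\0\0", len(SAMPLE_PKCS7) + 1000)
                   + MODULE_SIG_STRING)

if __name__ == "__main__":
    for name, blob in (("signed", SAMPLE_MODULE), ("plain", SAMPLE_PAYLOAD),
                       ("overlong", SAMPLE_OVERLONG)):
        print(name, "->", signature_status(blob))
```

The point this makes for the thread: whichever key signed a module, ephemeral build-time key or the static livepatch key, the on-disk artefact is identical, and the only thing that decides whether the kernel accepts it is whether the signer's public key is present in the built-in keyring (or a MOK-derived one). To check a real .ko against the certificate in this patch you would extract `pkcs7` as above and verify it with a PKCS#7 tool such as `openssl cms -verify -inform DER -binary` with the PEM from debian/certs as the trust anchor.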

Patch

diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem
new file mode 100644
index 000000000000..3f360f74344d
--- /dev/null
+++ b/debian/certs/canonical-livepatch-all.pem
@@ -0,0 +1,121 @@ 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            c7:7e:51:6a:1c:25:cd:40
+        Signature Algorithm: sha512WithRSAEncryption
+        Issuer: CN = Canonical Ltd. Live Patch Signing
+        Validity
+            Not Before: Jul 18 23:41:27 2016 GMT
+            Not After : Jul 16 23:41:27 2026 GMT
+        Subject: CN = Canonical Ltd. Live Patch Signing
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (4096 bit)
+                Modulus:
+                    00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd:
+                    46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3:
+                    2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0:
+                    93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70:
+                    13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e:
+                    48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f:
+                    38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33:
+                    02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa:
+                    30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f:
+                    5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91:
+                    e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3:
+                    f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a:
+                    13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d:
+                    2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68:
+                    7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79:
+                    da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e:
+                    bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2:
+                    6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc:
+                    38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64:
+                    bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4:
+                    51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75:
+                    8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b:
+                    21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef:
+                    f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a:
+                    52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af:
+                    cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76:
+                    c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1:
+                    4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64:
+                    25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd:
+                    44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5:
+                    03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64:
+                    f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6:
+                    00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db:
+                    f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54:
+                    5f:e5:a3
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: 
+                Digital Signature
+            X509v3 Subject Key Identifier: 
+                14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
+            X509v3 Authority Key Identifier: 
+                keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
+
+    Signature Algorithm: sha512WithRSAEncryption
+         30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7:
+         14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9:
+         54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0:
+         af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1:
+         4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf:
+         86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e:
+         b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c:
+         22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48:
+         a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48:
+         25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec:
+         30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10:
+         9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39:
+         90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06:
+         93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29:
+         1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89:
+         41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17:
+         29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97:
+         f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e:
+         37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72:
+         1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0:
+         8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54:
+         ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37:
+         15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8:
+         43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4:
+         e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57:
+         6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22:
+         d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31:
+         95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e:
+         76:ed:66:38:e2:70:08:00
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
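Review bot: the commit title says the key is added to SYSTEM_TRUSTED_KEYS, but the only change in this hunk is the new file debian/certs/canonical-livepatch-all.pem; neither the hunk nor the commit message says how the cert framework folds files under debian/certs/ into CONFIG_SYSTEM_TRUSTED_KEYS, so please either name that mechanism in the message or include the config change so a reviewer can confirm the key really lands in the built-in keyring. Two smaller points on the file itself: the human-readable dump above the -----BEGIN CERTIFICATE----- block is not what gets compiled in and can silently drift from the DER, so it should be regenerated from the PEM with `openssl x509 -in debian/certs/canonical-livepatch-all.pem -noout -text` and the Subject Key Identifier 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69 compared before merging; and the certificate is self-signed (Issuer equals Subject, Authority Key Identifier equals Subject Key Identifier) with CA:FALSE and Not After Jul 16 23:41:27 2026 GMT, which answers the expiry question raised in the thread and deserves a sentence about the rotation plan in the commit message.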