[SRU,OEM-5.17,0/1] enable Mok key support for v5.17

Message ID 20220510093619.17147-1-ivan.hu@canonical.com

Message

Ivan Hu May 10, 2022, 9:36 a.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1972802

[Impact]
MOK keys are not trusted after kernel 5.17

[Fix]
Enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT and CONFIG_IMA_ARCH_POLICY to fix
this: the patch "[patch] integrity: Do not load MOK and MOKx when secure boot
be disabled" was added to check if secure boot is enabled for trusting the MOK
key.

[Test]
Enroll a MOK key and use it to sign kernel modules, make sure secure boot is on,
and load the kernel module with either modprobe or insmod.

[Where problems could occur]
Low. This only affects the function that checks whether secure boot is enabled.

Ivan Hu (1):
  UBUNTU: [Config] enable configs for fixing 5.17 kernel won't load mok

 debian.oem/config/config.common.ubuntu | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
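
A check for the two options named under [Fix], as an added example that is not part of the original posting or of the Ubuntu kernel tree: it reads a kernel config file and reports whether both options are built in. The function names and the sample configs are constructed for illustration; on an installed system the file to pass is typically /boot/config-$(uname -r).

```shell
#!/bin/sh
# Added example: report the state of the IMA options named in [Fix].

# Print the state of option $1 in config file $2: its value (y, m, ...) or "unset".
# If the option appears more than once, the last line is the one reported.
config_state() {
    awk -v opt="$1" '
        index($0, opt "=") == 1            { state = substr($0, length(opt) + 2) }
        $0 == ("# " opt " is not set")     { state = "unset" }
        END { print (state == "" ? "unset" : state) }
    ' "$2"
}

# Return 0 only when both options are =y; print the state of each either way.
mok_trust_config_ok() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for opt in CONFIG_IMA_ARCH_POLICY CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT; do
        state=$(config_state "$opt" "$file")
        printf '%s: %s\n' "$opt" "$state"
        [ "$state" = y ] || rc=1
    done
    return $rc
}

# Constructed sample configs (not taken from any Ubuntu package).
sample_config() {
    if [ "$1" = enabled ]; then
        cat <<'EOF'
CONFIG_IMA=y
CONFIG_IMA_ARCH_POLICY=y
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
EOF
    else
        cat <<'EOF'
CONFIG_IMA=y
# CONFIG_IMA_ARCH_POLICY is not set
EOF
    fi
}

# With a path argument, check that file; with none, only define the functions.
[ "$#" -eq 0 ] || mok_trust_config_ok "$1"
```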

Comments

You-Sheng Yang May 10, 2022, 4:29 p.m. UTC | #1
Resubmitted V2 for both oem-5.17 and unstable with annotations addressed.

On Tue, May 10, 2022 at 5:36 PM Ivan Hu <ivan.hu@canonical.com> wrote:
>
> BugLink: https://bugs.launchpad.net/bugs/1972802
>
> [Impact]
> MOK keys are not trusted after kernel 5.17
>
> [Fix]
> Enable CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT and CONFIG_IMA_ARCH_POLICY to fix
> this: the patch "[patch] integrity: Do not load MOK and MOKx when secure boot
> be disabled" was added to check if secure boot is enabled for trusting the MOK
> key.
>
> [Test]
> Enroll a MOK key and use it to sign kernel modules, make sure secure boot is on,
> and load the kernel module with either modprobe or insmod.
>
> [Where problems could occur]
> Low. This only affects the function that checks whether secure boot is enabled.
>
> Ivan Hu (1):
>   UBUNTU: [Config] enable configs for fixing 5.17 kernel won't load mok
>
>  debian.oem/config/config.common.ubuntu | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team