Message ID | 20230511185040.220555-1-tim.gardner@canonical.com |
---|---|
Series | CONFIG_DM_VERITY=m |
On 23/05/11 12:50PM, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> SRU Justification
>
> [Impact]
>
> The kvm flavours currently do not enable dm-verity. This stops us from using
> integrity protected and verified images in VMs using this kernel flavour.
>
> All of the master kernels should also have CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING enabled. These
> config changes should bubble down into the cloud derivative kernels.
>
> [Fix]
>
> Please consider enabling the following kconfigs:
>
> CONFIG_DM_VERITY
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
> CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
>
> (The latter is needed to ensure that MoK keys can be used to verify dm-verity images
> too, via the machine keyring linked to the secondary keyring)
>
> These are already enabled in the 'main' kernel config, and in other distros.
>
> As a specific and explicit use case, in the systemd project we want to test
> functionality provided by systemd that needs these kconfigs on Ubuntu machines running
> the kvm flavour kernel.
>
> Note that I explicitly did not enable CONFIG_IMA as requested in the bug report since
> it has performance impacts.
>
> [Regression Potential]
>
> MOK keys may not be correctly read.
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>
On 5/11/23 12:50 PM, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> [...]

Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 11.05.23 20:50, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> [...]

Applied to lunar,kinetic,jammy:linux/master-next. Thanks.

-Stefan
Applied to jammy, kinetic, lunar linux-kvm master-next

Thanks,
- Luke

On Thu, May 11, 2023 at 11:51 AM Tim Gardner <tim.gardner@canonical.com> wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> [...]
On 11.05.23 20:50, Tim Gardner wrote:
> BugLink: https://bugs.launchpad.net/bugs/2019040
>
> [...]

This does not seem to be applied to Mantic, yet.

On mantic:linux-kvm: I believe that is getting dropped with Mantic, so we could reject it for that.
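The three kconfigs requested in the [Fix] section of the quoted SRU justification are easy to verify on a booted machine before relying on signed dm-verity images. The POSIX shell script below is an added example, not part of this thread and not Ubuntu kernel-team tooling: it parses a kernel config file in the `/boot/config-<version>` format and reports whether each option is built in (`=y`) or a module (`=m`), which is what the series title `CONFIG_DM_VERITY=m` asks for. The two sample configs it checks are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel config for the
# dm-verity options the SRU requests. Works on any file in the
# /boot/config-<version> format, e.g. /boot/config-$(uname -r).

# check_kconfig FILE SYMBOL
#   prints "SYMBOL=y" or "SYMBOL=m" and returns 0 when the symbol is
#   built in or a module; prints "SYMBOL: not set" and returns 1 otherwise.
#   The "=" anchor keeps CONFIG_DM_VERITY from matching the longer
#   CONFIG_DM_VERITY_* symbols, and "# ... is not set" lines never match.
check_kconfig() {
    file="$1"; sym="$2"
    val=$(sed -n "s/^${sym}=\([ym]\)\$/\1/p" "$file")
    if [ -n "$val" ]; then
        printf '%s=%s\n' "$sym" "$val"
        return 0
    fi
    printf '%s: not set\n' "$sym"
    return 1
}

# verity_config_ok FILE
#   returns 0 only when all three options from the SRU are enabled.
verity_config_ok() {
    file="$1"; rc=0
    for sym in CONFIG_DM_VERITY \
               CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG \
               CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING; do
        check_kconfig "$file" "$sym" || rc=1
    done
    return $rc
}

# Constructed sample configs (not real Ubuntu config files): the "before"
# state the bug report describes, and the state after the requested change.
SAMPLE_BEFORE=$(mktemp)
SAMPLE_AFTER=$(mktemp)
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

cat >"$SAMPLE_BEFORE" <<'EOF'
# CONFIG_DM_VERITY is not set
CONFIG_DM_CRYPT=m
EOF

cat >"$SAMPLE_AFTER" <<'EOF'
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
EOF

echo "--- constructed 'before' config:"
verity_config_ok "$SAMPLE_BEFORE" || echo "dm-verity support incomplete"

echo "--- constructed 'after' config:"
verity_config_ok "$SAMPLE_AFTER" && echo "dm-verity support complete"
```

To check a running system, call `verity_config_ok /boot/config-$(uname -r)`, or feed it a copy of `zcat /proc/config.gz` on kernels built with `CONFIG_IKCONFIG_PROC`. The check accepts both `y` and `m`; with `=m` the dm-verity target only exists once the `dm_verity` module is loaded, so a passing config check shows the feature is available, not that it is active.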