Message ID | 20220315182615.160949-1-dimitri.ledkov@canonical.com |
---|---|
State | New |
Series | [JAMMY,FOCAL,BIONIC,linux] UBUNTU: [Packaging] Rotate to 2021v1 signing key |
On 15.03.22 19:26, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990
>
> Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> purposes.
>
> 2012 signing certificate was already revoked for kexec/kdump purposes.
> After this patch is applied, certificates corresponding to CRL serials
> 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> purposes. This patch prevents this kernel to kexec/kdump using kernels
> signed by those certificates when lockdown is in place.
>
> 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> that certificate signs kernel.efi apps only which linux doesn't know
> how to use with kexec/kdump.
>
> Kernels that include this patch should be routed via 2021v1 signing,
> to preserve kexec/kdump functionality under lockdown.
>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

> ---

Just for completeness: this is not including Impish because that would be EOL by the time it becomes relevant?

-Stefan

> .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++ > .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++ > .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++ > 3 files changed, 258 insertions(+) > create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem > create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem > create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem > > diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem > new file mode 100644 > index 0000000000..d26474ec3d > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 2 (0x2) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Sep 26 21:52:11 2017 GMT > + Not After : Sep 25 21:52:11 2047 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + Public-Key: (2048 bit) > + Modulus: > + 00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42: > + e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a: > + 74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4: > + 44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6: > + 12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a: > + 4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58: > + 35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7: > + c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65: > + 71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29: > + 4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6: > + 37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24: > + 99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38: > + 99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2: > + 03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d: > + b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f: > + b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88: > + 9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad: > + 04:ff > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03 > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + 00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1: > + 
d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd: > + a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88: > + fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7: > + c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14: > + 51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc: > + 0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e: > + 61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2: > + c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03: > + 6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4: > + 50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57: > + f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f: > + b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b: > + 20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73: > + 87:d0:e0:d8 > +-----BEGIN CERTIFICATE----- > +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy > +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4 > +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP > +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep > +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1 > +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8 > +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/ > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX > 
+tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo > +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk > +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3 > +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU > +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL > +3MuQN9UoJHOH0ODY > +-----END CERTIFICATE----- > diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem > new file mode 100644 > index 0000000000..76e6bf31e4 > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 3 (0x3) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Oct 26 18:31:14 2018 GMT > + Not After : Oct 24 18:31:14 2048 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + Public-Key: (2048 bit) > + Modulus: > + 00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f: > + 6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d: > + 92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e: > + 56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef: > + 3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54: > + bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8: > + 22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd: > + 9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b: > + fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75: > + 99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80: > + f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8: > + 65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d: > + ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6: > + d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf: > + e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff: > + df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45: > + 99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15: > + 2e:b5 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + 4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc: > + 
60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17: > + bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa: > + b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8: > + 91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f: > + 0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0: > + fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74: > + 97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c: > + 4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9: > + 50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef: > + 84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b: > + fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad: > + e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d: > + 80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85: > + a8:48:16:e2 > +-----BEGIN CERTIFICATE----- > +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx > +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG > +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw > +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc > +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89 > +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT > +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o > +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet > +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd > +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH > +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk > +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV > +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA > 
+TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z > +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq > +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc > +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh > +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ > +YKv/hXcPy0ciybKFqEgW4g== > +-----END CERTIFICATE----- > diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem > new file mode 100644 > index 0000000000..dc6e4b9695 > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 4 (0x4) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Sep 18 16:10:17 2019 GMT > + Not After : Sep 16 16:10:17 2049 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public-Key: (2048 bit) > + Modulus: > + 00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8: > + 58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1: > + 1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75: > + 5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3: > + 9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3: > + 35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60: > + d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5: > + 22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af: > + ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c: > + ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b: > + a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c: > + f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40: > + 55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42: > + 29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74: > + 34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07: > + cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40: > + d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77: > + a5:37 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8 > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f: > + 
24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd: > + d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70: > + 88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad: > + 15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee: > + 22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9: > + f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db: > + 2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c: > + 2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b: > + a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9: > + 7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7: > + 23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3: > + 59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01: > + 24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82: > + e1:c4:5f:db > +-----BEGIN CERTIFICATE----- > +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx > +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9 > +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP > +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v > +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp > +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd > +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3 > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR > 
+nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn > +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1 > +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ > +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm > +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj > +wL0N2G46KYLhxF/b > +-----END CERTIFICATE-----
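Review bot: In the canonical-uefi-2018-all.pem hunk the subject is "CN=Canonical Ltd. Secure Boot Signing (ESM 2018)", but the commit message only says "Revoke 2017, 2018, 2019 signing certificates" and the file name gives no hint that this is the ESM certificate. Suggest stating in the commit message that serial 03 is the ESM 2018 certificate, so that anyone later matching the revoked serials against subjects does not go looking for a non-ESM 2018 certificate.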
On Wed, 16 Mar 2022 at 09:13, Stefan Bader <stefan.bader@canonical.com> wrote:
>
> On 15.03.22 19:26, Dimitri John Ledkov wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1964990
> >
> > Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> > purposes.
> >
> > 2012 signing certificate was already revoked for kexec/kdump purposes.
> > After this patch is applied, certificates corresponding to CRL serials
> > 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> > purposes. This patch prevents this kernel to kexec/kdump using kernels
> > signed by those certificates when lockdown is in place.
> >
> > 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> > that certificate signs kernel.efi apps only which linux doesn't know
> > how to use with kexec/kdump.
> >
> > Kernels that include this patch should be routed via 2021v1 signing,
> > to preserve kexec/kdump functionality under lockdown.
> >
> > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> > ---
>
> Just for completeness: this is not including Impish because that would be EOL by
> the time it becomes relevant?
>

It is not interesting to rotate signing keys of impish. However, there are many kernels in focal that are based off impish ones and those are interesting to rotate to a new signing key. Thus in hindsight, this patch should be applied to impish too.

Regards,

Dimitri.

> -Stefan
>
> > .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++ > > .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++ > > .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++ > > 3 files changed, 258 insertions(+) > > create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem > > create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem > > create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem 
> > > > diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem > > new file mode 100644 > > index 0000000000..d26474ec3d > > --- /dev/null > > +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem 
> > @@ -0,0 +1,86 @@ > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 2 (0x2) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > > + Validity > > + Not Before: Sep 26 21:52:11 2017 GMT > > + Not After : Sep 25 21:52:11 2047 GMT > > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017) > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + Public-Key: (2048 bit) > > + Modulus: > > + 00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42: > > + e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a: > > + 74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4: > > + 44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6: > > + 12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a: > > + 4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58: > > + 35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7: > > + c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65: > > + 71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29: > > + 4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6: > > + 37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24: > > + 99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38: > > + 99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2: > > + 03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d: > > + b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f: > > + b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88: > > + 9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad: > > + 04:ff > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:FALSE > > + X509v3 Extended Key Usage: > > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > > + Netscape Comment: > > + OpenSSL Generated Certificate > > + X509v3 Subject Key Identifier: > > + 24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03 > > + X509v3 Authority Key Identifier: > > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > > + > > + Signature Algorithm: 
sha256WithRSAEncryption > > + 00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1: > > + d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd: > > + a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88: > > + fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7: > > + c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14: > > + 51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc: > > + 0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e: > > + 61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2: > > + c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03: > > + 6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4: > > + 50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57: > > + f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f: > > + b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b: > > + 20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73: > > + 87:d0:e0:d8 > > +-----BEGIN CERTIFICATE----- > > +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy > > +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw > > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4 > > +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP > > +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep > > +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1 > > +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8 > > +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/ > > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > > 
+dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY > > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX > > +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo > > +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk > > +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3 > > +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU > > +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL > > +3MuQN9UoJHOH0ODY > > +-----END CERTIFICATE----- > > diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem > > new file mode 100644 > > index 0000000000..76e6bf31e4 > > --- /dev/null > > +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem 
> > @@ -0,0 +1,86 @@ > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 3 (0x3) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > > + Validity > > + Not Before: Oct 26 18:31:14 2018 GMT > > + Not After : Oct 24 18:31:14 2048 GMT > > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018) > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + Public-Key: (2048 bit) > > + Modulus: > > + 00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f: > > + 6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d: > > + 92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e: > > + 56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef: > > + 3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54: > > + bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8: > > + 22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd: > > + 9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b: > > + fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75: > > + 99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80: > > + f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8: > > + 65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d: > > + ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6: > > + d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf: > > + e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff: > > + df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45: > > + 99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15: > > + 2e:b5 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:FALSE > > + X509v3 Extended Key Usage: > > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > > + Netscape Comment: > > + OpenSSL Generated Certificate > > + X509v3 Subject Key Identifier: > > + 36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B > > + X509v3 Authority Key Identifier: > > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > > + > > + Signature Algorithm: 
sha256WithRSAEncryption > > + 4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc: > > + 60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17: > > + bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa: > > + b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8: > > + 91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f: > > + 0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0: > > + fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74: > > + 97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c: > > + 4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9: > > + 50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef: > > + 84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b: > > + fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad: > > + e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d: > > + 80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85: > > + a8:48:16:e2 > > +-----BEGIN CERTIFICATE----- > > +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx > > +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG > > +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw > > +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc > > +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89 > > +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT > > +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o > > +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet > > +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd > > +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH > > +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk > > 
+IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV > > +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA > > +TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z > > +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq > > +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc > > +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh > > +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ > > +YKv/hXcPy0ciybKFqEgW4g== > > +-----END CERTIFICATE----- > > diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem > > new file mode 100644 > > index 0000000000..dc6e4b9695 > > --- /dev/null > > +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem 
> > @@ -0,0 +1,86 @@ > > +Certificate: > > + Data: > > + Version: 3 (0x2) > > + Serial Number: 4 (0x4) > > + Signature Algorithm: sha256WithRSAEncryption > > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > > + Validity > > + Not Before: Sep 18 16:10:17 2019 GMT > > + Not After : Sep 16 16:10:17 2049 GMT > > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019) > > + Subject Public Key Info: > > + Public Key Algorithm: rsaEncryption > > + RSA Public-Key: (2048 bit) > > + Modulus: > > + 00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8: > > + 58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1: > > + 1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75: > > + 5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3: > > + 9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3: > > + 35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60: > > + d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5: > > + 22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af: > > + ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c: > > + ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b: > > + a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c: > > + f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40: > > + 55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42: > > + 29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74: > > + 34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07: > > + cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40: > > + d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77: > > + a5:37 > > + Exponent: 65537 (0x10001) > > + X509v3 extensions: > > + X509v3 Basic Constraints: critical > > + CA:FALSE > > + X509v3 Extended Key Usage: > > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > > + Netscape Comment: > > + OpenSSL Generated Certificate > > + X509v3 Subject Key Identifier: > > + C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8 > > + X509v3 Authority Key Identifier: > > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > > + > > + Signature Algorithm: 
sha256WithRSAEncryption > > + aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f: > > + 24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd: > > + d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70: > > + 88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad: > > + 15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee: > > + 22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9: > > + f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db: > > + 2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c: > > + 2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b: > > + a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9: > > + 7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7: > > + 23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3: > > + 59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01: > > + 24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82: > > + e1:c4:5f:db > > +-----BEGIN CERTIFICATE----- > > +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx > > +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw > > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9 > > +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP > > +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v > > +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp > > +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd > > +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3 > > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > > 
+dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY > > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR > > +nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn > > +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1 > > +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ > > +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm > > +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj > > +wL0N2G46KYLhxF/b > > +-----END CERTIFICATE----- >
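Review bot: The text dump in the canonical-uefi-2019-all.pem hunk prints "RSA Public-Key: (2048 bit)" where the 2017 and 2018 files print "Public-Key: (2048 bit)", which suggests the three dumps were not produced by the same openssl version. Suggest regenerating all three dumps with one openssl version, or dropping the human-readable dump and keeping only the BEGIN/END CERTIFICATE block, so that the files differ only where the certificates themselves differ.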
On 15.03.22 19:26, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990
>
> Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> purposes.
>
> 2012 signing certificate was already revoked for kexec/kdump purposes.
> After this patch is applied, certificates corresponding to CRL serials
> 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> purposes. This patch prevents this kernel to kexec/kdump using kernels
> signed by those certificates when lockdown is in place.
>
> 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> that certificate signs kernel.efi apps only which linux doesn't know
> how to use with kexec/kdump.
>
> Kernels that include this patch should be routed via 2021v1 signing,
> to preserve kexec/kdump functionality under lockdown.

Need to make sure this signing route ^ is set up before the patch is applied.

>
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks

> ---
> .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++ > .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++ > .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++ > 3 files changed, 258 insertions(+) > create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem > create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem > create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem > > diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem > new file mode 100644 > index 0000000000..d26474ec3d > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 2 (0x2) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Sep 26 21:52:11 2017 GMT > + Not After : Sep 25 21:52:11 2047 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + Public-Key: (2048 bit) > + Modulus: > + 00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42: > + e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a: > + 74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4: > + 44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6: > + 12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a: > + 4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58: > + 35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7: > + c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65: > + 71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29: > + 4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6: > + 37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24: > + 99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38: > + 99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2: > + 03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d: > + b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f: > + b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88: > + 9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad: > + 04:ff > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03 > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + 00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1: > + 
d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd: > + a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88: > + fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7: > + c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14: > + 51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc: > + 0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e: > + 61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2: > + c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03: > + 6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4: > + 50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57: > + f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f: > + b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b: > + 20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73: > + 87:d0:e0:d8 > +-----BEGIN CERTIFICATE----- > +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy > +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4 > +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP > +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep > +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1 > +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8 > +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/ > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX > 
+tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo > +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk > +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3 > +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU > +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL > +3MuQN9UoJHOH0ODY > +-----END CERTIFICATE----- > diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem > new file mode 100644 > index 0000000000..76e6bf31e4 > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 3 (0x3) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Oct 26 18:31:14 2018 GMT > + Not After : Oct 24 18:31:14 2048 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + Public-Key: (2048 bit) > + Modulus: > + 00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f: > + 6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d: > + 92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e: > + 56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef: > + 3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54: > + bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8: > + 22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd: > + 9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b: > + fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75: > + 99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80: > + f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8: > + 65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d: > + ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6: > + d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf: > + e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff: > + df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45: > + 99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15: > + 2e:b5 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + 36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + 4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc: > + 
60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17: > + bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa: > + b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8: > + 91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f: > + 0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0: > + fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74: > + 97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c: > + 4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9: > + 50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef: > + 84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b: > + fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad: > + e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d: > + 80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85: > + a8:48:16:e2 > +-----BEGIN CERTIFICATE----- > +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx > +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG > +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw > +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc > +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89 > +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT > +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o > +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet > +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd > +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH > +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk > +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV > +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA > 
+TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z > +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq > +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc > +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh > +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ > +YKv/hXcPy0ciybKFqEgW4g== > +-----END CERTIFICATE----- > diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem > new file mode 100644 > index 0000000000..dc6e4b9695 > --- /dev/null > +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem 
> @@ -0,0 +1,86 @@ > +Certificate: > + Data: > + Version: 3 (0x2) > + Serial Number: 4 (0x4) > + Signature Algorithm: sha256WithRSAEncryption > + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority > + Validity > + Not Before: Sep 18 16:10:17 2019 GMT > + Not After : Sep 16 16:10:17 2049 GMT > + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019) > + Subject Public Key Info: > + Public Key Algorithm: rsaEncryption > + RSA Public-Key: (2048 bit) > + Modulus: > + 00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8: > + 58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1: > + 1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75: > + 5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3: > + 9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3: > + 35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60: > + d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5: > + 22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af: > + ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c: > + ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b: > + a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c: > + f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40: > + 55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42: > + 29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74: > + 34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07: > + cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40: > + d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77: > + a5:37 > + Exponent: 65537 (0x10001) > + X509v3 extensions: > + X509v3 Basic Constraints: critical > + CA:FALSE > + X509v3 Extended Key Usage: > + Code Signing, 1.3.6.1.4.1.311.10.3.6 > + Netscape Comment: > + OpenSSL Generated Certificate > + X509v3 Subject Key Identifier: > + C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8 > + X509v3 Authority Key Identifier: > + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 > + > + Signature Algorithm: sha256WithRSAEncryption > + aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f: > + 
24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd: > + d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70: > + 88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad: > + 15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee: > + 22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9: > + f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db: > + 2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c: > + 2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b: > + a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9: > + 7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7: > + 23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3: > + 59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01: > + 24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82: > + e1:c4:5f:db > +-----BEGIN CERTIFICATE----- > +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx > +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9 > +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP > +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v > +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp > +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd > +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3 > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy > +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR > 
+nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn > +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1 > +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ > +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm > +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj > +wL0N2G46KYLhxF/b > +-----END CERTIFICATE-----
On Tue, Mar 15, 2022 at 06:26:15PM +0000, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990
diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem new file mode 100644 index 0000000000..d26474ec3d --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Sep 26 21:52:11 2017 GMT + Not After : Sep 25 21:52:11 2047 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42: + e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a: + 74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4: + 44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6: + 12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a: + 4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58: + 35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7: + c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65: + 71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29: + 4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6: + 37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24: + 99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38: + 99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2: + 03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d: + b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f: + b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88: + 9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad: + 04:ff + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1: + d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd: + a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88: 
+ fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7: + c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14: + 51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc: + 0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e: + 61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2: + c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03: + 6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4: + 50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57: + f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f: + b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b: + 20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73: + 87:d0:e0:d8 +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4 +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1 +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8 +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/ +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3 
+NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL +3MuQN9UoJHOH0ODY +-----END CERTIFICATE----- diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem new file mode 100644 index 0000000000..76e6bf31e4 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Oct 26 18:31:14 2018 GMT + Not After : Oct 24 18:31:14 2048 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f: + 6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d: + 92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e: + 56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef: + 3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54: + bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8: + 22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd: + 9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b: + fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75: + 99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80: + f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8: + 65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d: + ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6: + d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf: + e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff: + df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45: + 99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15: + 2e:b5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc: + 60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17: + 
bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa: + b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8: + 91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f: + 0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0: + fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74: + 97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c: + 4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9: + 50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef: + 84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b: + fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad: + e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d: + 80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85: + a8:48:16:e2 +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89 +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA +TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq 
+uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ +YKv/hXcPy0ciybKFqEgW4g== +-----END CERTIFICATE----- diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem new file mode 100644 index 0000000000..dc6e4b9695 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority + Validity + Not Before: Sep 18 16:10:17 2019 GMT + Not After : Sep 16 16:10:17 2049 GMT + Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019) + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8: + 58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1: + 1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75: + 5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3: + 9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3: + 35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60: + d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5: + 22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af: + ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c: + ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b: + a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c: + f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40: + 55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42: + 29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74: + 34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07: + cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40: + d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77: + a5:37 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f: + 24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd: + 
d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70: + 88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad: + 15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee: + 22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9: + f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db: + 2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c: + 2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b: + a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9: + 7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7: + 23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3: + 59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01: + 24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82: + e1:c4:5f:db +-----BEGIN CERTIFICATE----- +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9 +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3 +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR +nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1 
+6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj +wL0N2G46KYLhxF/b +-----END CERTIFICATE-----
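Review bot: in canonical-uefi-2017-all.pem the human-readable dump (Serial Number: 2 (0x2), Subject CN "Canonical Ltd. Secure Boot Signing (2017)") sits above the -----BEGIN CERTIFICATE----- block, and nothing in the patch records how that dump was produced, so the diff alone does not show that the text and the base64 describe the same certificate. Please name the command used to generate the file in the commit message, so the dump can be regenerated from the PEM block and compared before the serial is trusted.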
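Review bot: the Subject in canonical-uefi-2018-all.pem is "Canonical Ltd. Secure Boot Signing (ESM 2018)", while the commit message and the file name only say 2018. Suggest spelling out in the commit message that serial 3 is the ESM 2018 signing certificate, so anyone relying on kexec/kdump under lockdown can tell which kernels are affected.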
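Review bot: canonical-uefi-2019-all.pem prints the key size as "RSA Public-Key: (2048 bit)" where the 2017 and 2018 files have "Public-Key: (2048 bit)", which suggests the three text headers were not generated the same way. Regenerating all three dumps with one tool version would keep the files uniform. Because the commit message sets the Ubuntu Core 2019 certificate (serial 05) apart, a line stating that this file is serial 4, "Secure Boot Signing (2019)", would also keep the two 2019 certificates from being confused.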
BugLink: https://bugs.launchpad.net/bugs/1964990

Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
purposes.

2012 signing certificate was already revoked for kexec/kdump purposes.
After this patch is applied, certificates corresponding to CRL serials
01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
purposes. This patch prevents this kernel to kexec/kdump using kernels
signed by those certificates when lockdown is in place.

05 Ubuntu Core 2019 signing certificate is not included as revoked, as
that certificate signs kernel.efi apps only which linux doesn't know
how to use with kexec/kdump.

Kernels that include this patch should be routed via 2021v1 signing,
to preserve kexec/kdump functionality under lockdown.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++
 .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++
 .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++
 3 files changed, 258 insertions(+)
 create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem
 create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem
 create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem
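Review bot: the diffstat lists only the three new files under debian/revoked-certs/ and no change to packaging rules or kernel configuration, so the patch itself does not show how these certificates reach the kernel's revocation list. A sentence in the commit message on how files in debian/revoked-certs/ are consumed would help, together with an explicit note that the 2021v1 signing route has to be in place before this lands, since the message states that kernels carrying the patch will not kexec/kdump kernels signed with serials 01 to 04 under lockdown.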