[JAMMY,FOCAL,BIONIC,linux] UBUNTU: [Packaging] Rotate to 2021v1 signing key

Message ID 20220315182615.160949-1-dimitri.ledkov@canonical.com
State New
Series [JAMMY,FOCAL,BIONIC,linux] UBUNTU: [Packaging] Rotate to 2021v1 signing key

Commit Message

Dimitri John Ledkov March 15, 2022, 6:26 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1964990

Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
purposes.

The 2012 signing certificate was already revoked for kexec/kdump purposes.
After this patch is applied, certificates corresponding to CRL serials
01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
purposes. This patch prevents this kernel from using kexec/kdump with
kernels signed by those certificates when lockdown is in place.

The 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
that certificate signs kernel.efi apps only, which linux does not know
how to use with kexec/kdump.

Kernels that include this patch should be routed via 2021v1 signing,
to preserve kexec/kdump functionality under lockdown.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++
 .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++
 .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++
 3 files changed, 258 insertions(+)
 create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem
 create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem
 create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem
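The three files this patch adds each carry an `openssl x509 -text` dump ahead of the PEM block, and only the PEM block is what a certificate loader actually reads. The check below is an added example for reviewing such files; it is not part of the patch or of Ubuntu's kernel packaging. It decodes the PEM body, walks just enough of the DER to read the serial number and subject CN, and compares them with the header lines, so the human-readable text cannot silently describe a different certificate from the one being revoked. It uses only the Python standard library; the embedded sample is the 2017 certificate from this patch with its header trimmed to the two lines the check compares. The function names (`check_revoked_cert`, `parse_cert`, `parse_header`) are mine and do not exist in the kernel tree.

```python
"""Cross-check the openssl -text header of a debian/revoked-certs/*.pem file against its
DER body. Added review example, not Ubuntu kernel packaging code: only the BEGIN/END
CERTIFICATE block is load-bearing, the dump above it is a comment that can go stale."""
import base64
import re

# Sample input: the 2017 certificate as added by the patch, header trimmed to the two
# lines this check compares; the base64 body is the complete certificate.
SAMPLE_PEM = """\
        Serial Number: 2 (0x2)
        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017)
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy
MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4
VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP
u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep
oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1
Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8
fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/
AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY
MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX
tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo
woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk
Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3
NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU
Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL
3MuQN9UoJHOH0ODY
-----END CERTIFICATE-----
"""

CN_OID = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed inside [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def _common_name(der, start, end):
    """Find CN in an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn_s, rdn_e in _children(der, start, end):
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):
            oid, value = list(_children(der, atv_s, atv_e))
            if der[oid[1]:oid[2]] == CN_OID:
                return der[value[1]:value[2]].decode("utf-8")
    return None

def parse_cert(der):
    """Return (serialNumber, subject CN), walking only the front of TBSCertificate."""
    _, cert_s, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)   # tbsCertificate ::= SEQUENCE
    fields = _children(der, tbs_s, tbs_e)
    tag, s, e = next(fields)
    if tag == 0xA0:                        # [0] EXPLICIT version, absent on v1 certs
        tag, s, e = next(fields)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER, got tag 0x%02x" % tag)
    serial = int.from_bytes(der[s:e], "big", signed=True)
    for _ in range(3):                     # skip signature, issuer, validity
        next(fields)
    _, sub_s, sub_e = next(fields)         # subject Name
    return serial, _common_name(der, sub_s, sub_e)

def pem_to_der(text):
    """Decode the first PEM CERTIFICATE block; any text before it is ignored."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def parse_header(text):
    """Read serial and CN from the -text dump (decimal serial form, as in these files)."""
    m_serial = re.search(r"^\s*Serial Number:\s*(\d+)", text, re.M)
    m_cn = re.search(r"^\s*Subject:.*?CN=([^,\n]+)", text, re.M)
    if not (m_serial and m_cn):
        raise ValueError("header lacks Serial Number or Subject CN")
    return int(m_serial.group(1)), m_cn.group(1).strip()

def check_revoked_cert(text):
    """Return (serial, cn, header_matches) for the contents of one revoked-certs file."""
    serial, cn = parse_cert(pem_to_der(text))
    return serial, cn, (serial, cn) == parse_header(text)
```

Run it over each `debian/revoked-certs/*.pem` file's contents; a `False` in the third position means the header was not regenerated from the certificate it sits above. The DER walk stops at the subject, so it does not depend on the extensions or signature, and `parse_header` only understands the decimal `Serial Number: N (0xN)` form that OpenSSL prints for small serials, which is the form these files use.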

Comments

Stefan Bader March 16, 2022, 9:13 a.m. UTC | #1
On 15.03.22 19:26, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990
> 
> Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> purposes.
> 
> The 2012 signing certificate was already revoked for kexec/kdump purposes.
> After this patch is applied, certificates corresponding to CRL serials
> 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> purposes. This patch prevents this kernel from using kexec/kdump with
> kernels signed by those certificates when lockdown is in place.
> 
> The 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> that certificate signs kernel.efi apps only, which linux does not know
> how to use with kexec/kdump.
> 
> Kernels that include this patch should be routed via 2021v1 signing,
> to preserve kexec/kdump functionality under lockdown.
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

Just for completeness: this is not including Impish because that would be EOL by 
the time it becomes relevant?

-Stefan

>   .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++
>   .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++
>   .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++
>   3 files changed, 258 insertions(+)
>   create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem
>   create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem
>   create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem
> 
> diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem
> new file mode 100644
> index 0000000000..d26474ec3d
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 2 (0x2)
> +    Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 26 21:52:11 2017 GMT
> +            Not After : Sep 25 21:52:11 2047 GMT
> +        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42:
> +                    e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a:
> +                    74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4:
> +                    44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6:
> +                    12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a:
> +                    4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58:
> +                    35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7:
> +                    c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65:
> +                    71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29:
> +                    4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6:
> +                    37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24:
> +                    99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38:
> +                    99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2:
> +                    03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d:
> +                    b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f:
> +                    b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88:
> +                    9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad:
> +                    04:ff
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage:
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment:
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier:
> +                24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03
> +            X509v3 Authority Key Identifier:
> +                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +
> +    Signature Algorithm: sha256WithRSAEncryption
> +         00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1:
> +         d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd:
> +         a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88:
> +         fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7:
> +         c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14:
> +         51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc:
> +         0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e:
> +         61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2:
> +         c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03:
> +         6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4:
> +         50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57:
> +         f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f:
> +         b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b:
> +         20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73:
> +         87:d0:e0:d8
> +-----BEGIN CERTIFICATE-----
> +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy
> +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
> +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw
> +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4
> +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP
> +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep
> +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1
> +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8
> +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/
> +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
> +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
> +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY
> +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX
> +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo
> +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk
> +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3
> +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU
> +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL
> +3MuQN9UoJHOH0ODY
> +-----END CERTIFICATE-----
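Review bot: nothing checks that the `openssl x509 -text` dump at the top of this file still describes the base64 block under it. PEM loaders skip everything before `-----BEGIN CERTIFICATE-----`, so the `Serial Number: 2 (0x2)` and `CN=Canonical Ltd. Secure Boot Signing (2017)` lines are documentation only and can drift from the bytes that actually get revoked; either regenerate the header from the PEM body when the file is touched, or keep the bare PEM, and say in the commit message which is authoritative (the same applies to the 2018 and 2019 files). Separately, the patch only adds files: the commit message leans on the reader knowing that `debian/revoked-certs/*.pem` already feeds the kernel's revocation list (it says the 2012 certificate "was already revoked"), so one sentence on how this directory reaches the kernel would let reviewers confirm the new files are picked up without a separate list needing an update.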
> diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem
> new file mode 100644
> index 0000000000..76e6bf31e4
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 3 (0x3)
> +    Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Oct 26 18:31:14 2018 GMT
> +            Not After : Oct 24 18:31:14 2048 GMT
> +        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                Public-Key: (2048 bit)
> +                Modulus:
> +                    00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f:
> +                    6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d:
> +                    92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e:
> +                    56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef:
> +                    3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54:
> +                    bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8:
> +                    22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd:
> +                    9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b:
> +                    fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75:
> +                    99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80:
> +                    f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8:
> +                    65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d:
> +                    ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6:
> +                    d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf:
> +                    e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff:
> +                    df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45:
> +                    99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15:
> +                    2e:b5
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage:
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment:
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier:
> +                36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B
> +            X509v3 Authority Key Identifier:
> +                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +
> +    Signature Algorithm: sha256WithRSAEncryption
> +         4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc:
> +         60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17:
> +         bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa:
> +         b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8:
> +         91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f:
> +         0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0:
> +         fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74:
> +         97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c:
> +         4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9:
> +         50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef:
> +         84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b:
> +         fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad:
> +         e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d:
> +         80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85:
> +         a8:48:16:e2
> +-----BEGIN CERTIFICATE-----
> +MIIELDCCAxSgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xODEwMjYxODMxMTRaFw00ODEwMjQx
> +ODMxMTRaMIGKMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDE2MDQG
> +A1UEAwwtQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoRVNNIDIw
> +MTgpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv2rlbVV67HoRN0Wc
> +TI9rLVbTdCsyrIQtusvM7I2SImlIpdT2dRFmL8uy/Z5Wq+bxUo51PlC9JbNQ/O89
> +dvM/fwP24qElaVwUmFS9Eb/ppaxGkUsd3rcYK8gigxWnSgCNneTA2vdBAv2fX3mT
> +VsyG4bXgOQ48olv+wFbwklBaK2dnk1bXenWZaiW0Y6hfaX46SVgqp4D2WrS+sr6o
> +jEVByfL8dqhl75kpDcmcVGsK8EoOYQ3tmTKvEuISe5977AXE4LbVw3Eort0Lupet
> +aAt26b/nAX5kVDkjhTbInd0nof/fRjYUfsvMoc1JC23CDEWZVlh8hw1ZmtxKOTsd
> +2RUutQIDAQABo4GgMIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUH
> +AwMGCisGAQQBgjcKAwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVk
> +IENlcnRpZmljYXRlMB0GA1UdDgQWBBQ2UYjB03TWsHw8jyQPjvciQz1qizAfBgNV
> +HSMEGDAWgBStkZkLwiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEA
> +TA/Nd2C0b1OH8zxP5oFfpxzMYCm2NGxNCJvi0r32FxpiebgXvKJgWf0DUcO3a95z
> +s0iV9Quqtjy0NNwdC8SXYofnSNWPyerokY8qQM23s+6ymJ77NzEp5o4vCjmZHsaq
> +uAVihdOoPmA4mA/w/serAaVqpX9wpiaUdiMvCIl0l8IqyiI+euoiIggH9Lv2vGmc
> +TkQz4o5wF7CbyzOUZm3/mn3pULLokBTkK5HLoMUuDs8Z70TvhPC9V54mwmM93/yh
> +hN5c1187+5Rh8JOJH8/DstGQlzV9uYqt5gXw6DuhfK8rxK8YMy5eh9udgLUE/QDQ
> +YKv/hXcPy0ciybKFqEgW4g==
> +-----END CERTIFICATE-----
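Review bot: the subject on this certificate is `CN=Canonical Ltd. Secure Boot Signing (ESM 2018)`, but the file is named `canonical-uefi-2018-all.pem` and the commit message lists it only as the "2018" certificate. Please spell out "ESM 2018" in the commit message, and preferably in the file name, so the mapping from CRL serial 03 (`Serial Number: 3 (0x3)` above) to this key is unambiguous, and so it is visible that kernels signed with the ESM key are among those that stop being kexec/kdump targets under lockdown once this lands.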
> diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem
> new file mode 100644
> index 0000000000..dc6e4b9695
> --- /dev/null
> +++ b/debian/revoked-certs/canonical-uefi-2019-all.pem
> @@ -0,0 +1,86 @@
> +Certificate:
> +    Data:
> +        Version: 3 (0x2)
> +        Serial Number: 4 (0x4)
> +        Signature Algorithm: sha256WithRSAEncryption
> +        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
> +        Validity
> +            Not Before: Sep 18 16:10:17 2019 GMT
> +            Not After : Sep 16 16:10:17 2049 GMT
> +        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019)
> +        Subject Public Key Info:
> +            Public Key Algorithm: rsaEncryption
> +                RSA Public-Key: (2048 bit)
> +                Modulus:
> +                    00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8:
> +                    58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1:
> +                    1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75:
> +                    5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3:
> +                    9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3:
> +                    35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60:
> +                    d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5:
> +                    22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af:
> +                    ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c:
> +                    ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b:
> +                    a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c:
> +                    f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40:
> +                    55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42:
> +                    29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74:
> +                    34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07:
> +                    cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40:
> +                    d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77:
> +                    a5:37
> +                Exponent: 65537 (0x10001)
> +        X509v3 extensions:
> +            X509v3 Basic Constraints: critical
> +                CA:FALSE
> +            X509v3 Extended Key Usage:
> +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> +            Netscape Comment:
> +                OpenSSL Generated Certificate
> +            X509v3 Subject Key Identifier:
> +                C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8
> +            X509v3 Authority Key Identifier:
> +                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> +
> +    Signature Algorithm: sha256WithRSAEncryption
> +         aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f:
> +         24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd:
> +         d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70:
> +         88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad:
> +         15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee:
> +         22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9:
> +         f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db:
> +         2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c:
> +         2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b:
> +         a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9:
> +         7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7:
> +         23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3:
> +         59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01:
> +         24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82:
> +         e1:c4:5f:db
> +-----BEGIN CERTIFICATE-----
> +MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx
> +NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
> +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw
> +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9
> +fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP
> +JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v
> +ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp
> +J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd
> +dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3
> +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
> +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
> +dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY
> +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR
> +nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn
> +onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1
> +6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ
> +dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm
> +CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj
> +wL0N2G46KYLhxF/b
> +-----END CERTIFICATE-----
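Review bot: this dump appears to come from a different OpenSSL version than the other two files: `Signature Algorithm: sha256WithRSAEncryption` is indented under `Data:` at 8 spaces (fifth added line) where the 2017 and 2018 files have it at 4 spaces, and the key line reads `RSA Public-Key: (2048 bit)` instead of `Public-Key: (2048 bit)`. Harmless for loading, since only the PEM block is parsed, but if the text header is what reviewers diff when the next key rotates, regenerate all three with the same `openssl x509 -in <cert> -text` invocation so the only differences between the files are the certificate fields themselves.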
Dimitri John Ledkov March 16, 2022, 12:40 p.m. UTC | #2
On Wed, 16 Mar 2022 at 09:13, Stefan Bader <stefan.bader@canonical.com> wrote:
>
> On 15.03.22 19:26, Dimitri John Ledkov wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1964990
> >
> > Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> > purposes.
> >
> > The 2012 signing certificate was already revoked for kexec/kdump purposes.
> > After this patch is applied, certificates corresponding to CRL serials
> > 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> > purposes. This patch prevents this kernel from using kexec/kdump with
> > kernels signed by those certificates when lockdown is in place.
> >
> > The 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> > that certificate signs kernel.efi apps only, which linux does not know
> > how to use with kexec/kdump.
> >
> > Kernels that include this patch should be routed via 2021v1 signing,
> > to preserve kexec/kdump functionality under lockdown.
> >
> > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> > ---
>
> Just for completeness: this is not including Impish because that would be EOL by
> the time it becomes relevant?
>

It is not interesting to rotate signing keys of impish. However, there
are many kernels in focal that are based off impish ones and those
are interesting to rotate to a new signing key.
Thus in hindsight, this patch should be applied to impish too.

Regards,

Dimitri.


> -Stefan
>
> >   .../revoked-certs/canonical-uefi-2017-all.pem | 86 +++++++++++++++++++
> >   .../revoked-certs/canonical-uefi-2018-all.pem | 86 +++++++++++++++++++
> >   .../revoked-certs/canonical-uefi-2019-all.pem | 86 +++++++++++++++++++
> >   3 files changed, 258 insertions(+)
> >   create mode 100644 debian/revoked-certs/canonical-uefi-2017-all.pem
> >   create mode 100644 debian/revoked-certs/canonical-uefi-2018-all.pem
> >   create mode 100644 debian/revoked-certs/canonical-uefi-2019-all.pem
> >
> > diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem
> > new file mode 100644
> > index 0000000000..d26474ec3d
> > --- /dev/null
> > +++ b/debian/revoked-certs/canonical-uefi-2017-all.pem
> > @@ -0,0 +1,86 @@
> > +Certificate:
> > +    Data:
> > +        Version: 3 (0x2)
> > +        Serial Number: 2 (0x2)
> > +    Signature Algorithm: sha256WithRSAEncryption
> > +        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
> > +        Validity
> > +            Not Before: Sep 26 21:52:11 2017 GMT
> > +            Not After : Sep 25 21:52:11 2047 GMT
> > +        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017)
> > +        Subject Public Key Info:
> > +            Public Key Algorithm: rsaEncryption
> > +                Public-Key: (2048 bit)
> > +                Modulus:
> > +                    00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42:
> > +                    e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a:
> > +                    74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4:
> > +                    44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6:
> > +                    12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a:
> > +                    4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58:
> > +                    35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7:
> > +                    c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65:
> > +                    71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29:
> > +                    4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6:
> > +                    37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24:
> > +                    99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38:
> > +                    99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2:
> > +                    03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d:
> > +                    b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f:
> > +                    b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88:
> > +                    9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad:
> > +                    04:ff
> > +                Exponent: 65537 (0x10001)
> > +        X509v3 extensions:
> > +            X509v3 Basic Constraints: critical
> > +                CA:FALSE
> > +            X509v3 Extended Key Usage:
> > +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> > +            Netscape Comment:
> > +                OpenSSL Generated Certificate
> > +            X509v3 Subject Key Identifier:
> > +                24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03
> > +            X509v3 Authority Key Identifier:
> > +                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> > +
> > +    Signature Algorithm: sha256WithRSAEncryption
> > +         00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1:
> > +         d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd:
> > +         a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88:
> > +         fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7:
> > +         c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14:
> > +         51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc:
> > +         0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e:
> > +         61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2:
> > +         c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03:
> > +         6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4:
> > +         50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57:
> > +         f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f:
> > +         b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b:
> > +         20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73:
> > +         87:d0:e0:d8
> > +-----BEGIN CERTIFICATE-----
> > +MIIEKDCCAxCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
> > +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
> > +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
> > +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNzA5MjYyMTUyMTFaFw00NzA5MjUy
> > +MTUyMTFaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
> > +BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
> > +A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxNykw
> > +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvn/qfGTqdOCORzMT5QuD4
> > +VBKC3Jcs1lvBNev/SnQGtZ0yqnvz/DFaND6hpETbe20WrzV24JuZrSERxhJLriSP
> > +u9OyAP7FHZs6GkpsyvoWN4Ui+f8i/EDgWDXBOSe0xkIaltilxZUu98UeIW42hPep
> > +oeHxAwiWZXH464PPgveaRFhyABQ5KUvpeC9lILOAdju6DS1G9jcF5wX+vWzHomW1
> > +Bm4HJJmhwc/hDl5JQXEXqFDnOJnlbrbbn2PbVvScfYn20gNsmYPgmSM5Nr3LtSZ8
> > +fbDG/oJ8Uu35LI95cT2pL7Wqfneg/Wn5lxCossZ9iJ6iGb0xuAItNE2dmGCCrQT/
> > +AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
> > +KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
> > +dGlmaWNhdGUwHQYDVR0OBBYEFCQq3nWsShXlDVDISw1F/z6ucHoDMB8GA1UdIwQY
> > +MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQAAsrdX
> > +tStdFtMEiGrXd9UNifHSbhHRjvViBcRqV9/r0oZo8v2nNxE89M5d/jJfMaJrOtoo
> > +woj6f3C1JZnqJ5pWap2yDxSZ4rfGOR6Op3Yx2e3FBY1IrhtoGBRRoX32x9/Lneuk
> > +Owv/wgfFQrwNshH6NxcrHLWESC35MUpXSY5hpoIRBkw06pwqR03r4Cav2tLCCKA3
> > +NXtzcd4LxLrINN4gBANvRiYNuZECW3F2zEXkCNCm3aRQ09kEkSvZXDSI/MI3/cbU
> > +Plf3a7p71wJ6hAzIwRnMvPpS1X+zNcRTXXAK9kRgjakReht9rnsgWkyNRPbBqWHL
> > +3MuQN9UoJHOH0ODY
> > +-----END CERTIFICATE-----
> > diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem
> > new file mode 100644
> > index 0000000000..76e6bf31e4
> > --- /dev/null
> > +++ b/debian/revoked-certs/canonical-uefi-2018-all.pem
> > @@ -0,0 +1,86 @@
> > +Certificate:
> > +    Data:
> > +        Version: 3 (0x2)
> > +        Serial Number: 3 (0x3)
> > +    Signature Algorithm: sha256WithRSAEncryption
> > +        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
> > +        Validity
> > +            Not Before: Oct 26 18:31:14 2018 GMT
> > +            Not After : Oct 24 18:31:14 2048 GMT
> > +        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018)
> > +        Subject Public Key Info:
> > +            Public Key Algorithm: rsaEncryption
> > +                Public-Key: (2048 bit)
> > +                Modulus:
> > +                    00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f:
> > +                    6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d:
> > +                    92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e:
> > +                    56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef:
> > +                    3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54:
> > +                    bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8:
> > +                    22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd:
> > +                    9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b:
> > +                    fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75:
> > +                    99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80:
> > +                    f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8:
> > +                    65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d:
> > +                    ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6:
> > +                    d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf:
> > +                    e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff:
> > +                    df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45:
> > +                    99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15:
> > +                    2e:b5
> > +                Exponent: 65537 (0x10001)
> > +        X509v3 extensions:
> > +            X509v3 Basic Constraints: critical
> > +                CA:FALSE
> > +            X509v3 Extended Key Usage:
> > +                Code Signing, 1.3.6.1.4.1.311.10.3.6
> > +            Netscape Comment:
> > +                OpenSSL Generated Certificate
> > +            X509v3 Subject Key Identifier:
> > +                36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B
> > +            X509v3 Authority Key Identifier:
> > +                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
> > +
> > +    Signature Algorithm: sha256WithRSAEncryption
> > +         4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc:
> > +         60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17:
> > +         bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa:
> > +         b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8:
> > +         91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f:
> > +         0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0:
>
Kleber Sacilotto de Souza March 17, 2022, 3:21 p.m. UTC | #3
On 15.03.22 19:26, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990
> 
> Revoke 2017, 2018, 2019 signing certificates for kexec/kdump
> purposes.
> 
> 2012 signing certificate was already revoked for kexec/kdump purposes.
> After this patch is applied, certificates corresponding to CRL serials
> 01, 02, 03, 04 will not be usable by this kernel for kexec/kdump
> purposes. This patch prevents this kernel from kexec/kdump using kernels
> signed by those certificates when lockdown is in place.
> 
> 05 Ubuntu Core 2019 signing certificate is not included as revoked, as
> that certificate signs kernel.efi apps only, which linux doesn't know
> how to use with kexec/kdump.
> 
> Kernels that include this patch should be routed via 2021v1 signing,
> to preserve kexec/kdump functionality under lockdown.

Need to make sure this signing route ^ is set up before the patch
is applied.

> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks

Paolo Pisati March 22, 2022, 3:29 p.m. UTC | #4
On Tue, Mar 15, 2022 at 06:26:15PM +0000, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1964990

Patch

diff --git a/debian/revoked-certs/canonical-uefi-2017-all.pem b/debian/revoked-certs/canonical-uefi-2017-all.pem
new file mode 100644
index 0000000000..d26474ec3d
--- /dev/null
+++ b/debian/revoked-certs/canonical-uefi-2017-all.pem
@@ -0,0 +1,86 @@ 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
+        Validity
+            Not Before: Sep 26 21:52:11 2017 GMT
+            Not After : Sep 25 21:52:11 2047 GMT
+        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2017)
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:ef:9f:fa:9f:19:3a:9d:38:23:91:cc:c4:f9:42:
+                    e0:f8:54:12:82:dc:97:2c:d6:5b:c1:35:eb:ff:4a:
+                    74:06:b5:9d:32:aa:7b:f3:fc:31:5a:34:3e:a1:a4:
+                    44:db:7b:6d:16:af:35:76:e0:9b:99:ad:21:11:c6:
+                    12:4b:ae:24:8f:bb:d3:b2:00:fe:c5:1d:9b:3a:1a:
+                    4a:6c:ca:fa:16:37:85:22:f9:ff:22:fc:40:e0:58:
+                    35:c1:39:27:b4:c6:42:1a:96:d8:a5:c5:95:2e:f7:
+                    c5:1e:21:6e:36:84:f7:a9:a1:e1:f1:03:08:96:65:
+                    71:f8:eb:83:cf:82:f7:9a:44:58:72:00:14:39:29:
+                    4b:e9:78:2f:65:20:b3:80:76:3b:ba:0d:2d:46:f6:
+                    37:05:e7:05:fe:bd:6c:c7:a2:65:b5:06:6e:07:24:
+                    99:a1:c1:cf:e1:0e:5e:49:41:71:17:a8:50:e7:38:
+                    99:e5:6e:b6:db:9f:63:db:56:f4:9c:7d:89:f6:d2:
+                    03:6c:99:83:e0:99:23:39:36:bd:cb:b5:26:7c:7d:
+                    b0:c6:fe:82:7c:52:ed:f9:2c:8f:79:71:3d:a9:2f:
+                    b5:aa:7e:77:a0:fd:69:f9:97:10:a8:b2:c6:7d:88:
+                    9e:a2:19:bd:31:b8:02:2d:34:4d:9d:98:60:82:ad:
+                    04:ff
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                Code Signing, 1.3.6.1.4.1.311.10.3.6
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                24:2A:DE:75:AC:4A:15:E5:0D:50:C8:4B:0D:45:FF:3E:AE:70:7A:03
+            X509v3 Authority Key Identifier: 
+                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
+
+    Signature Algorithm: sha256WithRSAEncryption
+         00:b2:b7:57:b5:2b:5d:16:d3:04:88:6a:d7:77:d5:0d:89:f1:
+         d2:6e:11:d1:8e:f5:62:05:c4:6a:57:df:eb:d2:86:68:f2:fd:
+         a7:37:11:3c:f4:ce:5d:fe:32:5f:31:a2:6b:3a:da:28:c2:88:
+         fa:7f:70:b5:25:99:ea:27:9a:56:6a:9d:b2:0f:14:99:e2:b7:
+         c6:39:1e:8e:a7:76:31:d9:ed:c5:05:8d:48:ae:1b:68:18:14:
+         51:a1:7d:f6:c7:df:cb:9d:eb:a4:3b:0b:ff:c2:07:c5:42:bc:
+         0d:b2:11:fa:37:17:2b:1c:b5:84:48:2d:f9:31:4a:57:49:8e:
+         61:a6:82:11:06:4c:34:ea:9c:2a:47:4d:eb:e0:26:af:da:d2:
+         c2:08:a0:37:35:7b:73:71:de:0b:c4:ba:c8:34:de:20:04:03:
+         6f:46:26:0d:b9:91:02:5b:71:76:cc:45:e4:08:d0:a6:dd:a4:
+         50:d3:d9:04:91:2b:d9:5c:34:88:fc:c2:37:fd:c6:d4:3e:57:
+         f7:6b:ba:7b:d7:02:7a:84:0c:c8:c1:19:cc:bc:fa:52:d5:7f:
+         b3:35:c4:53:5d:70:0a:f6:44:60:8d:a9:11:7a:1b:7d:ae:7b:
+         20:5a:4c:8d:44:f6:c1:a9:61:cb:dc:cb:90:37:d5:28:24:73:
+         87:d0:e0:d8
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
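Review bot: the human-readable `openssl x509 -text` header in this file was produced by a different OpenSSL version than the 2019 file (`Public-Key: (2048 bit)` and a 4-space-indented `Signature Algorithm:` here, `RSA Public-Key:` and an 8-space indent in canonical-uefi-2019-all.pem), so a later diff between the three files will show tool noise rather than certificate differences; either regenerate all three headers with one OpenSSL version or drop the text header and keep only the PEM block, which is the part any consumer actually parses. The diffstat also shows only the three .pem files changing and no build rule touched, so the commit message should name the existing mechanism that picks up debian/revoked-certs/*.pem and compiles it into the kernel's revocation list; from this patch alone a reader cannot tell how the files take effect.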
diff --git a/debian/revoked-certs/canonical-uefi-2018-all.pem b/debian/revoked-certs/canonical-uefi-2018-all.pem
new file mode 100644
index 0000000000..76e6bf31e4
--- /dev/null
+++ b/debian/revoked-certs/canonical-uefi-2018-all.pem
@@ -0,0 +1,86 @@ 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
+        Validity
+            Not Before: Oct 26 18:31:14 2018 GMT
+            Not After : Oct 24 18:31:14 2048 GMT
+        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (ESM 2018)
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:bf:6a:e5:6d:55:7a:ec:7a:11:37:45:9c:4c:8f:
+                    6b:2d:56:d3:74:2b:32:ac:84:2d:ba:cb:cc:ec:8d:
+                    92:22:69:48:a5:d4:f6:75:11:66:2f:cb:b2:fd:9e:
+                    56:ab:e6:f1:52:8e:75:3e:50:bd:25:b3:50:fc:ef:
+                    3d:76:f3:3f:7f:03:f6:e2:a1:25:69:5c:14:98:54:
+                    bd:11:bf:e9:a5:ac:46:91:4b:1d:de:b7:18:2b:c8:
+                    22:83:15:a7:4a:00:8d:9d:e4:c0:da:f7:41:02:fd:
+                    9f:5f:79:93:56:cc:86:e1:b5:e0:39:0e:3c:a2:5b:
+                    fe:c0:56:f0:92:50:5a:2b:67:67:93:56:d7:7a:75:
+                    99:6a:25:b4:63:a8:5f:69:7e:3a:49:58:2a:a7:80:
+                    f6:5a:b4:be:b2:be:a8:8c:45:41:c9:f2:fc:76:a8:
+                    65:ef:99:29:0d:c9:9c:54:6b:0a:f0:4a:0e:61:0d:
+                    ed:99:32:af:12:e2:12:7b:9f:7b:ec:05:c4:e0:b6:
+                    d5:c3:71:28:ae:dd:0b:ba:97:ad:68:0b:76:e9:bf:
+                    e7:01:7e:64:54:39:23:85:36:c8:9d:dd:27:a1:ff:
+                    df:46:36:14:7e:cb:cc:a1:cd:49:0b:6d:c2:0c:45:
+                    99:56:58:7c:87:0d:59:9a:dc:4a:39:3b:1d:d9:15:
+                    2e:b5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                Code Signing, 1.3.6.1.4.1.311.10.3.6
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                36:51:88:C1:D3:74:D6:B0:7C:3C:8F:24:0F:8E:F7:22:43:3D:6A:8B
+            X509v3 Authority Key Identifier: 
+                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
+
+    Signature Algorithm: sha256WithRSAEncryption
+         4c:0f:cd:77:60:b4:6f:53:87:f3:3c:4f:e6:81:5f:a7:1c:cc:
+         60:29:b6:34:6c:4d:08:9b:e2:d2:bd:f6:17:1a:62:79:b8:17:
+         bc:a2:60:59:fd:03:51:c3:b7:6b:de:73:b3:48:95:f5:0b:aa:
+         b6:3c:b4:34:dc:1d:0b:c4:97:62:87:e7:48:d5:8f:c9:ea:e8:
+         91:8f:2a:40:cd:b7:b3:ee:b2:98:9e:fb:37:31:29:e6:8e:2f:
+         0a:39:99:1e:c6:aa:b8:05:62:85:d3:a8:3e:60:38:98:0f:f0:
+         fe:c7:ab:01:a5:6a:a5:7f:70:a6:26:94:76:23:2f:08:89:74:
+         97:c2:2a:ca:22:3e:7a:ea:22:22:08:07:f4:bb:f6:bc:69:9c:
+         4e:44:33:e2:8e:70:17:b0:9b:cb:33:94:66:6d:ff:9a:7d:e9:
+         50:b2:e8:90:14:e4:2b:91:cb:a0:c5:2e:0e:cf:19:ef:44:ef:
+         84:f0:bd:57:9e:26:c2:63:3d:df:fc:a1:84:de:5c:d7:5f:3b:
+         fb:94:61:f0:93:89:1f:cf:c3:b2:d1:90:97:35:7d:b9:8a:ad:
+         e6:05:f0:e8:3b:a1:7c:af:2b:c4:af:18:33:2e:5e:87:db:9d:
+         80:b5:04:fd:00:d0:60:ab:ff:85:77:0f:cb:47:22:c9:b2:85:
+         a8:48:16:e2
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
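Review bot: all three files carry the same `X509v3 Authority Key Identifier` (`keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63`), so the 2017, ESM 2018 and 2019 leaf certificates all chain to the one Canonical Ltd. Master Certificate Authority; revoking the leaves does not withdraw trust in that CA, and the commit message should say explicitly that only these three leaf keys are being revoked, not their issuer, so nobody reads the patch as distrusting the CA or anything else it has signed. Since this hunk is the ESM variant (`CN=Canonical Ltd. Secure Boot Signing (ESM 2018)`, `Serial Number: 3`), a one-line table mapping each file to its CRL serial (02, 03, 04 per the description) would also let a reviewer confirm that nothing listed as revoked in the commit message is missing from debian/revoked-certs.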
diff --git a/debian/revoked-certs/canonical-uefi-2019-all.pem b/debian/revoked-certs/canonical-uefi-2019-all.pem
new file mode 100644
index 0000000000..dc6e4b9695
--- /dev/null
+++ b/debian/revoked-certs/canonical-uefi-2019-all.pem
@@ -0,0 +1,86 @@ 
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 4 (0x4)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
+        Validity
+            Not Before: Sep 18 16:10:17 2019 GMT
+            Not After : Sep 16 16:10:17 2049 GMT
+        Subject: C=GB, ST=Isle of Man, O=Canonical Ltd., OU=Secure Boot, CN=Canonical Ltd. Secure Boot Signing (2019)
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:e6:47:d8:75:e5:87:59:26:87:83:7d:5b:7a:b8:
+                    58:3d:7c:ef:36:f8:a0:7a:b7:14:56:58:7d:01:f1:
+                    1c:3b:8c:e6:5b:03:77:7d:a0:ed:47:0a:45:e6:75:
+                    5c:de:95:38:0d:38:fa:41:79:89:56:31:87:e7:a3:
+                    9a:36:70:b6:cf:24:2f:99:26:89:08:39:0e:14:c3:
+                    35:be:02:8b:52:e1:8e:7b:0c:a6:9d:78:ff:01:60:
+                    d7:f5:c3:d5:f0:5e:dc:e4:23:09:59:72:93:d3:b5:
+                    22:af:7c:cd:e0:84:0f:af:11:2d:bc:c6:72:42:af:
+                    ea:67:63:c4:10:41:78:02:80:62:0d:43:74:b4:1c:
+                    ed:50:d7:94:f1:b0:bb:f9:57:80:e4:69:0f:83:4b:
+                    a2:e6:2c:4a:9a:e1:7d:7c:62:19:29:27:97:1f:4c:
+                    f1:85:f0:39:f5:31:9f:3a:39:0e:d4:4d:07:3a:40:
+                    55:4b:a6:6c:9d:04:89:51:2d:7c:b0:ef:40:b5:42:
+                    29:16:cc:65:73:38:62:21:f6:e3:2c:17:50:9d:74:
+                    34:4e:df:7c:4a:33:a4:bb:40:cf:d5:e5:ed:05:07:
+                    cd:4c:f9:af:7f:a6:5c:b9:f7:c5:16:45:4e:44:40:
+                    d7:85:32:de:ac:e5:75:ad:9b:d7:c0:26:33:1f:77:
+                    a5:37
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Extended Key Usage: 
+                Code Signing, 1.3.6.1.4.1.311.10.3.6
+            Netscape Comment: 
+                OpenSSL Generated Certificate
+            X509v3 Subject Key Identifier: 
+                C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8
+            X509v3 Authority Key Identifier: 
+                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
+
+    Signature Algorithm: sha256WithRSAEncryption
+         aa:12:6c:d1:9d:6a:da:f0:ec:7c:17:46:3b:57:b8:d6:76:5f:
+         24:e6:06:a2:0a:55:1f:2f:d3:5e:8f:de:cf:02:f2:ff:e0:dd:
+         d3:c7:bd:75:59:aa:cd:34:f3:28:80:73:cc:28:69:e7:a2:70:
+         88:a2:c7:dc:66:f0:92:0e:ff:64:bf:30:04:54:01:1b:96:ad:
+         15:c5:61:fd:32:61:d7:5e:b5:ba:91:fd:31:fc:6b:15:df:ee:
+         22:d9:e4:1f:f3:cc:8b:0c:9f:f5:e8:f7:e2:62:3f:40:52:c9:
+         f0:f1:1c:63:fc:6c:90:e1:5b:74:03:b9:df:d1:3e:a8:ec:db:
+         2b:6e:83:6f:9f:7f:ba:b4:79:fc:3d:e7:12:2f:4a:e7:17:8c:
+         2b:77:a5:90:74:3c:bd:cf:75:83:0d:1a:95:d5:56:ef:07:9b:
+         a6:b3:31:e3:8c:97:ce:68:11:b5:7b:25:03:72:1c:ea:67:e9:
+         7c:3e:73:c7:7c:3e:fc:f5:ae:8a:b2:07:0d:15:6a:66:09:d7:
+         23:b9:5d:80:7a:26:d6:b6:22:30:aa:84:af:c0:42:e9:75:c3:
+         59:ab:a3:84:87:6b:0c:b7:ab:4e:92:69:ae:2c:82:6f:ab:01:
+         24:ab:ff:78:6d:59:85:c2:3b:23:c0:bd:0d:d8:6e:3a:29:82:
+         e1:c4:5f:db
+-----BEGIN CERTIFICATE-----
+MIIEKDCCAxCgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
+FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
+DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
+IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xOTA5MTgxNjEwMTdaFw00OTA5MTYx
+NjEwMTdaMIGGMQswCQYDVQQGEwJHQjEUMBIGA1UECAwLSXNsZSBvZiBNYW4xFzAV
+BgNVBAoMDkNhbm9uaWNhbCBMdGQuMRQwEgYDVQQLDAtTZWN1cmUgQm9vdDEyMDAG
+A1UEAwwpQ2Fub25pY2FsIEx0ZC4gU2VjdXJlIEJvb3QgU2lnbmluZyAoMjAxOSkw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmR9h15YdZJoeDfVt6uFg9
+fO82+KB6txRWWH0B8Rw7jOZbA3d9oO1HCkXmdVzelTgNOPpBeYlWMYfno5o2cLbP
+JC+ZJokIOQ4UwzW+AotS4Y57DKadeP8BYNf1w9XwXtzkIwlZcpPTtSKvfM3ghA+v
+ES28xnJCr+pnY8QQQXgCgGINQ3S0HO1Q15TxsLv5V4DkaQ+DS6LmLEqa4X18Yhkp
+J5cfTPGF8Dn1MZ86OQ7UTQc6QFVLpmydBIlRLXyw70C1QikWzGVzOGIh9uMsF1Cd
+dDRO33xKM6S7QM/V5e0FB81M+a9/ply598UWRU5EQNeFMt6s5XWtm9fAJjMfd6U3
+AgMBAAGjgaAwgZ0wDAYDVR0TAQH/BAIwADAfBgNVHSUEGDAWBggrBgEFBQcDAwYK
+KwYBBAGCNwoDBjAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2Vy
+dGlmaWNhdGUwHQYDVR0OBBYEFMB0b9bF2jroJ4ZGUa1mrkf+JLPoMB8GA1UdIwQY
+MBaAFK2RmQvCKrH1FwSMI7ZlWiaONFpjMA0GCSqGSIb3DQEBCwUAA4IBAQCqEmzR
+nWra8Ox8F0Y7V7jWdl8k5gaiClUfL9Nej97PAvL/4N3Tx711WarNNPMogHPMKGnn
+onCIosfcZvCSDv9kvzAEVAEblq0VxWH9MmHXXrW6kf0x/GsV3+4i2eQf88yLDJ/1
+6PfiYj9AUsnw8Rxj/GyQ4Vt0A7nf0T6o7NsrboNvn3+6tHn8PecSL0rnF4wrd6WQ
+dDy9z3WDDRqV1VbvB5umszHjjJfOaBG1eyUDchzqZ+l8PnPHfD789a6KsgcNFWpm
+CdcjuV2AeibWtiIwqoSvwELpdcNZq6OEh2sMt6tOkmmuLIJvqwEkq/94bVmFwjsj
+wL0N2G46KYLhxF/b
+-----END CERTIFICATE-----
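Review bot: nothing in this file ties the human-readable dump to the base64 body that follows it, so a reviewer has to take on trust that the PEM block really decodes to Serial Number 4, subject "Canonical Ltd. Secure Boot Signing (2019)" and Subject Key Identifier C0:74:6F:D6:C5:DA:3A:E8:27:86:46:51:AD:66:AE:47:FE:24:B3:E8, and the dump can silently drift from the body on a future edit. Suggest either recording in the commit message how the file was produced (the dump looks like `openssl x509 -text` output) and that only the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block is consumed, or checking before merge with `openssl x509 -in debian/revoked-certs/canonical-uefi-2019-all.pem -noout -serial -subject -ext subjectKeyIdentifier` that the output matches the serial, subject and SKID printed above. Worth noting too that the certificate itself is valid until Sep 16 2049 and carries the Code Signing / 1.3.6.1.4.1.311.10.3.6 extended key usage, so its presence in this directory is the only thing that stops a kernel built from this tree from accepting signatures made with the 2019 key; a kernel that picks up this file but is still signed by that key would therefore reject itself, which the packaging should guard against rather than leave to the signing pipeline.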