| Message ID | 20210615154004.351480-1-dimitri.ledkov@canonical.com |
|---|---|
| Headers | show |
| Series | Support builtin revoked certificates | expand |
On Tue, Jun 15, 2021 at 04:40:01PM +0100, Dimitri John Ledkov wrote: > [Impact] > > Upstream linux kernel now supports configuring built-in revoked > certificates for the .blacklist keyring. > > Add support in our kernel configuration to have built-in revoked > certificates. > > Revoke UEFI amd64 & arm64 2012 signing certificate. > > Under UEFI Secureboot with lockdown, shim may attempt to communicate > revoked certificates to the kernel and depending on how good EFI > firmware is, this may or may not succeed. > > By having these built-in, it will be prohibited to kexec file_load > older kernels that were signed with now revoked certificates, however > one boots. > > [Test Plan] > > * Boot kernel directly, or just with grub, and without shim > > * Check that > > $ sudo keyctl list %:.blacklist > > Contains assymetric 2012 key. > > [Where problems could occur] > > * Derivative and per-arch kernels may need to revoke different keys, > thus this should be evaluated on per arch & flavour basis as to > which keys to revoke. > > [Other Info] > > * In theory, this only needs to be revoked on amd64 and arm64, but > empty revocation list is not allowed by the kernel configury, thus > at the moment revoking 2012 UEFI cert for all architectures. > > Dimitri John Ledkov (3): > UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch > certs > UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked > keys > > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 +- > .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++ > debian/rules | 14 ++- > 4 files changed, 101 insertions(+), 2 deletions(-) > create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem I haven't tested it explicitly, but it all looks good to me. Applied to unstable/5.13. Thanks, -Andrea
[Impact] Upstream linux kernel now supports configuring built-in revoked certificates for the .blacklist keyring. Add support in our kernel configuration to have built-in revoked certificates. Revoke UEFI amd64 & arm64 2012 signing certificate. Under UEFI Secureboot with lockdown, shim may attempt to communicate revoked certificates to the kernel and depending on how good EFI firmware is, this may or may not succeed. By having these built-in, it will be prohibited to kexec file_load older kernels that were signed with now revoked certificates, however one boots. [Test Plan] * Boot kernel directly, or just with grub, and without shim * Check that $ sudo keyctl list %:.blacklist Contains assymetric 2012 key. [Where problems could occur] * Derivative and per-arch kernels may need to revoke different keys, thus this should be evaluated on per arch & flavour basis as to which keys to revoke. [Other Info] * In theory, this only needs to be revoked on amd64 and arm64, but empty revocation list is not allowed by the kernel configury, thus at the moment revoking 2012 UEFI cert for all architectures. Dimitri John Ledkov (3): UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 2 +- .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++ debian/rules | 14 ++- 4 files changed, 101 insertions(+), 2 deletions(-) create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem