
[UNSTABLE] UBUNTU: [Config] Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS

Message ID 20210824173759.64847-1-dimitri.ledkov@canonical.com
State New

Commit Message

Dimitri John Ledkov Aug. 24, 2021, 5:37 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1932029

Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS on all
architectures, including riscv64. Note that TRUSTED and REVOCATION
keys files are dynamically generated and individual kernels may
add/revoke certificates specific to them, as needed. But all kernels
must trust & revoke a base set of certificates.

Note that some kernel flavours don't inherit, or don't enforce, all
annotation keys by default; hence enforcement of these options is
required.

Fixes: 503c7ca37e ("UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 debian.master/config/annotations | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Comments

Paolo Pisati Aug. 27, 2021, 10:18 a.m. UTC | #1
On Tue, Aug 24, 2021 at 06:37:58PM +0100, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1932029

Patch

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index c9c451e95f..f34f943c29 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -355,16 +355,19 @@  CONFIG_MODULE_SIG_KEY                           policy<{'amd64': '"certs/signing
 CONFIG_SYSTEM_BLACKLIST_KEYRING                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_BLACKLIST_HASH_LIST               policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
 CONFIG_SYSTEM_REVOCATION_LIST                   policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_REVOCATION_KEYS                   policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
+CONFIG_SYSTEM_REVOCATION_KEYS                   policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 'riscv64': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
 #
 CONFIG_SYSTEM_BLACKLIST_KEYRING                 mark<ENFORCED>
+CONFIG_SYSTEM_REVOCATION_KEYS                   mark<ENFORCED>
 
 # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
 CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
+CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 'riscv64': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
 CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+#
+CONFIG_SYSTEM_TRUSTED_KEYS                      mark<ENFORCED>
 
 # Menu: Cryptographic API >> Hardware crypto devices
 CONFIG_CRYPTO_HW                                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
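Review bot: The `riscv64` entries are added only to the two `*_KEYS` policies, while the parent options visible in this hunk (`CONFIG_SYSTEM_BLACKLIST_KEYRING`, `CONFIG_SYSTEM_REVOCATION_LIST` and `CONFIG_SYSTEM_TRUSTED_KEYRING`) still list no `riscv64` value, and only `CONFIG_SYSTEM_BLACKLIST_KEYRING` carries `mark<ENFORCED>`. In certs/Kconfig the key-file options depend on those parents, so a flavour that leaves `CONFIG_SYSTEM_REVOCATION_LIST` or `CONFIG_SYSTEM_TRUSTED_KEYRING` unset would build without the revocation or trust file. Whether the enforcement check flags a `*_KEYS` option that has disappeared from the config is not visible here. riscv64 may already set the parents in a flavour-specific annotations file outside this diff, which is worth confirming. If it does not, consider adding `'riscv64': 'y'` to the three parent policies and enforcing them as well, e.g. `CONFIG_SYSTEM_REVOCATION_LIST mark<ENFORCED>` and `CONFIG_SYSTEM_TRUSTED_KEYRING mark<ENFORCED>`.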