From patchwork Tue Aug 24 17:37:59 2021
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [IMPISH][PATCH] UBUNTU: [Config] Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS
Date: Tue, 24 Aug 2021 18:37:59 +0100
Message-Id: <20210824173759.64847-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20210824173759.64847-1-dimitri.ledkov@canonical.com>
References: <20210824173759.64847-1-dimitri.ledkov@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1932029

Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS on all
architectures, including riscv64.

Note that TRUSTED and REVOCATION keys files are dynamically generated
and individual kernels may add/revoke certificates specific to them, as
needed. But all kernels must trust & revoke a base set of certificates.

Note some kernel flavours don't inherit, or don't enforce all annotation
keys by default, hence enforcement of these options is required.

Fixes: 741f622c4d ("UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys")
Signed-off-by: Dimitri John Ledkov
---
 debian.master/config/annotations | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index c0b76a4636..600cf79097 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -363,11 +363,14 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING mark # Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> -CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> +CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 'riscv64': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> -CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> +CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 'riscv64': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> +# +CONFIG_SYSTEM_TRUSTED_KEYS mark +CONFIG_SYSTEM_REVOCATION_KEYS mark # Menu: Cryptographic API >> Hardware crypto devices CONFIG_CRYPTO_HW policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 
'y', 's390x': 'y'}>
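Review bot: the riscv64 entries added on the `+CONFIG_SYSTEM_TRUSTED_KEYS policy<...>` and `+CONFIG_SYSTEM_REVOCATION_KEYS policy<...>` lines have no counterpart on the unchanged `CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>` context line, nor on CONFIG_SYSTEM_EXTRA_CERTIFICATE, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE or CONFIG_SECONDARY_TRUSTED_KEYRING, so the certificate file is now enforced on riscv64 while the keyring that consumes it is not. Either add `'riscv64': 'y'` to those policy lines in the same patch or state in the commit message why they are deliberately left unenforced on riscv64. A style point on the three added lines `+#`, `+CONFIG_SYSTEM_TRUSTED_KEYS mark` and `+CONFIG_SYSTEM_REVOCATION_KEYS mark`: the bare `+#` separator could carry the rationale from the commit message ("some kernel flavours don't inherit ... annotation keys by default") as a `#` comment, so the reason for the enforcement is visible to the next person editing this block.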
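The commit message makes the point that an option is only enforced on an architecture that appears in its `policy<...>` dictionary and is marked; the patch adds riscv64 to both dictionaries and marks both options. The script below, added here as an illustration and not Canonical's own config checker (the real one lives elsewhere in the kernel packaging and understands many more annotation forms), parses the two annotation forms visible in this patch plus a `.config`, and shows the before/after difference for a riscv64 build that was configured without the certificate bundles. The sample annotations and `.config` fragments are constructed and trimmed to a few architectures; treating `mark` as "enforce this option" and reporting "no policy for this arch" as a finding are this example's own assumptions.

```python
"""Toy checker for the Ubuntu kernel `annotations` enforcement model.

Added example for this page, not Canonical's own tooling. It models only
what the patch shows:

  CONFIG_X   policy<{'arch': 'value', ...}>   # expected value per arch
  CONFIG_X   mark                              # enforce the policy for X

plus a .config in the usual KEY=value / "# KEY is not set" syntax.
Treating `mark` as "enforce" and "no policy for this arch" as a finding
are this example's conventions, assumed from the commit message.
"""
import ast
import re

POLICY_RE = re.compile(r"^(CONFIG_\w+)\s+policy<(\{.*\})>\s*$")
MARK_RE = re.compile(r"^(CONFIG_\w+)\s+mark\b")


def parse_annotations(text):
    """Return ({option: {arch: expected}}, {enforced options})."""
    policies, marked = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m:
            # The policy is a Python dict literal; literal_eval parses it
            # without executing code, unlike eval.
            policies[m.group(1)] = ast.literal_eval(m.group(2))
            continue
        m = MARK_RE.match(line)
        if m:
            marked.add(m.group(1))
    return policies, marked


def parse_dotconfig(text):
    """Map CONFIG_* to its literal value; unset bools become 'n'."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^# (CONFIG_\w+) is not set$", line)
        if m:
            cfg[m.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key] = value
    return cfg


def check(annotations, dotconfig, arch):
    """List enforcement failures of `dotconfig` against `annotations`."""
    policies, marked = parse_annotations(annotations)
    cfg = parse_dotconfig(dotconfig)
    problems = []
    for opt in sorted(marked):
        policy = policies.get(opt, {})
        if arch not in policy:
            # The gap the patch closes for riscv64: a marked option with
            # no policy entry for this arch is silently left unchecked.
            problems.append(f"{opt}: no policy for {arch}, nothing enforced")
            continue
        want, got = policy[arch], cfg.get(opt, "n")
        if got != want:
            problems.append(f"{opt}: want {want}, got {got}")
    return problems


# Constructed sample inputs, trimmed to a few architectures for brevity.
ANNOTATIONS_BEFORE = """\
# Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
CONFIG_SYSTEM_TRUSTED_KEYS     policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"'}>
CONFIG_SYSTEM_REVOCATION_KEYS  policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"'}>
"""

ANNOTATIONS_AFTER = """\
# Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
CONFIG_SYSTEM_TRUSTED_KEYS     policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'riscv64': '"debian/canonical-certs.pem"'}>
CONFIG_SYSTEM_REVOCATION_KEYS  policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'riscv64': '"debian/canonical-revoked-certs.pem"'}>
#
CONFIG_SYSTEM_TRUSTED_KEYS     mark
CONFIG_SYSTEM_REVOCATION_KEYS  mark
"""

# A riscv64 .config built without the Canonical certificate bundles.
DOTCONFIG_RISCV64_BAD = """\
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_SYSTEM_REVOCATION_KEYS=""
"""

DOTCONFIG_RISCV64_GOOD = """\
CONFIG_SYSTEM_TRUSTED_KEYRING=y
CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
"""

if __name__ == "__main__":
    # Before the patch the bad riscv64 config passes: nothing is marked.
    print(check(ANNOTATIONS_BEFORE, DOTCONFIG_RISCV64_BAD, "riscv64"))
    # After it, the same config fails on both options.
    for problem in check(ANNOTATIONS_AFTER, DOTCONFIG_RISCV64_BAD, "riscv64"):
        print(problem)
    print(check(ANNOTATIONS_AFTER, DOTCONFIG_RISCV64_GOOD, "riscv64"))
```

Run against the constructed inputs, the pre-patch annotations accept a riscv64 config with empty certificate paths, and the post-patch annotations reject it on both options; an architecture absent from the dictionaries (armhf in the trimmed sample) is reported as unenforced rather than silently passed.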