
[SRU,I/kvm,1/1] UBUNTU: [Config] Enable Trusted, Platform, Secondary Keyrings

Message ID 20211005111402.70024-2-dimitri.ledkov@canonical.com

Commit Message

Dimitri John Ledkov Oct. 5, 2021, 11:14 a.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1942319

Enable the keyrings required to support Platform, Built-in Trusted,
Secondary and Revoked keys and hashes.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 debian.kvm/config/annotations          |  5 +++++
 debian.kvm/config/config.common.ubuntu | 18 ++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

Comments

Kleber Sacilotto de Souza Oct. 7, 2021, 8:52 a.m. UTC | #1
On 05.10.21 13:14, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1942319
> 
> Enable keyrings required to support Platform, Built-in Trusted,
> Secondary, Revoked keys and hashes.
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks

> ---
>   debian.kvm/config/annotations          |  5 +++++
>   debian.kvm/config/config.common.ubuntu | 18 ++++++++++++++----
>   2 files changed, 19 insertions(+), 4 deletions(-)
> 
> diff --git a/debian.kvm/config/annotations b/debian.kvm/config/annotations
> index a0de0feb0e..10c963254d 100644
> --- a/debian.kvm/config/annotations
> +++ b/debian.kvm/config/annotations
> @@ -8,6 +8,11 @@ CONFIG_MODVERSIONS              mark<ENFORCED> note<LP: #1898716>
>   CONFIG_SYSTEM_TRUSTED_KEYS      policy<{'amd64': '"debian/canonical-certs.pem"'}>
>   CONFIG_SYSTEM_TRUSTED_KEYS      mark<ENFORCED> note<LP: #1898716>
>   
> +CONFIG_LOAD_UEFI_KEYS           policy<{'amd64': 'y'}>
> +CONFIG_SYSTEM_REVOCATION_KEYS   policy<{'amd64': '"debian/canonical-revoked-certs.pem"'}>
> +CONFIG_LOAD_UEFI_KEYS           mark<ENFORCED> note<LP: #1942319>
> +CONFIG_SYSTEM_REVOCATION_KEYS   mark<ENFORCED> note<LP: #1942319>
> +
>   CONFIG_BLK_DEV_RAM				policy<{'amd64': 'm'}>
>   CONFIG_BLK_DEV_RAM				mark<ENFORCED> note<LP: #1873809>
>   
> diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
> index d7f55812d6..a06bc85299 100644
> --- a/debian.kvm/config/config.common.ubuntu
> +++ b/debian.kvm/config/config.common.ubuntu
> @@ -1230,6 +1230,7 @@ CONFIG_IA32_FEAT_CTL=y
>   CONFIG_IKHEADERS=m
>   CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
>   # CONFIG_IMA is not set
> +# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
>   # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
>   CONFIG_INET=y
>   CONFIG_INET6_AH=m
> @@ -1282,8 +1283,11 @@ CONFIG_INPUT_EVDEV=y
>   CONFIG_INSTRUCTION_DECODER=y
>   # CONFIG_INT340X_THERMAL is not set
>   CONFIG_INTEGRITY=y
> +CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
>   CONFIG_INTEGRITY_AUDIT=y
> -# CONFIG_INTEGRITY_SIGNATURE is not set
> +CONFIG_INTEGRITY_PLATFORM_KEYRING=y
> +CONFIG_INTEGRITY_SIGNATURE=y
> +CONFIG_INTEGRITY_TRUSTED_KEYRING=y
>   CONFIG_INTEL_IDLE=y
>   # CONFIG_INTEL_ISH_HID is not set
>   # CONFIG_INTEL_MEI is not set
> @@ -1454,6 +1458,7 @@ CONFIG_KERNEL_LZ4=y
>   # CONFIG_KERNEL_ZSTD is not set
>   CONFIG_KERNFS=y
>   CONFIG_KEXEC=y
> +# CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not set
>   CONFIG_KEXEC_CORE=y
>   CONFIG_KEXEC_FILE=y
>   CONFIG_KEXEC_SIG=y
> @@ -1498,6 +1503,7 @@ CONFIG_LIBNVDIMM=y
>   CONFIG_LLC=y
>   # CONFIG_LLC2 is not set
>   CONFIG_LLD_VERSION=0
> +CONFIG_LOAD_UEFI_KEYS=y
>   CONFIG_LOCALVERSION=""
>   # CONFIG_LOCALVERSION_AUTO is not set
>   CONFIG_LOCKD=m
> @@ -2431,7 +2437,7 @@ CONFIG_SCSI_VIRTIO=y
>   CONFIG_SECCOMP=y
>   # CONFIG_SECCOMP_CACHE_DEBUG is not set
>   CONFIG_SECCOMP_FILTER=y
> -# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
> +CONFIG_SECONDARY_TRUSTED_KEYRING=y
>   CONFIG_SECTION_MISMATCH_WARN_ONLY=y
>   CONFIG_SECURITY=y
>   CONFIG_SECURITYFS=y
> @@ -2510,7 +2516,8 @@ CONFIG_SHIFT_FS_POSIX_ACL=y
>   CONFIG_SHMEM=y
>   CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
>   CONFIG_SIGNALFD=y
> -# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
> +CONFIG_SIGNATURE=y
> +CONFIG_SIGNED_PE_FILE_VERIFICATION=y
>   # CONFIG_SIOX is not set
>   CONFIG_SKB_EXTENSIONS=y
>   # CONFIG_SLAB is not set
> @@ -2599,10 +2606,13 @@ CONFIG_SYSCTL_EXCEPTION_TRACE=y
>   CONFIG_SYSFS=y
>   # CONFIG_SYSFS_DEPRECATED is not set
>   # CONFIG_SYSFS_SYSCALL is not set
> -# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
> +CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
> +CONFIG_SYSTEM_BLACKLIST_KEYRING=y
>   CONFIG_SYSTEM_DATA_VERIFICATION=y
>   CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
>   CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
> +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
> +CONFIG_SYSTEM_REVOCATION_LIST=y
>   CONFIG_SYSTEM_TRUSTED_KEYRING=y
>   CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
>   CONFIG_SYSVIPC=y
>

Patch

diff --git a/debian.kvm/config/annotations b/debian.kvm/config/annotations
index a0de0feb0e..10c963254d 100644
--- a/debian.kvm/config/annotations
+++ b/debian.kvm/config/annotations
@@ -8,6 +8,11 @@  CONFIG_MODVERSIONS              mark<ENFORCED> note<LP: #1898716>
 CONFIG_SYSTEM_TRUSTED_KEYS      policy<{'amd64': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_TRUSTED_KEYS      mark<ENFORCED> note<LP: #1898716>
 
+CONFIG_LOAD_UEFI_KEYS           policy<{'amd64': 'y'}>
+CONFIG_SYSTEM_REVOCATION_KEYS   policy<{'amd64': '"debian/canonical-revoked-certs.pem"'}>
+CONFIG_LOAD_UEFI_KEYS           mark<ENFORCED> note<LP: #1942319>
+CONFIG_SYSTEM_REVOCATION_KEYS   mark<ENFORCED> note<LP: #1942319>
+
 CONFIG_BLK_DEV_RAM				policy<{'amd64': 'm'}>
 CONFIG_BLK_DEV_RAM				mark<ENFORCED> note<LP: #1873809>
 
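Review bot: Only CONFIG_LOAD_UEFI_KEYS and CONFIG_SYSTEM_REVOCATION_KEYS receive a policy line and an ENFORCED mark in this hunk, while the other options the series flips in config.common.ubuntu (CONFIG_SECONDARY_TRUSTED_KEYRING, CONFIG_SYSTEM_BLACKLIST_KEYRING, CONFIG_SYSTEM_REVOCATION_LIST, CONFIG_INTEGRITY_PLATFORM_KEYRING) stay unannotated. Judging from the existing CONFIG_SYSTEM_TRUSTED_KEYS entries, the annotations are what stop a config regeneration from silently reverting a setting, so the widened trust chain could be lost later without the checker noticing; please confirm that is how the annotations are consumed here. Adding a pair per option, e.g. `CONFIG_SECONDARY_TRUSTED_KEYRING   policy<{'amd64': 'y'}>` followed by `CONFIG_SECONDARY_TRUSTED_KEYRING   mark<ENFORCED> note<LP: #1942319>`, would close that gap. The surrounding entries also keep each option's policy and mark lines adjacent, whereas the new block lists both policies before both marks; matching the existing layout would make the file easier to scan.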
diff --git a/debian.kvm/config/config.common.ubuntu b/debian.kvm/config/config.common.ubuntu
index d7f55812d6..a06bc85299 100644
--- a/debian.kvm/config/config.common.ubuntu
+++ b/debian.kvm/config/config.common.ubuntu
@@ -1230,6 +1230,7 @@  CONFIG_IA32_FEAT_CTL=y
 CONFIG_IKHEADERS=m
 CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
 # CONFIG_IMA is not set
+# CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not set
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
 CONFIG_INET=y
 CONFIG_INET6_AH=m
@@ -1282,8 +1283,11 @@  CONFIG_INPUT_EVDEV=y
 CONFIG_INSTRUCTION_DECODER=y
 # CONFIG_INT340X_THERMAL is not set
 CONFIG_INTEGRITY=y
+CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
 CONFIG_INTEGRITY_AUDIT=y
-# CONFIG_INTEGRITY_SIGNATURE is not set
+CONFIG_INTEGRITY_PLATFORM_KEYRING=y
+CONFIG_INTEGRITY_SIGNATURE=y
+CONFIG_INTEGRITY_TRUSTED_KEYRING=y
 CONFIG_INTEL_IDLE=y
 # CONFIG_INTEL_ISH_HID is not set
 # CONFIG_INTEL_MEI is not set
@@ -1454,6 +1458,7 @@  CONFIG_KERNEL_LZ4=y
 # CONFIG_KERNEL_ZSTD is not set
 CONFIG_KERNFS=y
 CONFIG_KEXEC=y
+# CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not set
 CONFIG_KEXEC_CORE=y
 CONFIG_KEXEC_FILE=y
 CONFIG_KEXEC_SIG=y
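Review bot: CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is left unset on the added line even though the context shows CONFIG_KEXEC_FILE=y and CONFIG_KEXEC_SIG=y, and this series enables CONFIG_SIGNED_PE_FILE_VERIFICATION, which is presumably what makes the option appear in the generated config at all. As I recall, without it the x86 bzImage loader provides no signature-verification hook, so kexec_file_load cannot check a kexec'd kernel against the keyrings this series enables and only the lockdown policy decides whether an unverifiable image is refused; please confirm against the Kconfig dependencies. If the point of adding PE verification is to cover kexec'd kernels, the line should read `CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y`; if it is deliberately off for the kvm flavour, a sentence in the commit message saying so would help whoever audits this config next.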
@@ -1498,6 +1503,7 @@  CONFIG_LIBNVDIMM=y
 CONFIG_LLC=y
 # CONFIG_LLC2 is not set
 CONFIG_LLD_VERSION=0
+CONFIG_LOAD_UEFI_KEYS=y
 CONFIG_LOCALVERSION=""
 # CONFIG_LOCALVERSION_AUTO is not set
 CONFIG_LOCKD=m
@@ -2431,7 +2437,7 @@  CONFIG_SCSI_VIRTIO=y
 CONFIG_SECCOMP=y
 # CONFIG_SECCOMP_CACHE_DEBUG is not set
 CONFIG_SECCOMP_FILTER=y
-# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
+CONFIG_SECONDARY_TRUSTED_KEYRING=y
 CONFIG_SECTION_MISMATCH_WARN_ONLY=y
 CONFIG_SECURITY=y
 CONFIG_SECURITYFS=y
@@ -2510,7 +2516,8 @@  CONFIG_SHIFT_FS_POSIX_ACL=y
 CONFIG_SHMEM=y
 CONFIG_SHUFFLE_PAGE_ALLOCATOR=y
 CONFIG_SIGNALFD=y
-# CONFIG_SIGNED_PE_FILE_VERIFICATION is not set
+CONFIG_SIGNATURE=y
+CONFIG_SIGNED_PE_FILE_VERIFICATION=y
 # CONFIG_SIOX is not set
 CONFIG_SKB_EXTENSIONS=y
 # CONFIG_SLAB is not set
@@ -2599,10 +2606,13 @@  CONFIG_SYSCTL_EXCEPTION_TRACE=y
 CONFIG_SYSFS=y
 # CONFIG_SYSFS_DEPRECATED is not set
 # CONFIG_SYSFS_SYSCALL is not set
-# CONFIG_SYSTEM_BLACKLIST_KEYRING is not set
+CONFIG_SYSTEM_BLACKLIST_HASH_LIST=""
+CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
+CONFIG_SYSTEM_REVOCATION_LIST=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
 CONFIG_SYSVIPC=y
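Review bot: CONFIG_SYSTEM_BLACKLIST_HASH_LIST="" on the added line leaves the built-in hash blacklist empty, so the "hashes" the commit message refers to can only be whatever CONFIG_LOAD_UEFI_KEYS imports at boot, as far as I can tell; stating that explicitly in the description would avoid the impression that a hash list ships with the kernel. CONFIG_SYSTEM_REVOCATION_KEYS points at debian/canonical-revoked-certs.pem, a build-time path that this patch does not add, so the build depends on that file already being present in the tree. Neither is a defect in the diff itself, but both determine what the revocation keyring actually contains and deserve a line in the commit message.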