From patchwork Mon Nov 21 15:03:23 2022
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [linux-meta][K][L][PATCH 1/2] UBUNTU: [Packaging] Check if EFI signatures are revoked at build time
Date: Mon, 21 Nov 2022 15:03:23 +0000
Message-Id: <20221121150324.1304110-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20221121150324.1304110-1-dimitri.ledkov@canonical.com>
References: <20221121150324.1304110-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1996955

If built-in revocation certificates information is known, verify if freshly signed EFI binaries are revoked. This prevents accidentally publishing signed kernel packages that fail to kexec/kdump under secureboot.

Signed-off-by: Dimitri John Ledkov
---
 debian/rules | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/debian/rules b/debian/rules index 69b5e48598..d27ab822f8 100755 --- a/debian/rules +++ b/debian/rules @@ -45,6 +45,8 @@ clean:: pre-clean %: dh $@ +override_dh_auto_build: SHELL=/bin/sh -x + override_dh_auto_build: ./download-signed "$(src_headers_arch)" "$(unsigned_ver)" "$(unsigned_src)" #./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)"
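Review bot: the target-specific `override_dh_auto_build: SHELL=/bin/sh -x` in the first hunk turns on shell tracing for the whole recipe, not just the new revocation loop, so the existing download-signed step and the `. "./$$vars"` sourcing in the later hunk will also be echoed into the build log; this reads as a debugging aid left in. Either drop it, or say in the commit message that a traced build log is wanted so the next person does not remove it as noise.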
@@ -54,6 +56,19 @@ override_dh_auto_build: for s in *.efi.signed; do \ [ ! -f "$$s" ] && continue; \ base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \ + flavour=$$(echo "$$base" | sed -e "s@.*-$(abi)-@@"); \ + verflav="$(abi)-$$flavour"; \ + if [ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]; then \ + awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}' < /usr/lib/linux/$$verflav/canonical-revoked-certs.pem; \ + for cert in revoked-cert.*.pem; do \ + echo Checking signature against $$cert; \ + if sbverify --verbose --verbose --cert $$cert $$s; then \ + echo Which is bad. EFI binary signed with revoked cert $$cert; \ + exit 1; \ + fi; \ + done; \ + echo All good. EFI binary not signed with a revoked key.; \ + fi; \ ( \ vars="$${base}.efi.vars"; \ [ -f "$$vars" ] && . "./$$vars"; \
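Review bot: the awk split in the second hunk is re-run inside the `for s in *.efi.signed` loop for every binary and leaves `revoked-cert.*.pem` behind in the package directory with nothing removing them; anything before the first `Certificate:` line (c=0) also lands in `revoked-cert.0.pem`, which sbverify is then asked to load as a certificate. Split the bundle once before the loop into a temporary directory and remove it afterwards (or add the files to the clean target), and parenthesize the redirection target, `print > ("revoked-cert." c ".pem")`, rather than relying on how the awk implementation parses an unparenthesized concatenation after `>`. Separately, the `[ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]` guard skips the check silently when the file is absent, so a `$$flavour` mis-derived by `sed -e "s@.*-$(abi)-@@"` would let the build pass without checking anything; at least echo that the check was skipped for that flavour.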
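A stand-alone version of the check this patch performs, written for this page as an added example and not taken from the linux-meta packaging. It cuts the revoked-certificate bundle on the PEM BEGIN/END markers instead of on the `Certificate:` text-dump header, so any preamble is discarded and no stray file is produced, keeps the per-certificate files in a temporary directory that is removed afterwards, and returns a distinct status for "no revocation data" so a skipped check cannot be mistaken for a passed one. The function names `split_pem_bundle` and `check_not_revoked` are this example's own; it assumes `sbverify` from sbsigntool is on PATH, and the only path taken from the patch is the `canonical-revoked-certs.pem` bundle.

```shell
#!/bin/sh
# Added example for this page, not code from the linux-meta packaging.
# Checks whether a signed EFI binary verifies against any certificate in a
# PEM bundle of revoked certificates (e.g. canonical-revoked-certs.pem).
# Assumes sbverify from sbsigntool is on PATH; all paths are illustrative.

# split_pem_bundle BUNDLE OUTDIR
# Cuts BUNDLE on the PEM BEGIN/END markers and writes OUTDIR/cert.N.pem
# (N starting at 1), one certificate per file. Text outside the markers,
# such as an "openssl x509 -text" dump preceding each block, is dropped,
# so no stray "cert.0.pem" is produced. Prints the number of files written.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    rm -f "$outdir"/cert.*.pem
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; out = dir "/cert." n ".pem"; inblock = 1 }
        inblock                         { print > out }
        /^-----END CERTIFICATE-----$/   { inblock = 0; close(out) }
        END                             { print n + 0 }
    ' "$bundle"
}

# check_not_revoked BINARY BUNDLE
# Exit status: 0 = binary does not verify against any revoked cert,
#              1 = binary verifies against a revoked cert (fail the build),
#              2 = no usable revocation data (check skipped, reported on stderr).
check_not_revoked() {
    binary=$1
    bundle=$2
    if [ ! -f "$bundle" ]; then
        echo "no revocation data at $bundle; check skipped" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle; check skipped" >&2
        rm -rf "$tmp"
        return 2
    fi
    status=0
    for cert in "$tmp"/cert.*.pem; do
        # sbverify succeeds only if the binary's signature chains to this cert,
        # which for a revoked-certs bundle is exactly the failure case.
        if sbverify --cert "$cert" "$binary" >/dev/null 2>&1; then
            echo "REVOKED: $binary verifies against $(basename "$cert") from $bundle" >&2
            status=1
            break
        fi
    done
    rm -rf "$tmp"
    return $status
}

# Usage: sh check-revoked.sh BINARY BUNDLE
if [ "$#" -eq 2 ]; then
    check_not_revoked "$1" "$2"
fi
```

Invoked as `sh check-revoked.sh <signed .efi or vmlinuz> /usr/lib/linux/<version-flavour>/canonical-revoked-certs.pem`, a status of 1 is the condition the patch turns into a build failure, while 2 is the silent-skip case the patch's `[ -e ... ]` guard swallows.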
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [linux-meta][K][L][PATCH 2/2] UBUNTU: [Packaging] Add EFI signed flavours buildinfo build-depends
Date: Mon, 21 Nov 2022 15:03:24 +0000
Message-Id: <20221121150324.1304110-3-dimitri.ledkov@canonical.com>
In-Reply-To: <20221121150324.1304110-1-dimitri.ledkov@canonical.com>
References: <20221121150324.1304110-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1996955

Add build-depends on linux-buildinfo packages for all EFI signed flavours. This will activate the revocation check, if the buildinfo package exposes built-in revoked certificates information, see https://bugs.launchpad.net/bugs/1996892

Signed-off-by: Dimitri John Ledkov
---
 debian/control.stub | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/control.stub b/debian/control.stub index a3c7134cf2..8b8c867761 100644 --- a/debian/control.stub +++ b/debian/control.stub @@ -11,6 +11,8 @@ Build-Depends-Arch: sbsigntool [amd64 arm64], HEADERS_COMMON (>= UNSIGNED_SRC_VERSION), HEADERS_ARCH (>= UNSIGNED_SRC_VERSION), + linux-buildinfo-ABI-generic [amd64 arm64], + linux-buildinfo-ABI-generic-64k [arm64], Standards-Version: 3.9.4 Package: linux-image-ABI-generic
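Review bot: the two new build-depends in the control.stub hunk carry no version relation, unlike `HEADERS_COMMON (>= UNSIGNED_SRC_VERSION)` and `HEADERS_ARCH (>= UNSIGNED_SRC_VERSION)` directly above them, so an older `linux-buildinfo-ABI-generic` upload with the same ABI satisfies them and the revocation check would run against that package's bundle rather than the one belonging to the kernel being signed; add `(>= UNSIGNED_SRC_VERSION)` to both entries. The flavour list is also hard-coded to generic and generic-64k while the rules loop checks every `*.efi.signed`, so any other signed flavour would get no buildinfo dependency and, because the rules guard only tests for the file's existence, no revocation check either.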