From patchwork Fri Dec 16 12:23:51 2022
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1716492
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [focal..unstable][linux-signed-*][PATCH v2] UBUNTU: [Packaging] Check if EFI signatures are revoked at build time
Date: Fri, 16 Dec 2022 12:23:51 +0000
Message-Id: <20221216122351.661206-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1996955

If built-in revocation certificates information is known, verify if freshly signed EFI binaries are revoked. This prevents accidentally publishing signed kernel packages that fail to kexec/kdump under secureboot.

Signed-off-by: Dimitri John Ledkov
---
This patch should be applied to all linux-signed* packages, in all series from focal to lunar/unstable, for all UEFI signed derivatives. It does seem to apply unmodified at least on focal-lunar:linux-signed. Thus if approved, I can automate applying this using cranky fix and pushing it for everybody. I understand that not everyone calls cranky fix on the signed packages, hence it's probably best for a single person to handle this patch application.

This patch by itself will not start doing the validation, as separately, a unique build-dependency on the buildinfo package needs to be added as well. Will submit that separately.

Changes since v1:
- split the debian/rules change submission into a standalone one.
- expand the scope of signed packages that need this patch applied.

 debian/rules | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/debian/rules b/debian/rules index 69b5e48598..d27ab822f8 100755 --- a/debian/rules +++ b/debian/rules @@ -45,6 +45,8 @@ clean:: pre-clean %: dh $@ +override_dh_auto_build: SHELL=/bin/sh -x + override_dh_auto_build: ./download-signed "$(src_headers_arch)" "$(unsigned_ver)" "$(unsigned_src)" #./download-unsigned "$(DEB_HOST_ARCH)" "$(unsigned_ver)" @@ -54,6 +56,19 @@ override_dh_auto_build: for s in *.efi.signed; do \ [ ! -f "$$s" ] && continue; \ base=$$(echo "$$s" | sed -e 's/.efi.signed//'); \ + flavour=$$(echo "$$base" | sed -e "s@.*-$(abi)-@@"); \ + verflav="$(abi)-$$flavour"; \ + if [ -e /usr/lib/linux/$$verflav/canonical-revoked-certs.pem ]; then \ + awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}' < /usr/lib/linux/$$verflav/canonical-revoked-certs.pem; \ + for cert in revoked-cert.*.pem; do \ + echo Checking signature against $$cert; \ + if sbverify --verbose --verbose --cert $$cert $$s; then \ + echo Which is bad. EFI binary signed with revoked cert $$cert; \ + exit 1; \ + fi; \ + done; \ + echo All good. EFI binary not signed with a revoked key.; \ + fi; \ ( \ vars="$${base}.efi.vars"; \ [ -f "$$vars" ] && . "./$$vars"; \
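Review bot: in the first hunk (@@ -45,6 +45,8 @@), the target-specific variable `override_dh_auto_build: SHELL=/bin/sh -x` turns on shell tracing for the whole build recipe, which is a debugging aid unrelated to the revocation check and is not mentioned in the commit message. With `-x` every command of the recipe is echoed into the build log, including the `. "./$$vars"` sourcing further down, so either drop the line or state in the commit message that the build log is meant to show each `sbverify` invocation.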
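Review bot: in the second hunk (@@ -54,6 +56,19 @@), the split `awk 'BEGIN {c=0;} /Certificate:/{c++} { print > "revoked-cert." c ".pem"}'` only separates certificates when the bundle carries `openssl x509 -text` style `Certificate:` headers; a bundle that is plain PEM never matches, so the entire file ends up in `revoked-cert.0.pem` and is handed to `sbverify --cert` as a single file, and any text before the first `Certificate:` line lands in `revoked-cert.0.pem` as well. Splitting on the PEM marker instead, e.g. `/-----BEGIN CERTIFICATE-----/{c++}`, covers both layouts and avoids the `.0` file. Two smaller points: when `/usr/lib/linux/$$verflav/canonical-revoked-certs.pem` does not exist the check is skipped silently, which also happens if the `sed -e "s@.*-$(abi)-@@"` flavour extraction does not find `-$(abi)-` in the name, so an `else echo` reporting the skip would make that visible in the log; and the generated `revoked-cert.*.pem` files are left in the build directory, so remove them after the `for cert` loop or cover them in `clean`.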
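As an added example that is not part of the patch or of the linux-signed packaging, the same build-time check as a standalone POSIX shell script. It differs from the recipe above in that it splits the revocation bundle on the PEM `-----BEGIN CERTIFICATE-----` markers, so a plain PEM bundle and an `openssl x509 -text` bundle with `Certificate:` headers are handled alike, and it takes the verify command as an optional parameter (default `sbverify --cert` from sbsigntools) so the splitting and the loop can be exercised without a signed image. The bundle written by `write_sample_bundle` is constructed placeholder data, not real certificates, and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the patch or the linux-signed packaging:
# a standalone version of the build-time revocation check.

# split_pem_bundle BUNDLE OUTDIR
#   Writes one file per PEM certificate block to OUTDIR/revoked-cert.N.pem
#   (N starting at 1) and prints the number of certificates found.
#   Splitting on the BEGIN/END CERTIFICATE markers works both for a plain
#   PEM bundle and for one produced with "openssl x509 -text", where a
#   "Certificate:" text dump precedes each block; the text dump and any
#   comment lines between blocks are not copied into the per-cert files.
split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    rm -f "$outdir"/revoked-cert.*.pem
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/revoked-cert." n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$bundle"
}

# check_revoked EFI_BINARY BUNDLE [VERIFY_CMD]
#   Returns 0 if the binary verifies against none of the certificates in
#   BUNDLE, 1 if it verifies against one (it was signed with, or chains to,
#   a revoked certificate), 2 on a usage error.
#   VERIFY_CMD is run as "$VERIFY_CMD CERT BINARY" and must succeed only when
#   BINARY verifies against CERT; the default is sbverify from sbsigntools.
#   Accepting another command is an assumption made so the example can be
#   tested offline.
check_revoked() {
    efi=$1
    bundle=$2
    verify=${3:-"sbverify --cert"}
    if [ ! -f "$efi" ] || [ ! -f "$bundle" ]; then
        echo "usage: check_revoked EFI_BINARY REVOKED_BUNDLE.pem [VERIFY_CMD]" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 2
    count=$(split_pem_bundle "$bundle" "$workdir")
    if [ "$count" -eq 0 ]; then
        echo "warning: no certificates in $bundle, nothing to check against" >&2
        rm -rf "$workdir"
        return 0
    fi
    status=0
    for cert in "$workdir"/revoked-cert.*.pem; do
        echo "Checking $efi against revoked certificate $cert"
        # A successful verification is the failure case here: the signature
        # chains to a certificate that is on the revocation list.
        # $verify is deliberately unquoted so "sbverify --cert" splits into words.
        if $verify "$cert" "$efi" >/dev/null 2>&1; then
            echo "FAIL: $efi is signed with revoked certificate $cert" >&2
            status=1
            break
        fi
    done
    rm -rf "$workdir"
    return "$status"
}

# write_sample_bundle FILE
#   Constructed sample data, NOT real certificates: two placeholder PEM blocks
#   (base64 of the strings PLACEHOLDER-CERT-1 and PLACEHOLDER-CERT-2) in the
#   "openssl x509 -text" layout, plus a comment line.
write_sample_bundle() {
    cat > "$1" <<'EOF'
# constructed revocation bundle for this example
Certificate:
    Data: (text dump omitted in this constructed sample)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0VSVC0x
-----END CERTIFICATE-----
Certificate:
    Data: (text dump omitted in this constructed sample)
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0VSVC0y
-----END CERTIFICATE-----
EOF
}

# Usage against a real signed image with the default sbverify (file names are
# assumptions for the example):
#   check_revoked vmlinuz.efi.signed canonical-revoked-certs.pem || exit 1
```

In a `debian/rules` recipe the `check_revoked` call would sit where the patch runs its `for cert` loop, with the exit status of the call deciding whether the build stops. Splitting on the PEM marker means a bundle with no `Certificate:` text headers still yields one file per certificate rather than one file holding the whole bundle.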