Message ID | 20210805145949.133895-1-dimitri.ledkov@canonical.com |
---|---|
Series | Built-in Revocation certificates |

On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
> In Impish, support was added to load revoked certificates from mokx
> (submitted upstream, revied, not accepted yet) into blacklist keyring.
>
> Also in Impish, from upstream, there is now support to have built-in
> revoked keys. And we have 2012 UEFI key revoked by default (as also
> revoked globally via uefi dbx update).
>
> Backport both of the above things to Hirsute, such that our kernels
> honor mokx revocations, and also have the 2012 key revoked always
> (when booted with or without working shim).
>
> This patch series was test built and tested using the revocations list
> test case that is proposed for RT ubuntu_boot test. See
> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
>
> Dimitri John Ledkov (5):
>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>     table
>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>     certs
>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>     certs
>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>     keys
>
>  certs/blacklist.c | 3 +
>  debian.master/config/annotations | 1 +
>  debian.master/config/config.common.ubuntu | 2 +-
>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>  debian/rules | 14 ++-
>  .../platform_certs/keyring_handler.c | 1 +
>  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>  7 files changed, 145 insertions(+), 36 deletions(-)
>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>

None of the git SHA1 commit IDs appear to be valid in upstream linux or even linux-next.

rtg
-----------
Tim Gardner
Canonical, Inc

On 09.08.21 14:19, Tim Gardner wrote:
>
>
> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
>> In Impish, support was added to load revoked certificates from mokx
>> (submitted upstream, revied, not accepted yet) into blacklist keyring.
>>
>> Also in Impish, from upstream, there is now support to have built-in
>> revoked keys. And we have 2012 UEFI key revoked by default (as also
>> revoked globally via uefi dbx update).
>>
>> Backport both of the above things to Hirsute, such that our kernels
>> honor mokx revocations, and also have the 2012 key revoked always
>> (when booted with or without working shim).
>>
>> This patch series was test built and tested using the revocations list
>> test case that is proposed for RT ubuntu_boot test. See
>> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>>
>> BugLink: https://bugs.launchpad.net/bugs/1928679
>> BugLink: https://bugs.launchpad.net/bugs/1932029
>>
>> Dimitri John Ledkov (5):
>>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>>     table
>>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>>     certs
>>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>>     certs
>>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>>     keys
>>
>>  certs/blacklist.c | 3 +
>>  debian.master/config/annotations | 1 +
>>  debian.master/config/config.common.ubuntu | 2 +-
>>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>>  debian/rules | 14 ++-
>>  .../platform_certs/keyring_handler.c | 1 +
>>  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>>  7 files changed, 145 insertions(+), 36 deletions(-)
>>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>>
>
> None of the git SHA1 commit IDs appear to be valid in upstream linux or even
> linux-next.

This should be added upon commit but these are all things from impish:linux which are required by us to roll our keys. I suspect there will be similar sets for all series somewhen in our future.

>
> rtg
> -----------
> Tim Gardner
> Canonical, Inc
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On Thu, Aug 12, 2021 at 10:25:10AM +0200, Stefan Bader wrote:
> On 09.08.21 14:19, Tim Gardner wrote:
> >
> > None of the git SHA1 commit IDs appear to be valid in upstream linux or
> > even linux-next.
>
> This should be added upon commit but these are all things from impish:linux
> which are required by us to roll our keys. I suspect there will be similar
> sets for all series somewhen in our future.

Agreed. We need all of our live kernels to have this support before we can rotate our primary keys without exploding the EFI revocation lists. The sha1s are mostly useless in this context as backports from newer kernels but benign.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

On Mon, Aug 9, 2021 at 1:19 PM Tim Gardner <tim.gardner@canonical.com> wrote:
>
>
>
> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
> > In Impish, support was added to load revoked certificates from mokx
> > (submitted upstream, revied, not accepted yet) into blacklist keyring.
> >

Note mentioning that SAUCE patches have not been accepted upstream anywhere.

> > Also in Impish, from upstream, there is now support to have built-in
> > revoked keys. And we have 2012 UEFI key revoked by default (as also
> > revoked globally via uefi dbx update).
> >
> > Backport both of the above things to Hirsute, such that our kernels
> > honor mokx revocations, and also have the 2012 key revoked always
> > (when booted with or without working shim).
> >
> > This patch series was test built and tested using the revocations list
> > test case that is proposed for RT ubuntu_boot test. See
> > https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
> >
> > BugLink: https://bugs.launchpad.net/bugs/1928679
> > BugLink: https://bugs.launchpad.net/bugs/1932029
> >
> > Dimitri John Ledkov (5):
> >   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
> >     table
> >   UBUNTU: SAUCE: integrity: add informational messages when revoking
> >     certs
> >   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
> >     certs
> >   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> >   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
> >     keys
> >
> >  certs/blacklist.c | 3 +
> >  debian.master/config/annotations | 1 +
> >  debian.master/config/config.common.ubuntu | 2 +-
> >  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
> >  debian/rules | 14 ++-
> >  .../platform_certs/keyring_handler.c | 1 +
> >  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
> >  7 files changed, 145 insertions(+), 36 deletions(-)
> >  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> >
>
> None of the git SHA1 commit IDs appear to be valid in upstream linux or
> even linux-next.
>
> rtg

That is why they still have the SAUCE title, and point at commits from
impish series. They have been submitted upstream, but they are not
getting reviewed / applied for a long time now. I suspect it is mostly
because Debian already carries an equivalent patch (for mok config
table) and all other distros are unaffected (they don't use CA inside
shim) / don't care (to allow users to self revoke many signing
certificates).

I thought I made this clear in the opening paragraph of the cover
letter. (albeit there is a typpo "revied" => "reviewed"). The git-sha
reference will become meaningless once the unstable kernel is rebased
onto v5.14, but it will be valid whilst impish kernels are still in
use.

I was not sure how to best indicate that these patches have already
been through review to get into impish kernel.

On 8/12/21 3:04 AM, Dimitri John Ledkov wrote:
> On Mon, Aug 9, 2021 at 1:19 PM Tim Gardner <tim.gardner@canonical.com> wrote:
>>
>>
>>
>> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
>>> In Impish, support was added to load revoked certificates from mokx
>>> (submitted upstream, revied, not accepted yet) into blacklist keyring.
>>>
>
> Note mentioning that SAUCE patches have not been accepted upstream anywhere.
>
>>> Also in Impish, from upstream, there is now support to have built-in
>>> revoked keys. And we have 2012 UEFI key revoked by default (as also
>>> revoked globally via uefi dbx update).
>>>
>>> Backport both of the above things to Hirsute, such that our kernels
>>> honor mokx revocations, and also have the 2012 key revoked always
>>> (when booted with or without working shim).
>>>
>>> This patch series was test built and tested using the revocations list
>>> test case that is proposed for RT ubuntu_boot test. See
>>> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>>>
>>> BugLink: https://bugs.launchpad.net/bugs/1928679
>>> BugLink: https://bugs.launchpad.net/bugs/1932029
>>>
>>> Dimitri John Ledkov (5):
>>>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>>>     table
>>>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>>>     certs
>>>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>>>     certs
>>>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>>>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>>>     keys
>>>
>>>  certs/blacklist.c | 3 +
>>>  debian.master/config/annotations | 1 +
>>>  debian.master/config/config.common.ubuntu | 2 +-
>>>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>>>  debian/rules | 14 ++-
>>>  .../platform_certs/keyring_handler.c | 1 +
>>>  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>>>  7 files changed, 145 insertions(+), 36 deletions(-)
>>>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>>>
>>
>> None of the git SHA1 commit IDs appear to be valid in upstream linux or
>> even linux-next.
>>
>> rtg
>
> That is why they still have the SAUCE title, and point at commits from
> impish series. They have been submitted upstream, but they are not
> getting reviewed / applied for a long time now. I suspect it is mostly
> because Debian already carries an equivalent patch (for mok config
> table) and all other distros are unaffected (they don't use CA inside
> shim) / don't care (to allow users to self revoke many signing
> certificates).
>
> I thought I made this clear in the opening paragraph of the cover
> letter. (albeit there is a typpo "revied" => "reviewed"). The git-sha
> reference will become meaningless once the unstable kernel is rebased
> onto v5.14, but it will be valid whilst impish kernels are still in
> use.
>
> I was not sure how to best indicate that these patches have already
> been through review to get into impish kernel.
>

You are correct. I don't know what I was thinking. Perhaps I was short on coffee.

rtg
-----------
Tim Gardner
Canonical, Inc

Applied to Hirsute master-next with extra note that SHA1 is from Impish. Thank you!

-Kelsey

On 2021-08-05 15:59:44 , Dimitri John Ledkov wrote:
> In Impish, support was added to load revoked certificates from mokx
> (submitted upstream, revied, not accepted yet) into blacklist keyring.
>
> Also in Impish, from upstream, there is now support to have built-in
> revoked keys. And we have 2012 UEFI key revoked by default (as also
> revoked globally via uefi dbx update).
>
> Backport both of the above things to Hirsute, such that our kernels
> honor mokx revocations, and also have the 2012 key revoked always
> (when booted with or without working shim).
>
> This patch series was test built and tested using the revocations list
> test case that is proposed for RT ubuntu_boot test. See
> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
>
> Dimitri John Ledkov (5):
>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>     table
>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>     certs
>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>     certs
>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>     keys
>
>  certs/blacklist.c | 3 +
>  debian.master/config/annotations | 1 +
>  debian.master/config/config.common.ubuntu | 2 +-
>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>  debian/rules | 14 ++-
>  .../platform_certs/keyring_handler.c | 1 +
>  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>  7 files changed, 145 insertions(+), 36 deletions(-)
>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>
> --
> 2.30.2
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team