This bug was fixed in the package linux-signed - 4.15.0-19.20
---------------
linux-signed (4.15.0-19.20) bionic; urgency=medium
* Master version: 4.15.0-19.20
linux-signed (4.15.0-18.19+signed2) bionic; urgency=medium
* Fix dbgsym package handling to work for the case where we have a
bumped linux-signed version number.
linux-signed (4.15.0-18.19+signed1) bionic; urgency=medium
* Fix the dbgsym packages to be correctly named as .ddeb instead of .deb
so they are published to the right archive.
linux-signed (4.15.0-18.19) bionic; urgency=medium
* Master version: 4.15.0-18.19
* signing: only install a signed kernel (LP: #1764794)
- switch to raw-signing tarball form
- make control.stub master for packages built
- [Config] tone down the output verbosity
- switch to producing linux-image directly
- propogate control information from -unsigned package
- pull control files in from linux-unsigned
- resync control files with master
- introduce meta packages for the debug package
- fix names of substvars files
- propogate Recommends: and Provides: from unsigned package
- fix Section: control records
- do not produce lowlatency dbgsym package for ppc64el
- move dbgsym packages to bottom of control file
- ensure we apt-cache show against the exact version
* [18.04 FEAT] Sign POWER host/NV kernels (LP: #1696154)
- add Opal signing support and enable for ppc64el
linux-signed (4.15.0-17.18) bionic; urgency=medium
* Master version: 4.15.0-17.18
linux-signed (4.15.0-16.17) bionic; urgency=medium
* Master version: 4.15.0-16.17
-- Seth Forshee <seth.fors...@canonical.com> Sat, 21 Apr 2018 17:32:56
-0500
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1696154
Title:
[18.04 FEAT] Sign POWER host/NV kernels
Status in Launchpad itself:
Fix Released
Status in The Ubuntu-power-systems project:
Fix Committed
Status in linux package in Ubuntu:
Fix Released
Status in linux-signed package in Ubuntu:
Fix Released
Bug description:
Feature Description:
Sign POWER host and NV kernels with sign-file in anticipation of POWER
secure boot. Provide the associated certificate. Ideally it would
be possible to reuse the UEFI shim private key and certificate used to
sign and verify x86_64 kernels. More details to follow. Guest
kernels will be addressed in a future separate feature request.
Business Case:
As a system administrator I want to verify the integrity of my kernels
so that I can prevent malicious kernels from being executed.
Use Case:
Signed POWER kernels will be validated by OPAL as OpenPOWER systems
boot when keys are properly installed and the system is booted in
secure mode.
Test Case:
Sign and install a POWER kernel on an OpenPOWER machine with a
firmware level that supports secure boot. Install a PK, distro KEK
certificat, and distro DB certificate. Boot the system and verify
that it will boot the kernel. Negative tests: Separately remove the
signature, install an usigned kernel, and modify the kernel image and
test that the kernel will not boot.
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/1696154/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
