** Also affects: linux-kvm (Ubuntu Impish)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1942319
Title:
When booting with UEFI, mokvar table and %:.platform keyring must be
available
Status in linux-kvm package in Ubuntu:
New
Status in linux-kvm source package in Impish:
New
Bug description:
[Impact]
* When booting with UEFI, the mokvar table and the %:.platform keyring must be available. These are required for the builtin revocation certificates to be present, for the shim builtin certificates to be present, and thus for signed & verified kexec to be supported. It also allows revocation of signed lrm and livepatch drivers which are trusted by this kernel.
* The kvm annotations are very minimal, v3 format, and the parent kernel's annotations are not enforced.
[Test Plan]
* Check that /sys/firmware/efi/mok-variables/ is available
* Check that %:.blacklist keyring is populated
$ sudo keyctl list %:.blacklist
* Check that %:.platform keyring is populated
$ sudo keyctl list %:.platform
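The three checks in the Test Plan above, as an added POSIX shell script that is not part of the bug report. It assumes keyutils is installed (the `keyctl` binary) and that it is run as root, since listing the kernel's system keyrings needs privileges; the path and keyring names are the ones named in the bug. The parsing helper takes `keyctl list` output on stdin, so it can be exercised on constructed text without a UEFI system.

```sh
#!/bin/sh
# Added example: verify mokvar table and keyring state for LP: #1942319.
# Assumptions: keyutils installed, run as root; path/keyring names from the bug.

MOK_DIR="/sys/firmware/efi/mok-variables"

# Return 0 if the mokvar directory exists and exposes at least one variable.
mok_table_present() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Read 'keyctl list' output on stdin; return 0 if it reports >= 1 key.
# keyctl prints either "keyring is empty" or "N key(s) in keyring:".
keyring_listing_populated() {
    n=$(head -n 1 | sed -n 's/^\([0-9][0-9]*\) keys* in keyring:.*/\1/p')
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Return 0 if the named kernel keyring (e.g. %:.platform) holds keys.
keyring_populated() {
    command -v keyctl >/dev/null 2>&1 || return 1
    keyctl list "$1" 2>/dev/null | keyring_listing_populated
}

# Run all three Test Plan checks; return the number of failures.
run_checks() {
    fails=0
    if mok_table_present "$MOK_DIR"; then
        echo "ok   $MOK_DIR is available"
    else
        echo "FAIL $MOK_DIR missing or empty"; fails=$((fails + 1))
    fi
    for kr in %:.blacklist %:.platform; do
        if keyring_populated "$kr"; then
            echo "ok   $kr is populated"
        else
            echo "FAIL $kr is empty or unreadable"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Invoke as: sudo sh check-mokvar.sh --run
case "${1:-}" in
    --run) run_checks; exit $? ;;
esac
```

The exit status of `run_checks` is the number of failed checks, so it can be used directly from a test harness; a kernel affected by this bug reports failures for all three items.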
[Where problems could occur]
* Given how small the kvm config is, it is not clear if all of the lockdown features are correctly enabled, specifically measuring and appraising things with the integrity framework. It is possible that further config changes will be required to make the kvm flavour as hardened as the generic one.
[Other Info]
* This issue was discovered whilst working on
https://bugs.launchpad.net/bugs/1928679 and
https://bugs.launchpad.net/bugs/1932029
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/1942319/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp