[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Thu, 11 May 2023 06:36:11 -0700 

There's no specific log to share, I've downloaded the kconfig for the
kvm flavour from the linux-
buildinfo-6.2.0-1003-kvm_6.2.0-1003.3_amd64.deb package, extracted
usr/lib/linux/6.2.0-1003-kvm/config and checked for these kconfigs, and
they are not present:

$ grep DM_VERITY config
# CONFIG_DM_VERITY is not set
$ grep IMA_ARCH config
$

** Changed in: linux (Ubuntu)
       Status: Incomplete => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title:
  linux-*: please enable dm-verity kconfigs to allow MoK/db verified
  root images

Status in linux package in Ubuntu:
  In Progress
Status in linux-meta-azure package in Ubuntu:
  Invalid
Status in linux-meta-kvm package in Ubuntu:
  Invalid
Status in linux source package in Jammy:
  In Progress
Status in linux-meta-azure source package in Jammy:
  New
Status in linux-meta-kvm source package in Jammy:
  New
Status in linux source package in Kinetic:
  New
Status in linux-meta-azure source package in Kinetic:
  New
Status in linux-meta-kvm source package in Kinetic:
  New
Status in linux source package in Lunar:
  New
Status in linux-meta-azure source package in Lunar:
  New
Status in linux-meta-kvm source package in Lunar:
  New
Status in linux source package in Mantic:
  In Progress
Status in linux-meta-azure source package in Mantic:
  Invalid
Status in linux-meta-kvm source package in Mantic:
  Invalid

Bug description:
  The kvm flavours currently do not enable dm-verity. This stops us from
  using integrity protected and verified images in VMs using this kernel
  flavour.

  Please consider enabling the following kconfigs:

  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_IMA_ARCH_POLICY

  (The latter is needed to ensure that MoK keys can be used to verify
  dm-verity images too, via the machine keyring linked to the secondary
  keyring)

  These are already enabled in the 'main' kernel config, and in other
  distros.

  As a specific and explicit use case, in the systemd project we want to
  test functionality provided by systemd that needs these kconfigs on
  Ubuntu machines running the kvm flavour kernel.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2019040/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to