** Changed in: linux (Ubuntu Mantic)
Status: In Progress => Fix Committed
** Changed in: linux-kvm (Ubuntu Mantic)
Status: In Progress => Invalid
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2019040
Title:
linux-*: please enable dm-verity kconfigs to allow MoK/db verified
root images
Status in linux package in Ubuntu:
Fix Committed
Status in linux-kvm package in Ubuntu:
Invalid
Status in linux-meta-azure package in Ubuntu:
Invalid
Status in linux-meta-kvm package in Ubuntu:
Invalid
Status in linux source package in Jammy:
Fix Released
Status in linux-kvm source package in Jammy:
Fix Released
Status in linux-meta-azure source package in Jammy:
Invalid
Status in linux-meta-kvm source package in Jammy:
New
Status in linux source package in Kinetic:
Fix Committed
Status in linux-kvm source package in Kinetic:
In Progress
Status in linux-meta-azure source package in Kinetic:
Invalid
Status in linux-meta-kvm source package in Kinetic:
New
Status in linux source package in Lunar:
Fix Released
Status in linux-kvm source package in Lunar:
Fix Released
Status in linux-meta-azure source package in Lunar:
New
Status in linux-meta-kvm source package in Lunar:
New
Status in linux source package in Mantic:
Fix Committed
Status in linux-kvm source package in Mantic:
Invalid
Status in linux-meta-azure source package in Mantic:
Invalid
Status in linux-meta-kvm source package in Mantic:
Invalid
Bug description:
SRU Justification
[Impact]
The kvm flavours currently do not enable dm-verity. This stops us from
using integrity protected and verified images in VMs using this kernel
flavour.
[Fix]
Please consider enabling the following kconfigs:
CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY (this might not be necessary if the machine keyring
implementation is patched to skip the check enabled by this kconfig)
(The latter two are needed to ensure that MoK keys can be used to
verify dm-verity images too, via the machine keyring linked to the
secondary keyring)
These are already enabled in the 'main' kernel config, and in other
distros.
As a specific and explicit use case, in the systemd project we want to
test functionality provided by systemd that needs these kconfigs on
Ubuntu machines running the kvm flavour kernel.
To verify whether this works, add a certificate to MOK, boot and check
the content of the secondary keyring. The machine keyring should show
up under it, and it should show the certificates loaded in MOK. E.g.:
$ sudo keyctl show %:.secondary_trusted_keys
Keyring
159454604 ---lswrv 0 0 keyring: .secondary_trusted_keys
88754641 ---lswrv 0 0 \_ keyring: .builtin_trusted_keys
889010778 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot CA:
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
799434660 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot
Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
541326986 ---lswrv 0 0 \_ keyring: .machine
188508854 ---lswrv 0 0 \_ asymmetric: Debian Secure Boot CA:
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
475039424 ---lswrv 0 0 \_ asymmetric: sb-bluca: Secure Boot
Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479
[Regression Potential]
MOK keys may not be correctly read.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2019040/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
