** Description changed:

- When booting with UEFI, mokvar table and %:.platform keyring must be
- available
+ [Impact]
+
+ * When booting with UEFI, the mokvar table and the %:.platform keyring must be
+ available. These are required for the builtin revocation certificates to be
+ present, for the shim builtin certificates to be present, and thus for
+ signed & verified kexec to be supported. It also allows revocation of signed lrm
+ and livepatch drivers which are trusted by this kernel.
+
+ * The kvm annotations are very minimal, in v3 format, and the parent
+ kernel's annotations are not enforced.
+
+ [Test Plan]
+
+ * Check that /sys/firmware/efi/mok-variables/ is available
+
+ * Check that the %:.blacklist keyring is populated
+
+ $ sudo keyctl list %:.blacklist
+
+ * Check that the %:.platform keyring is populated
+
+ $ sudo keyctl list %:.platform
+
+ [Where problems could occur]
+
+ * Given how small the kvm config is, it is not clear if all of the lockdown
+ features are correctly enabled, specifically measuring and appraising
+ things with the integrity framework. It is possible that further config changes
+ will be required to make the kvm flavour as hardened as the generic one.
+
+ [Other Info]
+
+ * This issue was discovered whilst working on https://bugs.launchpad.net/bugs/1928679 and https://bugs.launchpad.net/bugs/1932029
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1942319

Title:
  When booting with UEFI, mokvar table and %:.platform keyring must be available

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
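The following script automates the three checks in the [Test Plan] above. It is an added example, not part of the bug report or of the Ubuntu kernel packaging. Run with --live as root on a UEFI-booted machine to check the real system; with no arguments it only exercises the parsing logic against constructed sample data, so it can be verified offline. The optional root prefix on the sysfs check, the configurable minimum key count, and the sample keyctl listings are assumptions of this example; the sysfs path and the keyring names come from the test plan.

```shell
#!/bin/sh
# Added example: automate the mokvar-table and keyring checks from the bug's
# test plan. Not from the bug report or the Ubuntu kernel team.

# The sysfs path comes from the test plan. The optional root prefix ($1) is
# an assumption of this example so the check can be pointed at a mock tree.
check_mok_variables() {
    dir="${1:-}/sys/firmware/efi/mok-variables"
    [ -d "$dir" ] || { echo "FAIL: $dir missing (mokvar table not exported)"; return 1; }
    # shim exports its MOK variables (e.g. MokListRT) as files here; require at least one.
    n=$(find "$dir" -mindepth 1 -maxdepth 1 | wc -l)
    [ "$n" -gt 0 ] || { echo "FAIL: $dir is empty"; return 1; }
    echo "OK: $n MOK variable(s) in $dir"
}

# Parse the first line of `keyctl list` output. keyctl prints either
# "keyring is empty" or "<N> key(s) in keyring:" followed by one line per key.
# Prints N, or nothing if the output does not match either form.
keyring_count() {
    printf '%s\n' "$1" | sed -n \
        -e '1s/^keyring is empty$/0/p' \
        -e '1s/^\([0-9][0-9]*\) keys\{0,1\} in keyring:$/\1/p'
}

# The bug's acceptance criterion is "populated", so one key is enough;
# the threshold ($3) is an assumption of this example to make it configurable.
check_keyring() {
    name="$1"; listing="$2"; min="${3:-1}"
    n=$(keyring_count "$listing")
    [ -n "$n" ] || { echo "FAIL: unparseable keyctl output for $name"; return 1; }
    [ "$n" -ge "$min" ] || { echo "FAIL: $name has $n key(s), expected >= $min"; return 1; }
    echo "OK: $name has $n key(s)"
}

# Constructed sample data (not captured from a real system): the shape follows
# keyctl's list format, but the key IDs and subject names are made up.
SAMPLE_PLATFORM='2 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Example Secure Boot CA: 0123456789abcdef
 987654321: ---lswrv     0     0 asymmetric: Example Shim CA: fedcba9876543210'
SAMPLE_ONE='1 key in keyring:
 111111111: ---lswrv     0     0 blacklist: tbs:0011223344'
SAMPLE_EMPTY='keyring is empty'

if [ "${1:-}" = "--live" ]; then
    rc=0
    check_mok_variables "" || rc=1
    for kr in .blacklist .platform; do
        # Reading kernel keyrings needs root, which is why the test plan uses sudo.
        check_keyring "%:$kr" "$(keyctl list "%:$kr" 2>&1)" || rc=1
    done
    exit $rc
fi
```

A missing /sys/firmware/efi/mok-variables/ directory on a UEFI boot, or "keyring is empty" for %:.platform, is exactly the failure this bug describes; a failure on %:.blacklist indicates that the builtin revocation certificates did not load.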