[HIRSUTE][PATCH 0/5] Built-in Revocation certificates
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Thu Aug 5 14:59:44 UTC 2021
In Impish, support was added to load revoked certificates from mokx
(submitted upstream, reviewed, not accepted yet) into the blacklist keyring.
Also in Impish, from upstream, there is now support to have built-in
revoked keys. And we have the 2012 UEFI key revoked by default (as also
revoked globally via the UEFI dbx update).
Backport both of the above things to Hirsute, such that our kernels
honor mokx revocations, and also always have the 2012 key revoked
(when booted with or without a working shim).
This patch series was test built and tested using the revocations list
test case that is proposed for RT ubuntu_boot test. See
https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029
Dimitri John Ledkov (5):
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
table
UBUNTU: SAUCE: integrity: add informational messages when revoking
certs
UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
certs
UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
keys
certs/blacklist.c | 3 +
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 2 +-
.../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
debian/rules | 14 ++-
.../platform_certs/keyring_handler.c | 1 +
security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
7 files changed, 145 insertions(+), 36 deletions(-)
create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
--
2.30.2