[HIRSUTE][PATCH 0/5] Built-in Revocation certificates

Dimitri John Ledkov dimitri.ledkov at canonical.com
Thu Aug 5 14:59:44 UTC 2021

In Impish, support was added to load revoked certificates from mokx
(submitted upstream, revied, not accepted yet) into blacklist keyring.

Also in Impish, from upstream, there is now support to have built-in
revoked keys. And we have 2012 UEFI key revoked by default (as also
revoked globally via uefi dbx update).

Backport both of the above things to Hirsute, such that our kernels
honor mokx revocations, and also have the 2012 key revoked always
(when booted with or without working shim).

This patch series was test built and tested using the revocations list
test case that is proposed for RT ubuntu_boot test. See

BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029

Dimitri John Ledkov (5):
  UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
  UBUNTU: SAUCE: integrity: add informational messages when revoking
  UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
  UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked

 certs/blacklist.c                             |  3 +
 debian.master/config/annotations              |  1 +
 debian.master/config/config.common.ubuntu     |  2 +-
 .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
 debian/rules                                  | 14 ++-
 .../platform_certs/keyring_handler.c          |  1 +
 security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
 7 files changed, 145 insertions(+), 36 deletions(-)
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem


More information about the kernel-team mailing list