NACK: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates

Tim Gardner tim.gardner at canonical.com
Mon Aug 9 12:19:11 UTC 2021



On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
> In Impish, support was added to load revoked certificates from mokx
> (submitted upstream, reviewed, not accepted yet) into blacklist keyring.
> 
> Also in Impish, from upstream, there is now support to have built-in
> revoked keys. And we have 2012 UEFI key revoked by default (as also
> revoked globally via uefi dbx update).
> 
> Backport both of the above things to Hirsute, such that our kernels
> honor mokx revocations, and also have the 2012 key revoked always
> (when booted with or without working shim).
> 
> This patch series was test built and tested using the revocations list
> test case that is proposed for RT ubuntu_boot test. See
> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
> 
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
> 
> Dimitri John Ledkov (5):
>    UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>      table
>    UBUNTU: SAUCE: integrity: add informational messages when revoking
>      certs
>    UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>      certs
>    UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>    UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>      keys
> 
>   certs/blacklist.c                             |  3 +
>   debian.master/config/annotations              |  1 +
>   debian.master/config/config.common.ubuntu     |  2 +-
>   .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>   debian/rules                                  | 14 ++-
>   .../platform_certs/keyring_handler.c          |  1 +
>   security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>   7 files changed, 145 insertions(+), 36 deletions(-)
>   create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> 

None of the git SHA1 commit IDs appear to be valid in upstream linux or 
even linux-next.

rtg
-----------
Tim Gardner
Canonical, Inc


