NACK -> ACK/Cmnt: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates

Stefan Bader stefan.bader at canonical.com
Thu Aug 12 08:25:10 UTC 2021


On 09.08.21 14:19, Tim Gardner wrote:
> 
> 
> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
>> In Impish, support was added to load revoked certificates from mokx
>> (submitted upstream, reviewed, not accepted yet) into blacklist keyring.
>>
>> Also in Impish, from upstream, there is now support to have built-in
>> revoked keys. And we have 2012 UEFI key revoked by default (as also
>> revoked globally via uefi dbx update).
>>
>> Backport both of the above things to Hirsute, such that our kernels
>> honor mokx revocations, and also have the 2012 key revoked always
>> (when booted with or without working shim).
>>
>> This patch series was test built and tested using the revocations list
>> test case that is proposed for RT ubuntu_boot test. See
>> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>>
>> BugLink: https://bugs.launchpad.net/bugs/1928679
>> BugLink: https://bugs.launchpad.net/bugs/1932029
>>
>> Dimitri John Ledkov (5):
>>    UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>>      table
>>    UBUNTU: SAUCE: integrity: add informational messages when revoking
>>      certs
>>    UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>>      certs
>>    UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>>    UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>>      keys
>>
>>   certs/blacklist.c                             |  3 +
>>   debian.master/config/annotations              |  1 +
>>   debian.master/config/config.common.ubuntu     |  2 +-
>>   .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>>   debian/rules                                  | 14 ++-
>>   .../platform_certs/keyring_handler.c          |  1 +
>>   security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>>   7 files changed, 145 insertions(+), 36 deletions(-)
>>   create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>>
> 
> None of the git SHA1 commit IDs appear to be valid in upstream linux or even 
> linux-next.

This should be added upon commit but these are all things from impish:linux 
which are required by us to roll our keys. I suspect there will be similar sets 
for all series sometime in our future.

> 
> rtg
> -----------
> Tim Gardner
> Canonical, Inc
> 
Acked-by: Stefan Bader <stefan.bader at canonical.com>
