NACK: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates
Tim Gardner
tim.gardner at canonical.com
Thu Aug 12 11:33:35 UTC 2021
On 8/12/21 3:04 AM, Dimitri John Ledkov wrote:
> On Mon, Aug 9, 2021 at 1:19 PM Tim Gardner <tim.gardner at canonical.com> wrote:
>>
>>
>>
>> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
>>> In Impish, support was added to load revoked certificates from mokx
>>> (submitted upstream, revied, not accepted yet) into blacklist keyring.
>>>
>
> Note mentioning that SAUCE patches have not been accepted upstream anywhere.
>
>>> Also in Impish, from upstream, there is now support to have built-in
>>> revoked keys. And we have 2012 UEFI key revoked by default (as also
>>> revoked globally via uefi dbx update).
>>>
>>> Backport both of the above things to Hirsute, such that our kernels
>>> honor mokx revocations, and also have the 2012 key revoked always
>>> (when booted with or without working shim).
>>>
>>> This patch series was test built and tested using the revocations list
>>> test case that is proposed for RT ubuntu_boot test. See
>>> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
>>>
>>> BugLink: https://bugs.launchpad.net/bugs/1928679
>>> BugLink: https://bugs.launchpad.net/bugs/1932029
>>>
>>> Dimitri John Ledkov (5):
>>> UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>>> table
>>> UBUNTU: SAUCE: integrity: add informational messages when revoking
>>> certs
>>> UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>>> certs
>>> UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>>> UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>>> keys
>>>
>>> certs/blacklist.c | 3 +
>>> debian.master/config/annotations | 1 +
>>> debian.master/config/config.common.ubuntu | 2 +-
>>> .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>>> debian/rules | 14 ++-
>>> .../platform_certs/keyring_handler.c | 1 +
>>> security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>>> 7 files changed, 145 insertions(+), 36 deletions(-)
>>> create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>>>
>>
>> None of the git SHA1 commit IDs appear to be valid in upstream linux or
>> even linux-next.
>>
>> rtg
>
> That is why they still have the SAUCE title, and point at commits from
> impish series. They have been submitted upstream, but they are not
> getting reviewed / applied for a long time now. I suspect it is mostly
> because Debian already carries an equivalent patch (for mok config
> table) and all other distros are unaffected (they don't use CA inside
> shim) / don't care (to allow users to self revoke many signing
> certificates).
>
> I thought I made this clear in the opening paragraph of the cover
> letter. (albeit there is a typpo "revied" => "reviewed"). The git-sha
> reference will become meaningless once the unstable kernel is rebased
> onto v5.14, but it will be valid whilst impish kernels are still in
> use.
>
> I was not sure how to best indicate that these patches have already
> been through review to get into impish kernel.
>
You are correct. I don't know what I was thinking. Perhaps I was short
on coffee.
rtg
-----------
Tim Gardner
Canonical, Inc
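The cover letter quoted above describes two pieces that together decide whether a signature is rejected: a PEM bundle of revoked certificates (assembled by the packaging step as canonical-revoked-certs.pem and handed to CONFIG_SYSTEM_REVOCATION_KEYS) and the rule that anything signed by a key on the blacklist keyring is refused. The Go program below is an added example, not code from the thread or from the Ubuntu kernel tree; it models that rule in user space so the behaviour can be exercised offline. It constructs throwaway P-256 keys and self-signed certificates (no relation to any real Canonical key), builds the bundle, and checks a signer against it. The kernel's real check is whether the PKCS#7 signature validates against a key on the .blacklist keyring; this example approximates that by matching the signer's SubjectPublicKeyInfo, which is an assumption of the example rather than a description of certs/blacklist.c.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewSignerKey creates a throwaway P-256 key standing in for a signing key
// (constructed for this example; not a real Canonical key).
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MakeSelfSignedCert issues a self-signed certificate for key and returns its
// DER bytes. Two certs issued for the same key share a SubjectPublicKeyInfo.
func MakeSelfSignedCert(key *ecdsa.PrivateKey, cn string, serial int64) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// BuildRevocationBundle concatenates DER certificates into one PEM file, the
// shape the packaging step produces by joining the per-branch/arch cert files.
func BuildRevocationBundle(ders [][]byte) []byte {
	var out []byte
	for _, der := range ders {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

// LoadRevokedKeys parses the bundle and maps the hex SHA-256 of each cert's
// SubjectPublicKeyInfo to its subject CN. A malformed CERTIFICATE block is an
// error rather than being skipped: a revocation list that silently fails to
// load would leave revoked signers trusted.
func LoadRevokedKeys(bundle []byte) (map[string]string, error) {
	revoked := map[string]string{}
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("revocation bundle: bad certificate: %w", err)
		}
		sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
		revoked[hex.EncodeToString(sum[:])] = cert.Subject.CommonName
	}
	return revoked, nil
}

// CheckSigner reports whether the signer certificate's public key is on the
// revocation list; a caller rejects any signature from such a key even when
// the certificate otherwise chains to a trusted root.
func CheckSigner(bundle []byte, signerDER []byte) (bool, error) {
	revoked, err := LoadRevokedKeys(bundle)
	if err != nil {
		return false, err
	}
	signer, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return false, fmt.Errorf("signer: %w", err)
	}
	sum := sha256.Sum256(signer.RawSubjectPublicKeyInfo)
	_, found := revoked[hex.EncodeToString(sum[:])]
	return found, nil
}

func main() {
	oldKey, _ := NewSignerKey()
	newKey, _ := NewSignerKey()
	oldCert, _ := MakeSelfSignedCert(oldKey, "Constructed 2012-style signer", 1)
	newCert, _ := MakeSelfSignedCert(newKey, "Constructed current signer", 2)
	bundle := BuildRevocationBundle([][]byte{oldCert})
	oldRevoked, _ := CheckSigner(bundle, oldCert)
	newRevoked, _ := CheckSigner(bundle, newCert)
	fmt.Println("old signer revoked:", oldRevoked, "- new signer revoked:", newRevoked)
}
```

Matching on the public key rather than on the whole certificate is the deliberate choice here: a certificate re-issued for the same key is still refused, which is what a defender wants from a revocation of the 2012 key. The error on a corrupt bundle is the other point worth noticing; when checking a real kernel, the equivalent sanity check is that the expected entries actually appear in the .blacklist keyring after boot, with and without shim, as the cover letter's test case does.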