APPLIED/CMT: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates

Kelsey Skunberg kelsey.skunberg at canonical.com
Fri Aug 13 01:18:07 UTC 2021


Applied to Hirsute master-next with extra note that SHA1 is from Impish.
Thank you!

-Kelsey

On 2021-08-05 15:59:44, Dimitri John Ledkov wrote:
> In Impish, support was added to load revoked certificates from mokx
> (submitted upstream, reviewed, not accepted yet) into the blacklist keyring.
> 
> Also in Impish, from upstream, there is now support to have built-in
> revoked keys. And we have the 2012 UEFI key revoked by default (as also
> revoked globally via uefi dbx update).
> 
> Backport both of the above things to Hirsute, such that our kernels
> honor mokx revocations, and also have the 2012 key revoked always
> (when booted with or without working shim).
> 
> This patch series was test built and tested using the revocations list
> test case that is proposed for RT ubuntu_boot test. See
> https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
> 
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
> 
> Dimitri John Ledkov (5):
>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>     table
>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>     certs
>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>     certs
>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>     keys
> 
>  certs/blacklist.c                             |  3 +
>  debian.master/config/annotations              |  1 +
>  debian.master/config/config.common.ubuntu     |  2 +-
>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>  debian/rules                                  | 14 ++-
>  .../platform_certs/keyring_handler.c          |  1 +
>  security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
>  7 files changed, 145 insertions(+), 36 deletions(-)
>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> 
> -- 
> 2.30.2
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


