[FOCAL][linux-oem-5.10][PATCH 10/10] UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon Aug 23 13:33:53 UTC 2021 

BugLink: https://bugs.launchpad.net/bugs/1932029
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Signed-off-by: Andrea Righi <andrea.righi at canonical.com>
(cherry picked from commit 741f622c4dbc162b82f8c9045f9c6c6446f57eb5)
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
Acked-by: Andy Whitcroft <apw at canonical.com>
[KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted
to upstream, though not yet reviewed/applied.]
Signed-off-by: Kelsey Skunberg <kelsey.skunberg at canonical.com>
---
 debian.master/config/annotations          | 1 +
 debian.master/config/config.common.ubuntu | 2 ++
 debian.oem/config/annotations             | 1 +
 debian.oem/config/config.common.ubuntu    | 2 ++
 4 files changed, 6 insertions(+)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 62fb726d1c..1a4eb7a030 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -361,6 +361,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
+CONFIG_SYSTEM_REVOCATION_KEYS                   policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
 CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 
 # Menu: Cryptographic API >> Hardware crypto devices
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 791cef4b80..7b63a9bc38 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -10402,6 +10402,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
+CONFIG_SYSTEM_REVOCATION_LIST=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
 CONFIG_SYSVIPC=y
diff --git a/debian.oem/config/annotations b/debian.oem/config/annotations
index 74691ad759..2cd570875f 100644
--- a/debian.oem/config/annotations
+++ b/debian.oem/config/annotations
@@ -360,6 +360,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': '
 CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
+CONFIG_SYSTEM_REVOCATION_KEYS                   policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
 CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 
 # Menu: Cryptographic API >> Hardware crypto devices
diff --git a/debian.oem/config/config.common.ubuntu b/debian.oem/config/config.common.ubuntu
index e3ccc02f91..7689259bfa 100644
--- a/debian.oem/config/config.common.ubuntu
+++ b/debian.oem/config/config.common.ubuntu
@@ -7700,6 +7700,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 CONFIG_SYSTEM_DATA_VERIFICATION=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
 CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
+CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
+CONFIG_SYSTEM_REVOCATION_LIST=y
 CONFIG_SYSTEM_TRUSTED_KEYRING=y
 CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
 CONFIG_SYSV68_PARTITION=y
-- 
2.30.2

More information about the kernel-team mailing list