[UNSTABLE][PATCH] UBUNTU: [Config] Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Tue Aug 24 17:37:58 UTC 2021
BugLink: https://bugs.launchpad.net/bugs/1932029
Enforce SYSTEM_TRUSTED_KEYS and SYSTEM_REVOCATION_KEYS on all
architectures, including riscv64. Note that TRUSTED and REVOCATION
keys files are dynamically generated and individual kernels may
add/revoke certificates specific to them, as needed. But all kernels
must trust & revoke a base set of certificates.
Note some kernel flavours don't inherit, or don't enforce all
annotation keys by default, hence enforcement of these options is
required.
Fixes: 503c7ca37e ("UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
debian.master/config/annotations | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index c9c451e95f..f34f943c29 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -355,16 +355,19 @@ CONFIG_MODULE_SIG_KEY policy<{'amd64': '"certs/signing
CONFIG_SYSTEM_BLACKLIST_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_SYSTEM_BLACKLIST_HASH_LIST policy<{'amd64': '""', 'arm64': '""', 'armhf': '""', 'ppc64el': '""', 's390x': '""'}>
CONFIG_SYSTEM_REVOCATION_LIST policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
+CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 'riscv64': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
#
CONFIG_SYSTEM_BLACKLIST_KEYRING mark<ENFORCED>
+CONFIG_SYSTEM_REVOCATION_KEYS mark<ENFORCED>
# Menu: Cryptographic API >> Certificates for signature checking >> Provide system-wide ring of trusted keys
CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
-CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
+CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 'riscv64': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}>
CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
+#
+CONFIG_SYSTEM_TRUSTED_KEYS mark<ENFORCED>
# Menu: Cryptographic API >> Hardware crypto devices
CONFIG_CRYPTO_HW policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>
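Review bot: the riscv64 entry is added only to CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_TRUSTED_KEYS, while the options they depend on in the same hunk (CONFIG_SYSTEM_BLACKLIST_KEYRING, CONFIG_SYSTEM_REVOCATION_LIST, CONFIG_SYSTEM_TRUSTED_KEYRING, CONFIG_SYSTEM_EXTRA_CERTIFICATE, CONFIG_SECONDARY_TRUSTED_KEYRING) still list only amd64, arm64, armhf, ppc64el and s390x. CONFIG_SYSTEM_REVOCATION_KEYS is only consulted when CONFIG_SYSTEM_REVOCATION_LIST (and thus the blacklist keyring) is enabled, so on riscv64 the newly enforced revoked-certs path may be checked by the annotations tool without the build actually compiling the revoked certificates in. Consider extending the policy of those keyring options to riscv64 in the same change, and marking CONFIG_SYSTEM_REVOCATION_LIST ENFORCED alongside CONFIG_SYSTEM_REVOCATION_KEYS, e.g. `CONFIG_SYSTEM_REVOCATION_LIST policy<{... 'riscv64': 'y', ...}>` and `CONFIG_SYSTEM_REVOCATION_LIST mark<ENFORCED>`, so the commit message's claim of enforcement on all architectures including riscv64 holds for the whole chain.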
--
2.30.2