APPLIED: [UNSTABLE][PATCH 0/3] Support builtin revoked certificates
andrea.righi at canonical.com
Mon Jun 28 14:40:32 UTC 2021
On Tue, Jun 15, 2021 at 04:40:01PM +0100, Dimitri John Ledkov wrote:
> Upstream linux kernel now supports configuring built-in revoked
> certificates for the .blacklist keyring.
> Add support in our kernel configuration to have built-in revoked
> Revoke UEFI amd64 & arm64 2012 signing certificate.
> Under UEFI Secureboot with lockdown, shim may attempt to communicate
> revoked certificates to the kernel and depending on how good EFI
> firmware is, this may or may not succeed.
> By having these built-in, it will be prohibited to kexec file_load
> older kernels that were signed with now revoked certificates, however
> one boots.
> [Test Plan]
> * Boot kernel directly, or just with grub, and without shim
> * Check that
> $ sudo keyctl list %:.blacklist
> Contains assymetric 2012 key.
> [Where problems could occur]
> * Derivative and per-arch kernels may need to revoke different keys,
> thus this should be evaluated on per arch & flavour basis as to
> which keys to revoke.
> [Other Info]
> * In theory, this only needs to be revoked on amd64 and arm64, but
> empty revocation list is not allowed by the kernel configury, thus
> at the moment revoking 2012 UEFI cert for all architectures.
> Dimitri John Ledkov (3):
> UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
> UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
> debian.master/config/annotations | 1 +
> debian.master/config/config.common.ubuntu | 2 +-
> .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
> debian/rules | 14 ++-
> 4 files changed, 101 insertions(+), 2 deletions(-)
> create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
I haven't tested it explicitly, but it all looks good to me.
Applied to unstable/5.13.
More information about the kernel-team