APPLIED: [UNSTABLE][PATCH 0/3] Support builtin revoked certificates

Andrea Righi andrea.righi at canonical.com
Mon Jun 28 14:40:32 UTC 2021


On Tue, Jun 15, 2021 at 04:40:01PM +0100, Dimitri John Ledkov wrote:
> [Impact]
> 
> Upstream linux kernel now supports configuring built-in revoked
> certificates for the .blacklist keyring.
> 
> Add support in our kernel configuration to have built-in revoked
> certificates.
> 
> Revoke UEFI amd64 & arm64 2012 signing certificate.
> 
> Under UEFI Secureboot with lockdown, shim may attempt to communicate
> revoked certificates to the kernel and depending on how good EFI
> firmware is, this may or may not succeed.
> 
> By having these built-in, it will be prohibited to kexec file_load
> older kernels that were signed with now revoked certificates, however
> one boots.
> 
> [Test Plan]
> 
>  * Boot kernel directly, or just with grub, and without shim
> 
>  * Check that
> 
> $ sudo keyctl list %:.blacklist
> 
> Contains asymmetric 2012 key.
> 
> [Where problems could occur]
> 
>  * Derivative and per-arch kernels may need to revoke different keys,
>    thus this should be evaluated on per arch & flavour basis as to
>    which keys to revoke.
> 
> [Other Info]
> 
>  * In theory, this only needs to be revoked on amd64 and arm64, but
>    empty revocation list is not allowed by the kernel configury, thus
>    at the moment revoking 2012 UEFI cert for all architectures.
> 
> Dimitri John Ledkov (3):
>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>     certs
>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>     keys
> 
>  debian.master/config/annotations              |  1 +
>  debian.master/config/config.common.ubuntu     |  2 +-
>  .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
>  debian/rules                                  | 14 ++-
>  4 files changed, 101 insertions(+), 2 deletions(-)
>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem

I haven't tested it explicitly, but it all looks good to me.

Applied to unstable/5.13.

Thanks,
-Andrea
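Two checks that script the test plan above, as an added example that is not part of the patch series or of Andrea's reply: one greps the kernel config for a non-empty CONFIG_SYSTEM_REVOCATION_KEYS, the other looks for an asymmetric entry in the `keyctl list %:.blacklist` output. The sample listing, its serials and key ids are constructed placeholders, and the subject string "Canonical Ltd. Secure Boot Signing" is assumed rather than taken from the page.

```shell
#!/bin/sh
# Added example: verify that built-in revoked certificates are configured
# and actually loaded into the .blacklist keyring (mirrors the test plan).

# revocation_keys_configured FILE
# Returns 0 when FILE contains CONFIG_SYSTEM_REVOCATION_KEYS="<non-empty>".
revocation_keys_configured() {
    grep -q '^CONFIG_SYSTEM_REVOCATION_KEYS="[^"]\{1,\}"$' "$1"
}

# blacklist_has_asymmetric LISTING PATTERN
# LISTING is the text printed by `keyctl list %:.blacklist`; PATTERN is a
# fixed string expected in the description of an "asymmetric:" entry
# (subject or key id). Hash-only "blacklist:" entries are ignored so that
# a matching tbs/bin hash is not mistaken for the certificate itself.
blacklist_has_asymmetric() {
    printf '%s\n' "$1" | grep 'asymmetric:' | grep -qF -- "$2"
}

# count_blacklist_entries LISTING -> number of key lines ("<serial>: ...")
count_blacklist_entries() {
    printf '%s\n' "$1" | grep -c '^ *[0-9]\{1,\}: '
}

# Constructed sample listing: serials, permissions, the key id and the
# subject are placeholders/assumptions; the line layout is keyctl's.
SAMPLE_LISTING='2 keys in keyring:
 123456789: ---lswrv     0     0 asymmetric: Canonical Ltd. Secure Boot Signing: PLACEHOLDER_KEY_ID
 987654321: ---lswrv     0     0 blacklist: tbs:PLACEHOLDER_TBS_HASH'

# Live check against the running kernel (needs keyutils and root for the
# keyring read); not exercised by the self-test, only when called by hand.
check_running_kernel() {
    cfg="/boot/config-$(uname -r)"
    revocation_keys_configured "$cfg" \
        || { echo "no built-in revocation keys in $cfg"; return 1; }
    listing=$(sudo keyctl list %:.blacklist) || return 1
    blacklist_has_asymmetric "$listing" "$1" \
        || { echo "revoked cert '$1' not in .blacklist"; return 1; }
    echo "ok: '$1' is revoked in the running kernel"
}
```

Run `check_running_kernel "Secure Boot Signing"` on a booted test kernel; the helper functions can also be fed a saved listing when checking several flavours offline.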
