[SRU][I/kvm][PATCH 0/1] UBUNTU: [Config] Enable Trusted, Platform, Secondary Keyrings

Dimitri John Ledkov dimitri.ledkov at canonical.com
Tue Oct 5 11:14:01 UTC 2021


[Impact]

 * When booting with UEFI, the mokvar table and the %:.platform keyring must
   be available. These are required for builtin revocation
   certificates to be present, shim builtin certificates to be present
   and thus support for signed & verified kexec to be present. It also allows
   revocation of signed lrm and livepatch drivers which are trusted by
   this kernel.

 * The kvm annotations are very minimal, v3 format, and the parent
   kernel's annotations are not enforced.

[Test Plan]

 * Check that /sys/firmware/efi/mok-variables/ is available

 * Check that %:.blacklist keyring is populated

   $ sudo keyctl list %:.blacklist

 * Check that %:.platform keyring is populated

   $ sudo keyctl list %:.platform
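An added example, not part of this patch or its cover letter: a POSIX sh script that runs the three checks of the test plan above. The `keyring_count` parser of `keyctl list` output can be exercised offline on constructed output; the live checks against sysfs and the kernel keyrings only run when the script is invoked with the argument `run` (script name and sample output are assumptions).

```shell
#!/bin/sh
# Added example: scripted version of the SRU test plan. Usage (name assumed):
#   sudo sh check_keyrings.sh run

# Count key entries in `keyctl list` output read from stdin. Each key is
# printed on its own line as "<id>: <perms> <uid> <gid> <type>: <desc>";
# the "N keys in keyring:" header and "keyring is empty" do not match.
keyring_count() {
    awk '/^ *[0-9]+: / { n++ } END { print n + 0 }'
}

# Check that a named keyring exists and holds at least one key.
check_keyring() {
    name=$1
    if ! out=$(sudo keyctl list "$name" 2>&1); then
        echo "FAIL: $name: $out"
        return 1
    fi
    n=$(printf '%s\n' "$out" | keyring_count)
    if [ "$n" -gt 0 ]; then
        echo "PASS: $name holds $n key(s)"
    else
        echo "FAIL: $name is empty"
        return 1
    fi
}

# Check that the kernel exposed the MOK variables read from the mokvar table.
check_mok_variables() {
    dir=/sys/firmware/efi/mok-variables
    if [ -d "$dir" ] && [ -n "$(ls -A "$dir")" ]; then
        echo "PASS: $dir present: $(ls "$dir" | tr '\n' ' ')"
    else
        echo "FAIL: $dir missing or empty (mokvar table not loaded?)"
        return 1
    fi
}

# Run all three checks; report every failure rather than stopping at the first.
run_test_plan() {
    rc=0
    check_mok_variables || rc=1
    check_keyring %:.blacklist || rc=1
    check_keyring %:.platform || rc=1
    return $rc
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = run ]; then
    run_test_plan
fi
```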

[Where problems could occur]

 * Given how small the kvm config is, it is not clear if all of the
   lockdown features are correctly enabled. Specifically measuring and
   appraising things with the integrity framework. It is possible further
   config changes will be required to make the kvm flavour as hardened as
   the generic one.

[Other Info]

 * This issue was discovered whilst working on
   https://bugs.launchpad.net/bugs/1928679 and
   https://bugs.launchpad.net/bugs/1932029

Dimitri John Ledkov (1):
  UBUNTU: [Config] Enable Trusted, Platform, Secondary Keyrings

 debian.kvm/config/annotations          |  5 +++++
 debian.kvm/config/config.common.ubuntu | 18 ++++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

-- 
2.30.2
