APPLIED/cmnt: [SRU][I/kvm][PATCH 0/1] UBUNTU: [Config] Enable Trusted, Platform, Secondary Keyrings
Kleber Souza
kleber.souza at canonical.com
Thu Oct 14 15:28:33 UTC 2021
On 05.10.21 13:14, Dimitri John Ledkov wrote:
> [Impact]
>
> * When booting with UEFI, mokvar table and %:.platform keyring must
> be available. These are required for builtin revocation
> certificates to be present, shim builtin certificates to be present
> and thus support for signed & verified kexec present. It also allows
> revocation of signed lrm and livepatch drivers which are trusted by
> this kernel.
>
> * The kvm annotations are very minimal, v3 format, and the parent
> kernel's annotations are not enforced.
>
> [Test Plan]
>
> * Check that /sys/firmware/efi/mok-variables/ is available
>
> * Check that %:.blacklist keyring is populated
>
> $ sudo keyctl list %:.blacklist
>
> * Check that %:.platform keyring is populated
>
> $ sudo keyctl list %:.platform
>
> [Where problems could occur]
>
> * Given how small the kvm config is, it is not clear if all of the
> lockdown features are correctly enabled. Specifically measuring and
> appraising things with the integrity framework. It is possible further
> config changes will be required to make the kvm flavour as hardened as
> the generic one.
>
> [Other Info]
>
> * This issue was discovered whilst working on
> https://bugs.launchpad.net/bugs/1928679 and
> https://bugs.launchpad.net/bugs/1932029
>
> Dimitri John Ledkov (1):
> UBUNTU: [Config] Enable Trusted, Platform, Secondary Keyrings
>
> debian.kvm/config/annotations | 5 +++++
> debian.kvm/config/config.common.ubuntu | 18 ++++++++++++++----
> 2 files changed, 19 insertions(+), 4 deletions(-)
>
Applied to impish:linux-kvm with some context adjustments.
Thanks,
Kleber
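The [Test Plan] in the quoted cover letter boils down to three checks on the booted kernel: the mok-variables directory exists, and the %:.blacklist and %:.platform keyrings list at least one key. The script below is an added example, not code from the patch or from anyone in this thread; it wraps those checks in functions so that the `keyctl list` parsing can be exercised offline on a constructed sample, and only touches the running kernel when invoked with `--live` (the function names, the `--live` flag and the sample output are assumptions of this example).

```shell
#!/bin/sh
# Added example (not part of the patch or this thread): a checker that
# mirrors the cover letter's [Test Plan]. Function names, the --live flag
# and the sample `keyctl list` output below are assumptions of this example.

# sysfs directory through which the UEFI MOK variable table is exposed.
MOK_VARS_DIR=/sys/firmware/efi/mok-variables

# mok_vars_available [dir]: succeed if the mok-variables directory exists.
mok_vars_available() {
    [ -d "${1:-$MOK_VARS_DIR}" ]
}

# keyring_key_count TEXT: given the output of `keyctl list <keyring>`,
# print the number of keys it lists. keyctl prints either
# "keyring is empty" or "<n> key(s) in keyring:" followed by one line per
# key; anything else (for example an error message) yields -1.
keyring_key_count() {
    printf '%s\n' "$1" | awk '
        /^keyring is empty/          { print "0"; found = 1; exit }
        /^[0-9]+ keys? in keyring/   { print $1;  found = 1; exit }
        END { if (!found) print "-1" }'
}

# keyring_populated NAME: run `keyctl list` against a named keyring (the
# %:. prefix selects a kernel keyring by name) and succeed only if it holds
# at least one key. Reading %:.platform needs root, as in the test plan.
keyring_populated() {
    out=$(keyctl list "$1" 2>&1) || true
    n=$(keyring_key_count "$out")
    [ "$n" -gt 0 ]
}

# Constructed sample of `keyctl list %:.blacklist` output (not captured
# from a real machine); the hashes are placeholders.
SAMPLE_BLACKLIST='3 keys in keyring:
 100000001: ---lswrv     0     0 blacklist: tbs:0000000000000000000000000000000000000000000000000000000000000001
 100000002: ---lswrv     0     0 blacklist: tbs:0000000000000000000000000000000000000000000000000000000000000002
 100000003: ---lswrv     0     0 blacklist: tbs:0000000000000000000000000000000000000000000000000000000000000003'

# live_checks: the three test-plan items, run against the booted kernel.
live_checks() {
    rc=0
    if mok_vars_available; then
        echo "ok   $MOK_VARS_DIR present"
    else
        echo "FAIL $MOK_VARS_DIR missing (not a UEFI boot, or mokvar table not exported)"
        rc=1
    fi
    for kr in %:.blacklist %:.platform; do
        if keyring_populated "$kr"; then
            echo "ok   $kr populated"
        else
            echo "FAIL $kr empty or unreadable (run as root?)"
            rc=1
        fi
    done
    return $rc
}

# Only touch the real kernel when asked to; everything above can be
# exercised offline on the constructed sample.
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as `sudo sh check-keyrings.sh --live` on the target kernel; a non-zero exit means one of the three items from the test plan failed. An empty %:.blacklist or %:.platform on a UEFI boot is the symptom the config change is meant to fix, whereas "Permission denied" from keyctl just means the keyring was read without root.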