Public bug reported:
[ Impact ]
* Kernels have a set of builtin trusted and revoked certificates as a bundle
* It is not very easy to access them, one needs to either download linux
kernel package source code; or boot the kernel look up builtin hashes; and then
find certificates externally
* It would be more convenient for inspection to expose these in the buildinfo
package, which already exposes auxiliary kernel information
[ Test Plan ]
* sudo apt install linux-buildinfo-$(uname -r)
* check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and
contains livepatch cert
* check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists and
contains 2012 cert
[ Where problems could occur ]
* buildinfo is an auxiliary package not installed by default, but used
by developer tooling and packaging.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Affects: linux (Ubuntu Lunar)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Kinetic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Lunar)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Jammy)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1996892
Title:
Expose built-in trusted and revoked certificates
Status in linux package in Ubuntu:
New
Status in linux source package in Bionic:
New
Status in linux source package in Focal:
New
Status in linux source package in Jammy:
New
Status in linux source package in Kinetic:
New
Status in linux source package in Lunar:
New
Bug description:
[ Impact ]
* Kernels have a set of builtin trusted and revoked certificates as a bundle
* It is not very easy to access them, one needs to either download linux
kernel package source code; or boot the kernel look up builtin hashes; and then
find certificates externally
* It would be more convenient for inspection to expose these in the
buildinfo package, which already exposes auxiliary kernel information
[ Test Plan ]
* sudo apt install linux-buildinfo-$(uname -r)
* check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and
contains livepatch cert
* check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists
and contains 2012 cert
[ Where problems could occur ]
* buildinfo is an auxiliary package not installed by default, but
used by developer tooling and packaging.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1996892/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
