** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1851412

Title:
  Verify kexec image signatures on arm64

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Disco:
  Invalid
Status in linux source package in Eoan:
  Invalid
Status in linux source package in Focal:
  Invalid

Bug description:
  While reviewing our kernel configs in Focal, I noticed that we produce
  signed arm64 kernels since Disco but don't seem to be verifying any
  signatures during kexec. Specifically, CONFIG_KEXEC_IMAGE_VERIFY_SIG is
  not enabled.

  == Disco ==

  $ git grep CONFIG_KEXEC_IMAGE_VERIFY_SIG debian.master/
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG policy<{'arm64': 'n'}>
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG flag<REVIEW>
  debian.master/config/config.common.ubuntu:# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set

  == Eoan ==

  $ git grep CONFIG_KEXEC_IMAGE_VERIFY_SIG debian.master/
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG policy<{'arm64': 'n'}>
  debian.master/config/annotations:CONFIG_KEXEC_IMAGE_VERIFY_SIG flag<REVIEW>
  debian.master/config/config.common.ubuntu:# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set

  Looking at the Ubuntu-5.3.0-19.20 tag in Eoan, it looks like the
  CONFIG_KEXEC_IMAGE_VERIFY_SIG option should be enabled to perform
  signature verification of kexec images:

  $ cat -n arch/arm64/kernel/kexec_image.c | tail -n 15
     116  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
     117  static int image_verify_sig(const char *kernel, unsigned long kernel_len)
     118  {
     119          return verify_pefile_signature(kernel, kernel_len, NULL,
     120                                         VERIFYING_KEXEC_PE_SIGNATURE);
     121  }
     122  #endif
     123
     124  const struct kexec_file_ops kexec_image_ops = {
     125          .probe = image_probe,
     126          .load = image_load,
     127  #ifdef CONFIG_KEXEC_IMAGE_VERIFY_SIG
     128          .verify_sig = image_verify_sig,
     129  #endif
     130  };

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851412/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
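The report above is about a missing config option, and the practical question for an administrator of an arm64 Ubuntu system is whether the kernel they are running has it. The script below is an added example, not part of the bug report or of the Ubuntu kernel packaging: it reads a kernel config file (the `/boot/config-$(uname -r)` file Ubuntu installs, or any `.config`) and reports the state of CONFIG_KEXEC_IMAGE_VERIFY_SIG. It also inspects CONFIG_KEXEC_FILE, on the assumption (not stated in the report) that the signature-verifying path is the kexec_file_load one, so an option that is entirely absent from the file is reported separately from one that is present but `# ... is not set`, because an unmet dependency produces the former rather than the latter. The sample config embedded in `demo_sample` is constructed to mirror the Eoan lines quoted in the report.

```sh
#!/bin/sh
# Added example (not from the bug report): report whether a kernel config
# verifies kexec image signatures via CONFIG_KEXEC_IMAGE_VERIFY_SIG.
# Usage: sh kexec_sig_check.sh /boot/config-$(uname -r)
# With no argument it runs against a constructed sample config instead.

# kconfig_state FILE OPTION
# Prints y or m when the option is built in or modular, n when the file
# carries "# OPTION is not set", and absent when the option is not
# mentioned at all (for example because a dependency such as KEXEC_FILE
# is off, or because this kernel version does not know the option).
kconfig_state() {
    file=$1
    opt=$2
    if grep -q "^${opt}=y$" "$file"; then
        echo y
    elif grep -q "^${opt}=m$" "$file"; then
        echo m
    elif grep -q "^# ${opt} is not set$" "$file"; then
        echo n
    else
        echo absent
    fi
}

# check_kexec_sig FILE
# Prints one verdict line per option and returns 0 only when both
# CONFIG_KEXEC_FILE (assumed dependency) and CONFIG_KEXEC_IMAGE_VERIFY_SIG
# are =y, i.e. when kexec_file_load will reject an unsigned image.
check_kexec_sig() {
    file=$1
    rc=0
    for opt in CONFIG_KEXEC_FILE CONFIG_KEXEC_IMAGE_VERIFY_SIG; do
        state=$(kconfig_state "$file" "$opt")
        case "$state" in
            y) printf '%-32s enabled\n' "$opt" ;;
            *) printf '%-32s NOT enabled (%s)\n' "$opt" "$state"; rc=1 ;;
        esac
    done
    return $rc
}

# demo_sample
# Runs the check over a constructed config fragment that mirrors the
# state the report describes for Eoan: kexec_file_load available, but
# image signature verification compiled out. Returns check_kexec_sig's
# status (1 for this sample).
demo_sample() {
    tmp=$(mktemp)
    printf '%s\n' \
        'CONFIG_KEXEC=y' \
        'CONFIG_KEXEC_FILE=y' \
        '# CONFIG_KEXEC_IMAGE_VERIFY_SIG is not set' > "$tmp"
    echo "constructed sample config ($tmp):"
    check_kexec_sig "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

if [ $# -gt 0 ]; then
    check_kexec_sig "$1"
else
    demo_sample || :
fi
```

The exit status is meant for scripting: `check_kexec_sig "$file" || echo "kexec signature verification is off"` fits a compliance or baseline check. The state names are deliberately distinct so that a config produced by a kernel tree where the option is unknown (`absent`) is not mistaken for one where it was consciously left off (`n`), which is exactly the distinction behind the annotations quoted in the report.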