** Description changed:

  [Impact]

- * Currently Canonical Livepatch service is signing kernel modules that
+ * Currently Canonical Livepatch service is signing kernel modules that
  are not trusted by the default Ubuntu kernels
- * to make Canonical Livepatch service out of the box compatible with
+ * to make Canonical Livepatch service out of the box compatible with
  SecureBoot, please add Canonical Livepatch service key as trusted in
  the kernel by default
- * if user wants to distrust the key, they can remove it via mokx, dbx,
+ * if user wants to distrust the key, they can remove it via mokx, dbx,
  and we can revoke it by signing revocation with 'canonical master ca'.

  [Test Case]

- * Boot kernel
- * Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
+ * Boot kernel
+ * Check the built-in keyring to ensure that Livepatch key is trusted by the built-in keyring
+
+ Bad:
+ $ sudo keyctl list %:.builtin_trusted_keys
+ 1 key in keyring:
+  204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
+
+ Good:
+ $ sudo keyctl list %:.builtin_trusted_keys
+ 2 keys in keyring:
+  637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
+ 1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
+
  [Regression Potential]

- * Kernel keyring size will increase by one key. And thus kernel image
+ * Kernel keyring size will increase by one key. And thus kernel image
  will too.

  [Other Info]
-
- * Current livepatch key fingerprints
+
+ * Current livepatch key fingerprints

  mokutil uses der format
  $ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA

  kernel use pem format
  $ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1898716

Title:
  Please trust Canonical Livepatch Service kmod signing key

Status in linux package in Ubuntu:
  Incomplete
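Added example, not part of the bug report or of the Livepatch project: a POSIX shell helper that parses `keyctl list %:.builtin_trusted_keys` output in the format shown in the test case above and reports whether the Livepatch signing key is trusted. The function names are assumptions; the key description string and the Bad/Good sample outputs are the report's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether the Livepatch kmod
# signing key is trusted by the kernel's built-in keyring, parsing the
# `keyctl list` output format shown in the bug's test case. Function names
# are assumptions; the key description and sample outputs come from the report.

LIVEPATCH_KEY_DESC='Canonical Ltd. Live Patch Signing'

# "Bad" and "Good" keyctl outputs copied from the report, used as offline input.
SAMPLE_BAD='1 key in keyring:
 204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5'
SAMPLE_GOOD='2 keys in keyring:
 637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'

# Count asymmetric keys whose description is exactly $1 (keyctl output on stdin).
# Matching is literal (-F) and anchored on the "asymmetric: <desc>:" prefix, so a
# key whose description merely contains the words would not be counted.
count_key_desc() {
    grep -cF "asymmetric: $1:" || true
}

# Exit 0 if the key described by $1 is present in the listing, 1 otherwise.
key_trusted() {
    n=$(count_key_desc "$1")
    [ "$n" -ge 1 ]
}

# Cross-check the "N key(s) in keyring:" header against the entries actually
# listed; prints "ok" or "mismatch" (a truncated capture would mismatch).
header_consistent() {
    input=$(cat)
    declared=$(printf '%s\n' "$input" | sed -n '1s/^\([0-9][0-9]*\) keys* in keyring:.*/\1/p')
    listed=$(printf '%s\n' "$input" | grep -c ' asymmetric: ' || true)
    if [ -n "$declared" ] && [ "$declared" -eq "$listed" ]; then echo ok; else echo mismatch; fi
}

# Live check (needs keyutils and, as in the report, root): exit status of key_trusted.
check_live_builtin_keyring() {
    keyctl list %:.builtin_trusted_keys | key_trusted "$LIVEPATCH_KEY_DESC"
}

# Offline demonstration against the report's two samples.
printf '%s\n' "$SAMPLE_GOOD" | key_trusted "$LIVEPATCH_KEY_DESC" && echo "good sample: Livepatch key trusted"
printf '%s\n' "$SAMPLE_BAD"  | key_trusted "$LIVEPATCH_KEY_DESC" || echo "bad sample: Livepatch key NOT trusted"
```

On a real system, run check_live_builtin_keyring after booting the kernel under test; a non-zero exit reproduces the "Bad" state of the test case.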

