** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Description changed:

  [Impact]
  
   * Currently Canonical Livepatch service is signing kernel modules that
  are not trusted by the default Ubuntu kernels
  
   * to make Canonical Livepatch service out of the box compatible with
  SecureBoot, please add Canonical Livepatch service key as trusted in the
  kernel by default
  
   * if a user wants to distrust the key, they can remove it via mokx or dbx,
  and we can revoke it by signing a revocation with 'canonical master ca'.
  
  [Test Case]
  
   * Boot kernel
   * Check the built-in keyring to ensure that the Livepatch key is trusted by the built-in keyring
  
  Bad:
  $ sudo keyctl list %:.builtin_trusted_keys
  1 key in keyring:
  204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
  
  Good:
  $ sudo keyctl list %:.builtin_trusted_keys
  2 keys in keyring:
  637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
  1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
  
- 
  [Regression Potential]
  
   * Kernel keyring size will increase by one key, and thus the kernel image
  will too.
  
  [Other Info]
  
   * Current livepatch key fingerprints
  
  mokutil uses DER format
  
  $ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
  
  the kernel uses PEM format
  
  $ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
+ 
+ [Target kernels]
+ 
+ bionic and up, across the board, but maybe excluding fips kernels?!

** Description changed:

  [Impact]
  
   * Currently Canonical Livepatch service is signing kernel modules that
  are not trusted by the default Ubuntu kernels
  
   * to make Canonical Livepatch service out of the box compatible with
  SecureBoot, please add Canonical Livepatch service key as trusted in the
  kernel by default
  
   * if a user wants to distrust the key, they can remove it via mokx or dbx,
  and we can revoke it by signing a revocation with 'canonical master ca'.
  
  [Test Case]
  
   * Boot kernel
   * Check the built-in keyring to ensure that the Livepatch key is trusted by the built-in keyring
  
  Bad:
  $ sudo keyctl list %:.builtin_trusted_keys
  1 key in keyring:
  204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
  
  Good:
  $ sudo keyctl list %:.builtin_trusted_keys
  2 keys in keyring:
  637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
  1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
  
  [Regression Potential]
  
   * Kernel keyring size will increase by one key, and thus the kernel image
  will too.
  
  [Other Info]
  
   * Current livepatch key fingerprints
  
  mokutil uses DER format
  
  $ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
  
  the kernel uses PEM format
  
  $ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
  
  [Target kernels]
  
  bionic and up, across the board, but maybe excluding fips kernels?!
+ 
+ [Patch]
+ 
+ https://lists.ubuntu.com/archives/kernel-team/2020-October/113929.html

** Patch added: "0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+attachment/5418376/+files/0001-UBUNTU-Config-Add-Canonical-Livepatch-Service-key-to.patch

** Changed in: linux (Ubuntu)
       Status: Incomplete => Triaged

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1898716

Title:
  Please trust Canonical Livepatch Service kmod signing key

Status in linux package in Ubuntu:
  Triaged
Status in linux source package in Bionic:
  New
Status in linux source package in Focal:
  New

Bug description:
  [Impact]

   * Currently Canonical Livepatch service is signing kernel modules
  that are not trusted by the default Ubuntu kernels

   * to make Canonical Livepatch service out of the box compatible with
  SecureBoot, please add Canonical Livepatch service key as trusted in
  the kernel by default

   * if a user wants to distrust the key, they can remove it via mokx or dbx,
  and we can revoke it by signing a revocation with 'canonical master ca'.

  [Test Case]

   * Boot kernel
   * Check the built-in keyring to ensure that the Livepatch key is trusted by the built-in keyring

  Bad:
  $ sudo keyctl list %:.builtin_trusted_keys
  1 key in keyring:
  204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8f460783380c9e618ef1597bf5

  Good:
  $ sudo keyctl list %:.builtin_trusted_keys
  2 keys in keyring:
  637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
  1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969

  [Regression Potential]

   * Kernel keyring size will increase by one key, and thus the kernel image
  will too.

  [Other Info]

   * Current livepatch key fingerprints

  mokutil uses DER format

  $ openssl x509 -inform der -in /snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA

  the kernel uses PEM format

  $ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout -fingerprint -sha256
  SHA256 Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA

  [Target kernels]

  bionic and up, across the board, but maybe excluding fips kernels?!

  [Patch]

  https://lists.ubuntu.com/archives/kernel-team/2020-October/113929.html
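An added example, not code from the bug or from Canonical: an offline Python mirror of the two checks in the description, the [Test Case] keyctl listing and the [Other Info] DER-versus-PEM fingerprint comparison. The keyctl output is a constructed sample carrying the key ids from the "Good" case above, and the certificate bytes are a constructed stand-in for livepatch-kmod.x509, not the real key.

```python
"""Offline mirror of this bug's two checks (added example, constructed data)."""
import base64
import hashlib
import re

# One line of `keyctl list %:.builtin_trusted_keys` output:
#   <serial>: <perms> <uid> <gid> asymmetric: <subject>: <key id>
# The trailing hex is the kernel's key id, not the SHA256 certificate fingerprint.
KEYCTL_LINE = re.compile(
    r"^\s*(?P<serial>\d+):\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\w+):\s+(?P<desc>.+?):\s+(?P<keyid>[0-9a-f]+)\s*$"
)
LIVEPATCH_SUBJECT = "Canonical Ltd. Live Patch Signing"

# Constructed listing carrying the key ids from the bug's "Good" case.
GOOD_LISTING = """2 keys in keyring:
 637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969
"""

# Constructed stand-in for livepatch-kmod.x509 (a 5-byte DER SEQUENCE, not a real
# certificate); the kernel's .pem is the same DER bytes in base64 armour.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

def parse_keyctl_list(listing):
    """Map subject -> key id for every asymmetric key in a keyctl listing."""
    keys = {}
    for line in listing.splitlines():
        m = KEYCTL_LINE.match(line)
        if m and m.group("type") == "asymmetric":
            keys[m.group("desc")] = m.group("keyid")
    return keys

def livepatch_key_trusted(listing, subject=LIVEPATCH_SUBJECT):
    """Key id of the Livepatch signing key if the keyring trusts it, else None."""
    return parse_keyctl_list(listing).get(subject)

def pem_to_der(pem):
    """Drop the PEM armour lines and base64-decode the DER inside."""
    body = [ln.strip() for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

def sha256_fingerprint(der):
    """Same text that `openssl x509 -noout -fingerprint -sha256` prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
```

On a real machine, feed `livepatch_key_trusted` the output of `sudo keyctl list %:.builtin_trusted_keys` and `sha256_fingerprint` the bytes of the DER file and of `pem_to_der` on the PEM; the two fingerprints must match, as they do in the bug's [Other Info].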

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
