This bug was fixed in the package linux - 5.11.0-11.12
---------------
linux (5.11.0-11.12) hirsute; urgency=medium
* hirsute/linux: 5.11.0-11.12 -proposed tracker (LP: #1917335)
* Packaging resync (LP: #1786013)
- update dkms package versions
- [Packaging] update variants
* Support no udeb profile (LP: #1916095)
- [Packaging] replace custom filter script with dctrl-tools
- [Packaging] correctly implement noudeb build profiles.
* Miscellaneous Ubuntu changes
- [Packaging] dkms-versions -- remove nvidia-graphics-drivers-440-server
- [Debian] run ubuntu-regression-suite for linux-unstable
- [Packaging] remove Provides: aufs-dkms
- [Packaging] Change source package name to linux
- [Config] update gcc version in config due to toolchain update
* Miscellaneous upstream changes
- Revert "UBUNTU: [Config] disable nvidia and nvidia_server builds"
- Xen/x86: don't bail early from clear_foreign_p2m_mapping()
- Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
- Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
- Xen/gntdev: correct error checking in gntdev_map_grant_pages()
- xen/arm: don't ignore return errors from set_phys_to_machine
- xen-blkback: don't "handle" error by BUG()
- xen-netback: don't "handle" error by BUG()
- xen-scsiback: don't "handle" error by BUG()
- xen-blkback: fix error handling in xen_blkbk_map()
- tty: protect tty_write from odd low-level tty disciplines
- Bluetooth: btusb: Always fallback to alt 1 for WBS
- media: pwc: Use correct device for DMA
- bpf: Fix truncation handling for mod32 dst reg wrt zero
- HID: make arrays usage and value to be the same
- USB: quirks: sort quirk entries
- usb: quirks: add quirk to start video capture on ELMO L-12F document
camera
reliable
- ntfs: check for valid standard information attribute
- Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
- arm64: tegra: Add power-domain for Tegra210 HDA
- hwmon: (dell-smm) Add XPS 15 L502X to fan control blacklist
- KVM: x86: Zap the oldest MMU pages, not the newest
- KVM: do not assume PTE is writable after follow_pfn
- mm: provide a saner PTE walking API for modules
- KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
-- Andrea Righi <andrea.ri...@canonical.com> Mon, 01 Mar 2021 18:17:45
+0100
** Changed in: linux (Ubuntu)
Status: Fix Committed => Fix Released
** Changed in: linux-gcp (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1898716
Title:
Please trust Canonical Livepatch Service kmod signing key
Status in linux package in Ubuntu:
Fix Released
Status in linux-gcp package in Ubuntu:
Fix Released
Status in linux-kvm package in Ubuntu:
Fix Released
Status in linux source package in Bionic:
Fix Committed
Status in linux-gcp source package in Bionic:
New
Status in linux-kvm source package in Bionic:
Confirmed
Status in linux source package in Focal:
Fix Released
Status in linux-gcp source package in Focal:
Fix Released
Status in linux-kvm source package in Focal:
Fix Released
Status in linux source package in Groovy:
Fix Released
Status in linux-gcp source package in Groovy:
Fix Released
Status in linux-kvm source package in Groovy:
Fix Released
Bug description:
[Impact]
* Currently Canonical Livepatch service is signing kernel modules
that are not trusted by the default Ubuntu kernels
* to make Canonical Livepatch service out of the box compatible with
SecureBoot, please add Canonical Livepatch service key as trusted in
the kernel by default
* if user wants to distrust the key, they can remove it via mokx,
dbx, and we can revoke it by signing revocation with 'canonical master
ca'.
[Test Case]
* Boot kernel
* Check the built-in keyring to ensure that Livepatch key is trusted by the
built-in keyring
Bad:
$ sudo keyctl list %:.builtin_trusted_keys
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel
key: 4182e0d0113d4a8f460783380c9e618ef1597bf5
Good:
$ sudo keyctl list %:.builtin_trusted_keys
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel
key: 52f8757621e8fc6dd500b32c3ead885a3b6d3cbc
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch
Signing: 14df34d1a87cf37625abec039ef2bf521249b969
[Regression Potential]
* Kernel keyring size will increase by one key. And thus kernel image
will too.
[Other Info]
* Current livepatch key fingerprints
mokutil uses der format
$ openssl x509 -inform der -in
/snap/canonical-livepatch/current/keys/livepatch-kmod.x509 -noout -fingerprint
-sha256
SHA256
Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
kernel use pem format
$ openssl x509 -inform pem -in debian/canonical-livepatch.pem -noout
-fingerprint -sha256
SHA256
Fingerprint=A4:1E:49:06:12:DD:38:56:F9:78:82:E3:66:66:9E:95:15:78:8E:65:68:50:35:46:0F:AC:59:72:4A:5B:92:FA
[Target kernels]
bionic and up, across the board, but maybe excluding fips kernels?!
[Patch]
https://lists.ubuntu.com/archives/kernel-team/2020-October/113929.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1898716/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
