Public bug reported:
Upstream linux kernel now supports configuring built-in revoked
certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to pass revoked
certificates to the kernel and depending on how good EFI firmware is
this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load older
kernels that were signed with now revoked certificates.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1932029
Title:
Support builtin revoked certificates
Status in linux package in Ubuntu:
New
Bug description:
Upstream linux kernel now supports configuring built-in revoked
certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to pass revoked
certificates to the kernel and depending on how good EFI firmware is
this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load
older kernels that were signed with now revoked certificates.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
