This bug was fixed in the package linux-oem-5.10 - 5.10.0-1049.51
---------------
linux-oem-5.10 (5.10.0-1049.51) focal; urgency=medium
* focal/linux-oem-5.10: 5.10.0-1049.50 -proposed tracker (LP:
#1944209)
* e1000e extremly slow (LP: #1930754)
- SAUCE: e1000e: Separate TGP board type from SPT
- SAUCE: e1000e: Fixing packet loss issues on new platforms
* CVE-2021-41073
- io_uring: ensure symmetry in handling iter types in loop_rw_iter()
-- Chia-Lin Kao (AceLan) <acelan....@canonical.com> Mon, 27 Sep 2021
18:33:36 +0800
** Changed in: linux-oem-5.10 (Ubuntu Focal)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41073
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-azure-5.8 in Ubuntu.
https://bugs.launchpad.net/bugs/1932029
Title:
Support builtin revoked certificates
Status in linux package in Ubuntu:
Fix Released
Status in linux-azure-5.8 package in Ubuntu:
Invalid
Status in linux-oem-5.10 package in Ubuntu:
Invalid
Status in linux source package in Xenial:
New
Status in linux-azure-5.8 source package in Xenial:
Invalid
Status in linux-oem-5.10 source package in Xenial:
Invalid
Status in linux source package in Bionic:
New
Status in linux-azure-5.8 source package in Bionic:
Invalid
Status in linux-oem-5.10 source package in Bionic:
Invalid
Status in linux source package in Focal:
New
Status in linux-azure-5.8 source package in Focal:
New
Status in linux-oem-5.10 source package in Focal:
Fix Released
Status in linux source package in Hirsute:
Fix Released
Status in linux-azure-5.8 source package in Hirsute:
Invalid
Status in linux-oem-5.10 source package in Hirsute:
Invalid
Bug description:
[Impact]
Upstream linux kernel now supports configuring built-in revoked
certificates for the .blacklist keyring.
Add support in our kernel configuration to have built-in revoked
certificates.
Revoke UEFI amd64 & arm64 2012 signing certificate.
Under UEFI Secureboot with lockdown, shim may attempt to communicate
revoked certificates to the kernel and depending on how good EFI
firmware is, this may or may not succeed.
By having these built-in, it will be prohibited to kexec file_load
older kernels that were signed with now revoked certificates, however
one boots.
[Test Plan]
* Boot kernel directly, or just with grub, and without shim
* Check that
$ sudo keyctl list %:.blacklist
Contains asymmetric 2012 key.
[Where problems could occur]
* Derivative and per-arch kernels may need to revoke different keys,
thus this should be evaluated on per arch & flavour basis as to which
keys to revoke.
[Other Info]
* In theory, this only needs to be revoked on amd64 and arm64, but
empty revocation list is not allowed by the kernel configury, thus at
the moment revoking 2012 UEFI cert for all architectures.
* an ubuntu kernel team regression test is being added to assert that
expected revoked certificates have been revoked
see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
* Previous reviews
Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
team/2021-June/121362.html
Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
team/2021-August/122996.html
Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
team/2021-August/123470.html
Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-
team/2021-September/124336.html
Focal & v5.4: https://lists.ubuntu.com/archives/kernel-
team/2021-October/124497.html
Bionic & v4.15: TODO
Xenial & v4.4: TODO
Trusty & v3.13: TODO
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
