[Kernel-packages] [Bug 1996892] Re: Expose built-in trusted and revoked certificates

Thu, 02 Mar 2023 18:18:30 -0800 

This bug was fixed in the package linux - 6.1.0-16.16

---------------
linux (6.1.0-16.16) lunar; urgency=medium

  * lunar/linux: 6.1.0-16.16 -proposed tracker (LP: #2008480)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- temporarily drop broken dkms

 -- Andrea Righi <[email protected]>  Fri, 24 Feb 2023 14:24:48
+0100

** Changed in: linux (Ubuntu Lunar)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1996892

Title:
  Expose built-in trusted and revoked certificates

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Jammy:
  Fix Released
Status in linux source package in Kinetic:
  Fix Released
Status in linux source package in Lunar:
  Fix Released

Bug description:
  [ Impact ]

   * Kernels have a set of builtin trusted and revoked certificates as a bundle
   * It is not very easy to access them, one needs to either download linux 
kernel package source code; or boot the kernel look up builtin hashes; and then 
find certificates externally
   * It would be more convenient for inspection to expose these in the 
buildinfo package, which already exposes auxiliary kernel information

  [ Test Plan ]

   * sudo apt install linux-buildinfo-$(uname -r)
   * check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and 
contains livepatch cert
   * check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists 
and contains 2012 cert

  Example output:
  $ grep Subject: -r usr/lib/linux
  usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: CN = 
Canonical Ltd. Live Patch Signing
  usr/lib/linux/5.19.0-24-generic/canonical-certs.pem:        Subject: C = GB, 
ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Kernel 
Module Signing
  usr/lib/linux/5.19.0-24-generic/canonical-revoked-certs.pem:        Subject: 
C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical 
Ltd. Secure Boot Signing

  
  [ Where problems could occur ]

   * buildinfo is an auxiliary package not installed by default, but
  used by developer tooling and packaging.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1996892/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to