[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2022-01-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.4.0-92.103

---
linux (5.4.0-92.103) focal; urgency=medium

  * focal/linux: 5.4.0-92.103 -proposed tracker (LP: #1952316)

  * Packaging resync (LP: #1786013)
- [Packaging] resync update-dkms-versions helper
- debian/dkms-versions -- update from kernel-versions (main/2021.11.29)

  * CVE-2021-4002
- tlb: mmu_gather: add tlb_flush_*_range APIs
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare

  * Re-enable DEBUG_INFO_BTF where it was disabled (LP: #1945632)
- [Config] Enable CONFIG_DEBUG_INFO_BTF on all arches

  * Focal linux-azure: Vm crash on Dv5/Ev5 (LP: #1950462)
- KVM: VMX: eVMCS: make evmcs_sanitize_exec_ctrls() work again
- jump_label: Fix usage in module __init

  * Support builtin revoked certificates (LP: #1932029)
- Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about
  cert lists that aren't present."
- integrity: Move import of MokListRT certs to a separate routine
- integrity: Load certs from the EFI MOK config table
- certs: Add ability to preload revocation certs
- integrity: Load mokx variables into the blacklist keyring
- certs: add 'x509_revocation_list' to gitignore
- SAUCE: Dump stack when X.509 certificates cannot be loaded
- [Packaging] build canonical-revoked-certs.pem from branch/arch certs
- [Packaging] Revoke 2012 UEFI signing certificate as built-in
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679)
- efi: Support for MOK variable config table
- efi: mokvar-table: fix some issues in new code
- efi: mokvar: add missing include of asm/early_ioremap.h
- efi/mokvar: Reserve the table only if it is in boot services data
- SAUCE: integrity: add informational messages when revoking certs

  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679) // CVE-2020-26541 when certificates are revoked via
MokListXRT.
- SAUCE: integrity: Load mokx certs from the EFI MOK config table

  * Focal update: v5.4.157 upstream stable release (LP: #1951883)
- ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
- ARM: 9134/1: remove duplicate memcpy() definition
- ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
- ARM: 9141/1: only warn about XIP address when not compile testing
- ipv6: use siphash in rt6_exception_hash()
- ipv4: use siphash instead of Jenkins in fnhe_hashfun()
- usbnet: sanity check for maxpacket
- usbnet: fix error return code in usbnet_probe()
- Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
- ata: sata_mv: Fix the error handling of mv_chip_id()
- nfc: port100: fix using -ERRNO as command type mask
- net/tls: Fix flipped sign in tls_err_abort() calls
- mmc: vub300: fix control-message timeouts
- mmc: cqhci: clear HALT state after CQE enable
- mmc: dw_mmc: exynos: fix the finding clock sample value
- mmc: sdhci: Map more voltage level to SDHCI_POWER_330
- mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning
  circuit
- cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
- net: lan78xx: fix division by zero in send path
- tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
- IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
- IB/hfi1: Fix abba locking issue with sc_disable()
- nvmet-tcp: fix data digest pointer calculation
- nvme-tcp: fix data digest pointer calculation
- RDMA/mlx5: Set user priority for DCT
- arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
- regmap: Fix possible double-free in regcache_rbtree_exit()
- net: batman-adv: fix error handling
- net: Prevent infinite while loop in skb_tx_hash()
- RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
- nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
- net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume
  fails
- net: ethernet: microchip: lan743x: Fix dma allocation failure by using
  dma_set_mask_and_coherent
- net: nxp: lpc_eth.c: avoid hang when bringing interface down
- net/tls: Fix flipped sign in async_wait.err assignment
- phy: phy_ethtool_ksettings_get: Lock the phy for consistency
- phy: phy_start_aneg: Add an unlocked version
- sctp: use init_tag from inithdr for ABORT chunk
- sctp: fix the processing for INIT_ACK chunk
- sctp: fix the processing for COOKIE_ECHO chunk
- sctp: add vtag check in sctp_sf_violation
- sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
- sctp: add vtag check in sctp_sf_ootb
- net: use netif_is_bridge_port() to check for IFF_BRIDGE_PORT
- cfg80211: correct bridge/4addr mode check
- KVM: s390: clear kicked_mask before 

[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2022-01-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-166.174

---
linux (4.15.0-166.174) bionic; urgency=medium

  * bionic/linux: 4.15.0-166.174 -proposed tracker (LP: #1953667)

  * Ubuntu version macros overflow with high ABI numbers (LP: #1953522)
- SAUCE: Revert "stable: clamp SUBLEVEL in 4.14"

  * test_bpf.sh test in net of ubuntu_kernel_selftests failed on B-4.15 and
variants (LP: #1953287)
- SAUCE: Revert "bpf: add also cbpf long jump test cases with heavy 
expansion"

  * test_bpf.sh test in net of ubuntu_kernel_selftests failed on B-4.15 and
variants (LP: #1953287) // CVE-2018-25020
- bpf: fix truncated jump targets on heavy expansions

linux (4.15.0-165.173) bionic; urgency=medium

  * bionic/linux: 4.15.0-165.173 -proposed tracker (LP: #1952780)

  * Support builtin revoked certificates (LP: #1932029)
- certs: Add EFI_CERT_X509_GUID support for dbx entries
- certs: Move load_system_certificate_list to a common function
- integrity: Move import of MokListRT certs to a separate routine
- integrity: Load certs from the EFI MOK config table
- certs: Add ability to preload revocation certs
- certs: add 'x509_revocation_list' to gitignore
- SAUCE: Dump stack when X.509 certificates cannot be loaded
- [Packaging] build canonical-revoked-certs.pem from branch/arch certs
- [Packaging] Revoke 2012 UEFI signing certificate as built-in
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679)
- efi: Support for MOK variable config table
- efi: mokvar-table: fix some issues in new code
- efi: mokvar: add missing include of asm/early_ioremap.h
- efi/mokvar: Reserve the table only if it is in boot services data
- SAUCE: integrity: Load mokx certs from the EFI MOK config table
- SAUCE: integrity: add informational messages when revoking certs

  * CVE-2021-4002
- arm64: tlb: Provide forward declaration of tlb_flush() before including
  tlb.h
- mm: mmu_notifier fix for tlb_end_vma
- hugetlbfs: flush TLBs correctly after huge_pmd_unshare

linux (4.15.0-164.172) bionic; urgency=medium

  * bionic/linux: 4.15.0-164.172 -proposed tracker (LP: #1952348)

  * Packaging resync (LP: #1786013)
- [Packaging] resync update-dkms-versions helper
- debian/dkms-versions -- update from kernel-versions (main/2021.11.29)

  * Bionic update: upstream stable patchset 2021-11-23 (LP: #1951997)
- btrfs: always wait on ordered extents at fsync time
- ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default
- xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF
- xtensa: xtfpga: Try software restart before simulating CPU reset
- NFSD: Keep existing listeners on portlist error
- netfilter: ipvs: make global sysctl readonly in non-init netns
- NIOS2: irqflags: rename a redefined register name
- can: rcar_can: fix suspend/resume
- can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state
  notification
- can: peak_pci: peak_pci_remove(): fix UAF
- ocfs2: fix data corruption after conversion from inline format
- ocfs2: mount fails with buffer overflow in strlen
- elfcore: correct reference to CONFIG_UML
- ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset
- ASoC: DAPM: Fix missing kctl change notifications
- nfc: nci: fix the UAF of rf_conn_info object
- isdn: cpai: check ctr->cnr to avoid array index out of bound
- netfilter: Kconfig: use 'default y' instead of 'm' for bool config option
- btrfs: deal with errors when checking if a dir entry exists during log
  replay
- net: stmmac: add support for dwmac 3.40a
- ARM: dts: spear3xx: Fix gmac node
- isdn: mISDN: Fix sleeping function called from invalid context
- platform/x86: intel_scu_ipc: Update timeout value in comment
- ALSA: hda: avoid write to STATESTS if controller is in reset
- tracing: Have all levels of checks prevent recursion
- ARM: 9122/1: select HAVE_FUTEX_CMPXCHG
- dma-debug: fix sg checks in debug_dma_map_sg()
- ASoC: wm8960: Fix clock configuration on slave mode
- lan78xx: select CRC32
- net: hns3: add limit ets dwrr bandwidth cannot be 0
- net: hns3: disable sriov before unload hclge layer
- ALSA: hda/realtek: Add quirk for Clevo PC50HS
- mm, slub: fix mismatch between reconstructed freelist depth and cnt
- gcc-plugins/structleak: add makefile var for disabling structleak

  * creat09 from ubuntu_ltp_syscalls and cve-2018-13405 from ubuntu_ltp/cve
failed with XFS (LP: #1950239)
- xfs: ensure that the inode uid/gid match values match the icdinode ones
- xfs: merge the projid fields in struct xfs_icdinode
- xfs: remove the icdinode di_uid/di_gid members
- xfs: fix up non-directory creation in SGID directories

  * ubuntu_ltp / finit_module02 fails on v4.15 and 

[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-10-18 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-azure-5.8 -
5.8.0-1043.46~20.04.1

---
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
(LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
id (LP: #1945987)
- btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
- NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
- bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
- memcg: enable accounting of ipc resources
  * CVE-2019-19449
- f2fs: fix wrong total_sections check and fsmeta check
- f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
- Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be 
loaded"
- integrity: Move import of MokListRT certs to a separate routine
- integrity: Load certs from the EFI MOK config table
- certs: Add EFI_CERT_X509_GUID support for dbx entries
- certs: Move load_system_certificate_list to a common function
- certs: Add ability to preload revocation certs
- integrity: Load mokx variables into the blacklist keyring
- certs: add 'x509_revocation_list' to gitignore
- SAUCE: Dump stack when X.509 certificates cannot be loaded
- [Packaging] build canonical-revoked-certs.pem from branch/arch certs
- [Packaging] Revoke 2012 UEFI signing certificate as built-in
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679)
- efi: Support for MOK variable config table
- efi: mokvar-table: fix some issues in new code
- efi: mokvar: add missing include of asm/early_ioremap.h
- efi/mokvar: Reserve the table only if it is in boot services data
- SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679) // CVE-2020-26541 when certificates are revoked via
MokListXRT.
- SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
- KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
- KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
- Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  * CVE-2021-38207
- net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
- ext4: fix race writing to an inline_data file while its xattrs are 
changing
  *  LRMv5: switch primary version handling to kernel-versions data set
(LP: #1928921)
- [Packaging] switch to kernel-versions

 -- Marcelo Henrique Cerri   Thu, 07 Oct 2021 09:39:35 -0300

** Changed in: linux-azure-5.8 (Ubuntu Focal)
   Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह (the Nepali language coordinators group), which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in 

[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-10-04 Thread Stefan Bader
** Changed in: linux-hwe-5.8 (Ubuntu)
   Status: New => Invalid


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  New
Status in linux-hwe-5.8 source package in Focal:
  In Progress
Status in linux-oem-5.10 source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-hwe-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid

Bug description:
  [Impact]

   * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
  which revokes many Ubuntu kernel hashes and 2012 signing key.

   * Kernel should import those into its %:.blacklist keyring such that
  it prohibits signed kexec of the revoked kernels.

   * v5.13-rc1 kernel has learned how to import mokx and how to import
  full certs into the %:.blacklist keyring.

   * However, it only does so by reading MokListXRT efi variable.

   * Due to the large size of Ubuntu's vendor-dbx, shim does not create
  MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2
  MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also
  exposes MokListXRT via mokvar table, which is easier to parse and
  contains all the revocations in full. Kernel needs a patch to read
  MokListXRT via mokvar table.

   * We have two options on how to proceed from here, either we include
  the same hashes and certs as our vendordbx in the kernel as
  revocation list, or we fix kernel to read MokListXRT via mokvar table

   * The above is known as CVE-2020-26541

   * Separately it would be nice to add informational dmesg messages
  when revoking signing certificates, as a good indication that signing
  key rotation events have happened and have been applied correctly.

  [Test Plan]

   * Boot kernel with 15.4 based Ubuntu shim

   * Install keyutils package

   * Execute $ sudo keyctl list %:.blacklist; it should list in excess
  of 300 hash entries. It also must list the asymmetric Canonical signing
  key from 2012.

   * Separately check dmesg to observe that asymmetric canonical signing
  key from 2012 is revoked.

    * $ sudo ls /sys/firmware/efi/mok-variables
  MokListRT  MokListXRT  SbatLevelRT

  When booted with shim, the mok-variables directory above should exist,
  and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.

  In kernel messages, the CA certificate should be loaded via MOKvar
  table i.e:

     * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

  [Where problems could occur]

   * EFI variable storage can be full, thus preventing shim from mirroring
  efivars and the moktable. On decent hardware this should not happen,
  but has been observed to be corrupted on some older EDKII based OVMF
  instances with small EFI variable storage space (pre-4MB).

  [Other Info]

   * The patches to fix the above have been submitted upstream

  
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.led...@canonical.com/

  
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.led...@canonical.com/

  This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
  kernel, until accepted upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions


___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
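
The [Impact] section above describes the mechanism the patches add: instead of reading the MokListXRT EFI variable (which shim splits into MokListXRT1/2/3 when the vendor-dbx is large), the kernel walks the MOK variable config table, finds the MokListXRT entry, and parses its EFI_SIGNATURE_LIST payload into the %:.blacklist keyring. The program below is an added example, not the kernel's code and not the patches this bug carries. It assumes the table entry layout the kernel uses (a 256-byte NUL-padded name, a 64-bit size, then the data, terminated by an entry with an empty name), the standard UEFI EFI_SIGNATURE_LIST layout, and the standard EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID. The sample table it builds is constructed, with placeholder bytes standing in for real hashes and DER certificates, and the function names (parse_siglists, mokvar_find, count_mokx_revocations) are this example's own.

```c
/* Added example, not kernel code and not the patches this bug carries: walk a MOK
 * variable config table as shim publishes it, find MokListXRT and parse its
 * EFI_SIGNATURE_LIST payload the way a blacklist loader must, bounds-checking
 * every firmware-supplied size field. All table contents are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Table entry layout: 256-byte NUL-padded name, u64 payload size, payload; the
 * table ends at an empty name. Assumed to match the kernel's
 * struct efi_mokvar_table_entry, read in host byte order. */
#define MOKVAR_HDR  264
#define SIGLIST_HDR 28   /* SignatureType GUID + ListSize + HeaderSize + SignatureSize */

/* EFI_GUIDs in their in-memory form (Data1..Data3 little-endian). */
static const uint8_t EFI_CERT_SHA256_GUID[16] = { 0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
    0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };  /* c1c41626-504c-4092-aca9-41f936934328 */
static const uint8_t EFI_CERT_X509_GUID[16]   = { 0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,
    0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };  /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */

struct revocation_counts { unsigned hashes, certs, unknown; };

static uint32_t le32(const uint8_t *p)
{ return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Parse concatenated EFI_SIGNATURE_LISTs; -1 if any size field would make us
 * read outside [buf, buf+len), which a buggy shim or firmware could cause. */
int parse_siglists(const uint8_t *buf, size_t len, struct revocation_counts *out)
{
    memset(out, 0, sizeof *out);
    for (size_t off = 0; off < len; ) {
        const uint8_t *h = buf + off;
        if (len - off < SIGLIST_HDR) return -1;
        uint32_t list_size = le32(h + 16), hdr_size = le32(h + 20), sig_size = le32(h + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off) return -1;
        if (hdr_size > list_size - SIGLIST_HDR) return -1;
        size_t body = list_size - SIGLIST_HDR - hdr_size, n;
        if (sig_size <= 16 || body % sig_size) return -1;  /* entry = owner GUID + data */
        n = body / sig_size;
        if (!memcmp(h, EFI_CERT_SHA256_GUID, 16)) {
            if (sig_size != 16 + 32) return -1;            /* must carry a SHA-256 digest */
            out->hashes += n;
        } else if (!memcmp(h, EFI_CERT_X509_GUID, 16)) out->certs += n;  /* DER cert to revoke */
        else out->unknown += n;                                          /* e.g. SHA-1: skipped */
        off += list_size;
    }
    return 0;
}

/* Look a variable up by name; NULL if absent or if the table is truncated. */
const uint8_t *mokvar_find(const uint8_t *tbl, size_t len, const char *name, size_t *size)
{
    for (size_t off = 0; len - off >= MOKVAR_HDR; ) {
        const uint8_t *e = tbl + off;
        uint64_t dsz; memcpy(&dsz, e + 256, 8);                    /* host byte order */
        if (e[0] == '\0') return NULL;                              /* terminator */
        if (dsz > len - off - MOKVAR_HDR) return NULL;              /* truncated table */
        if (!strncmp((const char *)e, name, 256)) { *size = dsz; return e + MOKVAR_HDR; }
        off += MOKVAR_HDR + dsz;
    }
    return NULL;
}

/* Constructed sample: MokListRT holding one placeholder CA cert, MokListXRT
 * holding two SHA-256 hashes plus one revoked cert, then the terminator. */
uint8_t sample_table[2048];
static size_t put32(size_t off, uint32_t v)
{ for (int i = 0; i < 4; i++) sample_table[off + i] = (uint8_t)(v >> (8 * i)); return off + 4; }
static size_t put_siglist(size_t off, const uint8_t *type, uint32_t sig_size, unsigned n, int fill)
{
    memcpy(sample_table + off, type, 16);
    off = put32(off + 16, SIGLIST_HDR + sig_size * n);
    off = put32(put32(off, 0), sig_size);                  /* no SignatureHeader */
    for (unsigned i = 0; i < n; i++, off += sig_size)
        memset(sample_table + off, fill + i, sig_size);    /* owner GUID + placeholder bytes */
    return off;
}
static size_t entry_begin(size_t off, const char *name)
{ memset(sample_table + off, 0, MOKVAR_HDR); strcpy((char *)sample_table + off, name); return off + MOKVAR_HDR; }
static void entry_end(size_t start, size_t end)
{ uint64_t sz = end - start - MOKVAR_HDR; memcpy(sample_table + start + 256, &sz, 8); }
size_t build_sample_table(void)
{
    size_t s = 0, off = entry_begin(0, "MokListRT");
    entry_end(s, off = put_siglist(off, EFI_CERT_X509_GUID, 16 + 40, 1, 0x30));
    s = off; off = entry_begin(off, "MokListXRT");
    off = put_siglist(off, EFI_CERT_SHA256_GUID, 16 + 32, 2, 0xaa);
    entry_end(s, off = put_siglist(off, EFI_CERT_X509_GUID, 16 + 40, 1, 0x30));
    memset(sample_table + off, 0, MOKVAR_HDR);             /* terminator */
    return off + MOKVAR_HDR;
}

/* What the loader does with MokListXRT: tally what goes into .blacklist. */
int count_mokx_revocations(const uint8_t *tbl, size_t len, struct revocation_counts *out)
{
    size_t sz;
    const uint8_t *xrt = mokvar_find(tbl, len, "MokListXRT", &sz);
    return xrt ? parse_siglists(xrt, sz, out) : -1;
}
int main(void)
{
    struct revocation_counts c;
    if (count_mokx_revocations(sample_table, build_sample_table(), &c)) return 1;
    return printf("MokListXRT: %u hash revocations, %u revoked certs\n", c.hashes, c.certs) < 0;
}
```

The point of the bounds checks is that every size field comes from firmware or from shim, so a loader that trusts them is one malformed table away from an early-boot out-of-bounds read; the changelog entry "efi/mokvar: Reserve the table only if it is in boot services data" is the same caution applied to the table's own memory. In a real run the two hash entries would become blacklist keys and the X.509 entry a revoked certificate, which is what the `keyctl list %:.blacklist` step of the test plan counts.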


[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-10-04 Thread Launchpad Bug Tracker
This bug was fixed in the package linux-oem-5.10 - 5.10.0-1049.51

---
linux-oem-5.10 (5.10.0-1049.51) focal; urgency=medium

  * focal/linux-oem-5.10: 5.10.0-1049.50 -proposed tracker (LP:
#1944209)

  * e1000e extremely slow (LP: #1930754)
- SAUCE: e1000e: Separate TGP board type from SPT
- SAUCE: e1000e: Fixing packet loss issues on new platforms

  * CVE-2021-41073
- io_uring: ensure symmetry in handling iter types in loop_rw_iter()

 -- Chia-Lin Kao (AceLan)   Mon, 27 Sep 2021 18:33:36 +0800

** Changed in: linux-oem-5.10 (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-41073


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  New
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  New
Status in linux-hwe-5.8 source package in Focal:
  In Progress
Status in linux-oem-5.10 source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-hwe-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid


[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-10-04 Thread Stefan Bader
** Also affects: linux-hwe-5.8 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-hwe-5.8 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-hwe-5.8 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-hwe-5.8 (Ubuntu Hirsute)
   Status: New => Invalid

** Changed in: linux-hwe-5.8 (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-hwe-5.8 (Ubuntu Focal)
   Status: New => In Progress

** Changed in: linux (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Focal)
   Status: New => In Progress


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  New
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  In Progress
Status in linux-azure-5.8 source package in Focal:
  New
Status in linux-hwe-5.8 source package in Focal:
  In Progress
Status in linux-oem-5.10 source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-hwe-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid


[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-27 Thread Dimitri John Ledkov
** Also affects: linux-azure-5.8 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-azure-5.8 (Ubuntu Hirsute)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-azure-5.8 (Ubuntu Xenial)
   Status: New => Invalid


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  New
Status in linux-azure-5.8 source package in Focal:
  New
Status in linux-oem-5.10 source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid

Bug description:
  [Impact]

   * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
  which revokes many Ubuntu kernel hashes and the 2012 signing key.

   * Kernel should import those into its %:.blacklist keyring such that
  it prohibits signed kexec of the revoked kernels.

   * v5.13-rc1 kernel has learned how to import mokx and how to import
  full certs into the %:.blacklist keyring.

   * However, it only does so by reading the MokListXRT efi variable.

   * Due to the large size of Ubuntu's vendor-dbx, shim does not create
  the MokListXRT efi variable, but instead creates MokListXRT1, MokListXRT2
  and MokListXRT3, which the v5.13-rc1 kernel currently cannot read. Shim
  also exposes MokListXRT via the mokvar table, which is easier to parse
  and contains all the revocations in full. Kernel needs a patch to read
  MokListXRT via the mokvar table.

   * We have two options on how to proceed from here: either we include
  the same hashes and certs as our vendor-dbx in the kernel as the
  revocation list, or we fix the kernel to read MokListXRT via the mokvar
  table.

   * The above is known as CVE-2020-26541.

   * Separately, it would be nice to add informational dmesg messages
  when revoking signing certificates, as a good indication that signing
  key rotation events have happened and have been applied correctly.

  [Test Plan]

   * Boot kernel with 15.4 based Ubuntu shim

   * Install keyutils package

   * Execute $ sudo keyctl list %:.blacklist; it should list in excess
  of 300 hash entries. It also must list the asymmetric Canonical signing
  key from 2012.

   * Separately check dmesg to observe that the asymmetric Canonical
  signing key from 2012 is revoked.

   * $ sudo ls /sys/firmware/efi/mok-variables
  MokListRT  MokListXRT  SbatLevelRT

  When booted with shim, the mok-variables directory above should exist,
  and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.

  In kernel messages, the CA certificate should be loaded via the MOKvar
  table, i.e.:

   * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63

  [Where problems could occur]

   * EFI variable storage can be full, thus preventing shim from mirroring
  efivars and the moktable. On decent hardware this should not happen,
  but it has been observed to be corrupted on some older EDKII based OVMF
  instances with small EFI variable storage space (pre-4MB).

  [Other Info]

   * The patches to fix the above have been submitted upstream:

  https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.led...@canonical.com/

  https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.led...@canonical.com/

  This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
  kernel, until accepted upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions


___
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help   : https://help.launchpad.net/ListHelp
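The Test Plan's three checks (300+ blacklist hashes, an asymmetric Canonical entry, the "MOKvar table" kernel log line) turned into an offline verification script. This is an added example, not part of the bug report or the Ubuntu kernel tree: it reads saved output of `sudo keyctl list %:.blacklist` and `sudo journalctl -b -k`; the sample keyctl lines (310 hashes, a placeholder fingerprint), the journal sample modelled on the lines quoted in the report, and the function names are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: evaluates the Test Plan's three
# conditions against saved `keyctl list %:.blacklist` and `journalctl -k`
# output, so it can run offline.

# Number of hash revocations: keyctl lists each with type "blacklist:".
count_hashes() {
    grep -c ' blacklist: ' "$1" || :
}
# True when a full certificate (type "asymmetric:") from Canonical is present,
# i.e. the revoked 2012 signing key was imported as a cert, not only a hash.
has_canonical_cert() {
    grep -q ' asymmetric: .*Canonical' "$1"
}
# True when the kernel logged loading MokListRT from the MOKvar config table
# (not from the possibly split MokListXRT* EFI variables).
loaded_via_mokvar() {
    grep -q 'X.509 certificate: UEFI:MokListRT (MOKvar table)' "$1"
}
# Verdict for the Test Plan: >= 300 hashes, Canonical cert, MOKvar log line.
check_revocations() {
    n=$(count_hashes "$1")
    if [ "$n" -ge 300 ] && has_canonical_cert "$1" && loaded_via_mokvar "$2"; then
        echo "PASS: $n hashes, Canonical cert revoked, loaded via MOKvar table"
        return 0
    fi
    echo "FAIL: $n hashes (need >= 300), or cert/MOKvar evidence missing"
    return 1
}

# CONSTRUCTED sample in `keyctl list` layout: 310 hash entries plus one
# asymmetric entry (the fingerprint is a placeholder, not a real key).
make_sample_blacklist() {
    echo '311 keys in keyring:' > "$1"
    i=0
    while [ "$i" -lt 310 ]; do
        printf '%10d: ---lswrv     0     0 blacklist: bin:%064x\n' \
            $((100000 + i)) "$i" >> "$1"
        i=$((i + 1))
    done
    echo ' 999999999: ---lswrv     0     0 asymmetric: Canonical Ltd. Secure Boot Signing: PLACEHOLDER-FINGERPRINT' >> "$1"
}
# CONSTRUCTED journal sample modelled on the lines quoted in the Test Plan.
make_sample_journal() {
    cat > "$1" <<'EOF'
Sep 27 13:11:04 host kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 host kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
EOF
}

# Stand-alone run: real captures as two arguments, else the constructed samples.
if [ "$#" -eq 2 ]; then check_revocations "$1" "$2"; else
    d=$(mktemp -d); make_sample_blacklist "$d/bl"; make_sample_journal "$d/j"
    check_revocations "$d/bl" "$d/j"; rm -rf "$d"
fi
```

On a machine booted with the 15.4 shim, save the two commands' output to files and pass them as the two arguments; with no arguments the script runs against its constructed samples.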


[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-10 Thread AceLan Kao
** Also affects: linux-oem-5.10 (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: linux-oem-5.10 (Ubuntu Xenial)
   Status: New => Invalid

** Changed in: linux-oem-5.10 (Ubuntu Bionic)
   Status: New => Invalid

** Changed in: linux-oem-5.10 (Ubuntu Focal)
   Status: New => Fix Committed

** Changed in: linux-oem-5.10 (Ubuntu Hirsute)
   Status: New => Invalid

** Changed in: linux-oem-5.10 (Ubuntu)
   Status: New => Invalid


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  New
Status in linux-oem-5.10 source package in Focal:
  Fix Committed
Status in linux source package in Hirsute:
  Fix Released
Status in linux-oem-5.10 source package in Hirsute:
  Invalid



[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-09-07 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.11.0-34.36

---
linux (5.11.0-34.36) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-34.36 -proposed tracker (LP: #1941766)

  * Server boot failure after adding checks for ACPI IRQ override (LP: #1941657)
- Revert "ACPI: resources: Add checks for ACPI IRQ override"

linux (5.11.0-33.35) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-33.35 -proposed tracker (LP: #1940101)

  * libvirtd fails to create VM (LP: #1940107)
- sched: Stop PF_NO_SETAFFINITY from being inherited by various init system
  threads

linux (5.11.0-32.34) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-32.34 -proposed tracker (LP: #1939769)

  * Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

  * CVE-2021-3656
- SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

  * CVE-2021-3653
- SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * [regression] USB device is not detected during boot (LP: #1939638)
- SAUCE: Revert "usb: core: reduce power-on-good delay time of root hub"

  * Support builtin revoked certificates (LP: #1932029)
- [Packaging] build canonical-revoked-certs.pem from branch/arch certs
- [Packaging] Revoke 2012 UEFI signing certificate as built-in
- [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679)
- SAUCE: integrity: add informational messages when revoking certs

  * Support importing mokx keys into revocation list from the mok table
(LP: #1928679) // CVE-2020-26541 when certificates are revoked via
MokListXRT.
- SAUCE: integrity: Load mokx certs from the EFI MOK config table

  * Include product_sku info to modalias (LP: #1938143)
- firmware/dmi: Include product_sku info to modalias

  * Fix Ethernet not working by hotplug - RTL8106E (LP: #1930645)
- net: phy: rename PHY_IGNORE_INTERRUPT to PHY_MAC_INTERRUPT
- SAUCE: r8169: Use PHY_POLL when RTL8106E enable ASPM

  * [SRU][H/OEM-5.10/OEM-5.13/U] Fix system hang after unplug tbt dock
(LP: #1938689)
- SAUCE: igc: fix page fault when thunderbolt is unplugged

  * [Regression] Audio card [8086:9d71] not detected after upgrade from linux
5.4 to 5.8 (LP: #1915117)
- [Config] set CONFIG_SND_SOC_INTEL_SKYLAKE_HDAUDIO_CODEC to y

  * Backlight (screen brightness) on Lenovo P14s AMD Gen2 inop (LP: #1934557)
- drm/amdgpu/display: only enable aux backlight control for OLED panels

  * Touchpad not working with ASUS TUF F15 (LP: #1937056)
- pinctrl: tigerlake: Fix GPIO mapping for newer version of software

  * dev_forward_skb: do not scrub skb mark within the same name space
(LP: #1935040)
- dev_forward_skb: do not scrub skb mark within the same name space

  * Fix display output on HP hybrid GFX laptops (LP: #1936296)
- drm/i915: Invoke another _DSM to enable MUX on HP Workstation laptops

  * [SRU][OEM-5.10/H] UBUNTU: SAUCE: Fix backlight control on Samsung 16727
panel (LP: #1930527)
- SAUCE: drm/i915: Force DPCD backlight mode for Samsung 16727 panel

  * XPS 9510 (TGL) Screen Brightness could not be changed (LP: #1933566)
- SAUCE: drm/i915: Force DPCD backlight mode for Dell XPS 9510(TGL)

  * [21.10 FEAT] KVM: Provide a secure guest indication (LP: #1933173)
- s390/uv: add prot virt guest/host indication files
- s390/uv: fix prot virt host indication compilation

  * Skip rtcpie test in kselftests/timers if the default RTC device does not
exist (LP: #1937991)
- selftests: timers: rtcpie: skip test if default RTC device does not exist

  * On TGL platforms screen shows garbage when browsing website by scrolling
mouse (LP: #1926579)
- drm/i915/display: Disable PSR2 if TGL Display stepping is B1 from A0

  * USB Type-C hotplug event not handled properly in TGL-H system during s2idle
(LP: #1931072)
- drm/i915/gen9_bc: Introduce HPD pin mappings for TGP PCH + CML combos
- drm/i915: Force a TypeC PHY disconnect during suspend/shutdown

  * NIC unavailable after suspend to RAM (LP: #1931301)
- SAUCE: Revert "ethernet: alx: fix order of calls on resume"

  * Make Intel GPUs choose YCbCr420 encoding automatically when required for 4k
60Hz output  (LP: #1934489)
- drm/i915: Use intel_hdmi_port_clock() more
- drm/i915/display: New function to avoid duplicate code in upcomming
- drm/i915/display: Restructure output format computation for better
  expandability
- drm/i915/display: Use YCbCr420 as fallback when RGB fails

  * Hirsute update: upstream stable patchset 2021-07-28 (LP: #1938340)
- Bluetooth: hci_qca: fix potential GPF
- Bluetooth: btqca: Don't modify firmware contents in-place
- Bluetooth: Remove spurious error message
- ALSA: usb-audio: fix rate on Ozone Z90 USB headset
- ALSA: usb-audio: Fix OOB access at proc output

[Group.of.nepali.translators] [Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

2021-08-18 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.13.0-14.14

---
linux (5.13.0-14.14) impish; urgency=medium

  * impish/linux: 5.13.0-14.14 -proposed tracker (LP: #1938565)

  * Miscellaneous Ubuntu changes
- SAUCE: Revert "UBUNTU: SAUCE: random: Make getrandom() ready earlier"
- SAUCE: random: properly make getrandom() ready earlier

  * Miscellaneous upstream changes
- seq_buf: Fix overflow in seq_buf_putmem_hex()
- bpf: Fix integer overflow in argument calculation for bpf_map_area_alloc
- ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
  transaction handle
- ext4: fix kernel infoleak via ext4_extent_header
- ext4: fix overflow in ext4_iomap_alloc()
- ext4: return error code when ext4_fill_flex_info() fails
- ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
- ext4: remove check for zero nr_to_scan in ext4_es_scan()
- ext4: fix avefreec in find_group_orlov
- ext4: use ext4_grp_locked_error in mb_find_extent

 -- Andrea Righi   Mon, 02 Aug 2021 14:23:08 +0200

** Changed in: linux (Ubuntu)
   Status: Confirmed => Fix Released


Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  New
Status in linux source package in Bionic:
  New
Status in linux source package in Focal:
  New
Status in linux source package in Hirsute:
  Fix Committed
