[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
** Changed in: linux (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Released Status in linux source package in Focal: Fix Released Status in linux source package in Hirsute: Fix Released Status in linux source package in Impish: Fix Released Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug was fixed in the package linux - 5.11.0-40.44 --- linux (5.11.0-40.44) hirsute; urgency=medium * hirsute/linux: 5.11.0-40.44 -proposed tracker (LP: #1947876) * Packaging resync (LP: #1786013) - debian/dkms-versions -- update from kernel-versions (main/2021.10.18) linux (5.11.0-39.43) hirsute; urgency=medium * hirsute/linux: 5.11.0-39.43 -proposed tracker (LP: #1947227) * Packaging resync (LP: #1786013) - debian/dkms-versions -- update from kernel-versions (main/2021.10.18) * Add final-checks to check certificates (LP: #1947174) - [Packaging] Add system trusted and revocation keys final check * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s Gen2 (LP: #1939052) - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops. - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 * Fix cold plugged USB device on certain PCIe USB cards (LP: #1945211) - Revert "UBUNTU: SAUCE: Revert "usb: core: reduce power-on-good delay time of root hub"" - usb: core: hcd: Add support for deferring roothub registration - xhci: Set HCD flag to defer primary roothub registration - usb: core: hcd: Modularize HCD stop configuration in usb_stop_hcd() * Hirsute update: upstream stable patchset 2021-10-12 (LP: #1946788) - locking/mutex: Fix HANDOFF condition - regmap: fix the offset of register error log - regulator: tps65910: Silence deferred probe error - crypto: mxs-dcp - Check for DMA mapping errors - sched/deadline: Fix reset_on_fork reporting of DL tasks - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() - sched/deadline: Fix missing clock update in migrate_task_rq_dl() - rcu/tree: Handle VM stoppage in stall detection - EDAC/mce_amd: Do not load edac_mce_amd module on guests - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() - hrtimer: Ensure timerfd notification for HIGHRES=n - udf: Check LVID earlier - udf: Fix iocharset=utf8 mount option - isofs: joliet: Fix iocharset=utf8 mount option - bcache: add proper error unwinding in bcache_device_init - blk-throtl: optimize IOPS throttle for large IO scenarios - nvme-tcp: don't update queue count when failing to set io queues - nvme-rdma: don't update queue count when failing to set io queues - nvmet: pass back cntlid on successful completion - power: supply: smb347-charger: Add missing pin control activation - power: supply: max17042_battery: fix typo in MAx17042_TOFF - s390/cio: add dev_busid sysfs entry for each subchannel - s390/zcrypt: fix wrong offset index for APKA master key valid state - libata: fix ata_host_start() - crypto: omap - Fix inconsistent locking of device lists - crypto: qat - do not ignore errors from enable_vf2pf_comms() - crypto: qat - handle both source of interrupt in VF ISR - crypto: qat - fix reuse of completion variable - crypto: qat - fix naming for init/shutdown VF to PF notifications - crypto: qat - do not export adf_iov_putmsg() - fcntl: fix potential deadlock for &fasync_struct.fa_lock - udf_get_extendedattr() had no boundary checks. - s390/kasan: fix large PMD pages address alignment check - s390/pci: fix misleading rc in clp_set_pci_fn() - s390/debug: keep debug data on resize - s390/debug: fix debug area life cycle - s390/ap: fix state machine hang after failure to enable irq - power: supply: cw2015: use dev_err_probe to allow deferred probe - m68k: emu: Fix invalid free in nfeth_cleanup() - sched/numa: Fix is_core_idle() - sched: Fix UCLAMP_FLAG_IDLE setting - rcu: Fix to include first blocked task in stall warning - rcu: Add lockdep_assert_irqs_disabled() to rcu_sched_clock_irq() and callees - rcu: Fix stall-warning deadlock due to non-release of rcu_node ->lock - m68k: Fix invalid RMW_INSNS on CPUs that lack CAS - block: return ELEVATOR_DISCARD_MERGE if possible - spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config - spi: spi-pic32: Fix issue with uninitialized dma_slave_config - genirq/timings: Fix error return code in irq_timings_test_irqs() - irqchip/loongson-pch-pic: Improve edge triggered interrupt support - lib/mpi: use kcalloc in mpi_resize - clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel - spi: coldfire-qspi: Use clk_disable_unprepare in the remove function - irqchip/gic-v3: Fix priority comparison when non-secure priorities are used - crypto: qat - use proper type for vf_mask - certs: Trigger creation of RSA module signing key if it's not an RSA key - tpm: ibmvtpm: Avoid error message wh
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug was fixed in the package linux - 5.13.0-21.21 --- linux (5.13.0-21.21) impish; urgency=medium * impish/linux: 5.13.0-21.21 -proposed tracker (LP: #1947347) * It hangs while booting up with AMD W6800 [1002:73A3] (LP: #1945553) - drm/amdgpu: Rename flag which prevents HW access - drm/amd/pm: Fix a bug communicating with the SMU (v5) - drm/amd/pm: Fix a bug in semaphore double-lock * Add final-checks to check certificates (LP: #1947174) - [Packaging] Add system trusted and revocation keys final check * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s Gen2 (LP: #1939052) - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops. - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 * Check for changes relevant for security certifications (LP: #1945989) - [Packaging] Add a new fips-checks script - [Packaging] Add fips-checks as part of finalchecks * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707) - bnx2x: Fix enabling network interfaces without VFs * CVE-2021-3759 - memcg: enable accounting of ipc resources * [impish] Remove the downstream xr-usb-uart driver (LP: #1945938) - SAUCE: xr-usb-serial: remove driver - [Config] update modules list * Fix A yellow screen pops up in an instant (< 1 second) and then disappears before loading the system (LP: #1945932) - drm/i915: Stop force enabling pipe bottom color gammma/csc * Impish update: v5.13.18 upstream stable release (LP: #1946249) - Linux 5.13.18 * Impish update: v5.13.17 upstream stable release (LP: #1946247) - locking/mutex: Fix HANDOFF condition - regmap: fix the offset of register error log - regulator: tps65910: Silence deferred probe error - crypto: mxs-dcp - Check for DMA mapping errors - sched/deadline: Fix reset_on_fork reporting of DL tasks - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() - sched/deadline: Fix missing clock update in migrate_task_rq_dl() - rcu/tree: Handle VM stoppage in stall detection - EDAC/mce_amd: Do not load edac_mce_amd module on guests - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() - hrtimer: Ensure timerfd notification for HIGHRES=n - udf: Check LVID earlier - udf: Fix iocharset=utf8 mount option - isofs: joliet: Fix iocharset=utf8 mount option - bcache: add proper error unwinding in bcache_device_init - nbd: add the check to prevent overflow in __nbd_ioctl() - blk-throtl: optimize IOPS throttle for large IO scenarios - nvme-tcp: don't update queue count when failing to set io queues - nvme-rdma: don't update queue count when failing to set io queues - nvmet: pass back cntlid on successful completion - power: supply: smb347-charger: Add missing pin control activation - power: supply: max17042_battery: fix typo in MAx17042_TOFF - s390/cio: add dev_busid sysfs entry for each subchannel - s390/zcrypt: fix wrong offset index for APKA master key valid state - libata: fix ata_host_start() - sched/topology: Skip updating masks for non-online nodes - crypto: omap - Fix inconsistent locking of device lists - crypto: qat - do not ignore errors from enable_vf2pf_comms() - crypto: qat - handle both source of interrupt in VF ISR - crypto: qat - fix reuse of completion variable - crypto: qat - fix naming for init/shutdown VF to PF notifications - crypto: qat - do not export adf_iov_putmsg() - crypto: hisilicon/sec - fix the abnormal exiting process - crypto: hisilicon/sec - modify the hardware endian configuration - crypto: tcrypt - Fix missing return value check - fcntl: fix potential deadlocks for &fown_struct.lock - fcntl: fix potential deadlock for &fasync_struct.fa_lock - udf_get_extendedattr() had no boundary checks. - io-wq: remove GFP_ATOMIC allocation off schedule out path - s390/kasan: fix large PMD pages address alignment check - s390/pci: fix misleading rc in clp_set_pci_fn() - s390/debug: keep debug data on resize - s390/debug: fix debug area life cycle - s390/ap: fix state machine hang after failure to enable irq - sched/debug: Don't update sched_domain debug directories before sched_debug_init() - power: supply: cw2015: use dev_err_probe to allow deferred probe - m68k: emu: Fix invalid free in nfeth_cleanup() - crypto: x86/aes-ni - add missing error checks in XTS code - crypto: ecc - handle unaligned input buffer in ecc_swap_digits - sched/numa: Fix is_core_idle() - sched: Fix UCLAMP_FLAG_IDLE setting - rcu: Fix to include first blocked task in stall warning - rcu: Fix stall-warning deadlock due to non-
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug was fixed in the package linux - 4.15.0-162.170 --- linux (4.15.0-162.170) bionic; urgency=medium * bionic/linux: 4.15.0-162.170 -proposed tracker (LP: #1947293) * Add final-checks to check certificates (LP: #1947174) - [Packaging] Add system trusted and revocation keys final check * CVE-2020-36385 - RDMA/cma: Add missing locking to rdma_accept() - RDMA/ucma: Fix the locking of ctx->file - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy * CVE-2021-28950 - fuse: fix live lock in fuse_iget() * CVE-2020-36322 - fuse: fix bad inode * Bionic update: upstream stable patchset 2021-10-13 (LP: #1947011) - rcu: Fix missed wakeup of exp_wq waiters - apparmor: remove duplicate macro list_entry_is_head() - crypto: talitos - fix max key size for sha384 and sha512 - sctp: validate chunk size in __rcv_asconf_lookup - sctp: add param size validation for SCTP_PARAM_SET_PRIMARY - dmaengine: acpi: Avoid comparison GSI with Linux vIRQ - thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() - 9p/trans_virtio: Remove sysfs file on probe failure - prctl: allow to setup brk for et_dyn executables - profiling: fix shift-out-of-bounds bugs - pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered - Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH - parisc: Move pci_dev_is_behind_card_dino to where it is used - dmaengine: ioat: depends on !UML - dmaengine: xilinx_dma: Set DMA mask for coherent APIs - ceph: lockdep annotations for try_nonblocking_invalidate - nilfs2: fix memory leak in nilfs_sysfs_create_device_group - nilfs2: fix NULL pointer in nilfs_##name##_attr_release - nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group - nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group - nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group - nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group - pwm: rockchip: Don't modify HW state in .remove() callback - blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV - nilfs2: use refcount_dec_and_lock() to fix potential UAF - drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() * Invalid backport to v4.15: missing pgtable_l5_enabled (LP: #1946464) - SAUCE: Revert "x86/mm: Don't free P4D table when it is folded at runtime" * CVE-2021-38199 - NFSv4: Initialise connection to the server in nfs4_alloc_client() * CVE-2019-19449 - f2fs: fix wrong total_sections check and fsmeta check - f2fs: fix to do sanity check on segment/section count * vrf: fix refcnt leak with vxlan slaves (LP: #1945180) - ipv4: Fix device used for dst_alloc with local routes * Check for changes relevant for security certifications (LP: #1945989) - [Packaging] Add a new fips-checks script - [Packaging] Add fips-checks as part of finalchecks * CVE-2021-3759 - memcg: enable accounting of ipc resources * Bionic update: upstream stable patchset 2021-09-27 (LP: #1945224) - ARC: Fix CONFIG_STACKDEPOT - can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters - Revert "USB: serial: ch341: fix character loss at high transfer rates" - USB: serial: option: add new VID/PID to support Fibocom FG150 - usb: dwc3: gadget: Fix dwc3_calc_trbs_left() - usb: dwc3: gadget: Stop EP0 transfers during pullup disable - IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() - e1000e: Fix the max snoop/no-snoop latency for 10M - ip_gre: add validation for csum_start - xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' - net: marvell: fix MVNETA_TX_IN_PRGRS bit number - usb: gadget: u_audio: fix race condition on endpoint stop - opp: remove WARN when no valid OPPs remain - virtio: Improve vq->broken access to avoid any compiler optimization - vringh: Use wiov->used to check for read/write desc order - drm: Copy drm_wait_vblank to user before returning - drm/nouveau/disp: power down unused DP links during init - net/rds: dma_map_sg is entitled to merge entries - vt_kdsetmode: extend console locking - fbmem: add margin check to fb_check_caps() - KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs - Revert "floppy: reintroduce O_NDELAY fix" - net: qrtr: fix another OOB Read in qrtr_endpoint_post - net: hns3: fix get wrong pfc_en when query PFC configuration - xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG - qed: Fix the VF msix vectors flow - net: macb: Add a NULL check on desc_ptp - qede: Fix memset corruption - perf/x86/intel/pt: Fix mask of num_address_ranges - perf/x86/amd/ibs: Work around erratum #1197 - cry
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug was fixed in the package linux - 5.4.0-90.101 --- linux (5.4.0-90.101) focal; urgency=medium * focal/linux: 5.4.0-90.101 -proposed tracker (LP: #1947260) * Packaging resync (LP: #1786013) - debian/dkms-versions -- update from kernel-versions (main/2021.10.18) * Add final-checks to check certificates (LP: #1947174) - [Packaging] Add system trusted and revocation keys final check * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s Gen2 (LP: #1939052) - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i 15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops. - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s Gen2 * CVE-2020-36385 - RDMA/cma: Add missing locking to rdma_accept() - RDMA/ucma: Fix the locking of ctx->file - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy * Focal update: v5.4.148 upstream stable release (LP: #1946802) - rtc: tps65910: Correct driver module alias - btrfs: wake up async_delalloc_pages waiters after submit - btrfs: reset replace target device to allocation state on close - blk-zoned: allow zone management send operations without CAP_SYS_ADMIN - blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN - PCI/MSI: Skip masking MSI-X on Xen PV - powerpc/perf/hv-gpci: Fix counter value parsing - xen: fix setting of max_pfn in shared_info - include/linux/list.h: add a macro to test if entry is pointing to the head - 9p/xen: Fix end of loop tests for list_for_each_entry - tools/thermal/tmon: Add cross compiling support - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast - pinctrl: ingenic: Fix incorrect pull up/down info - soc: qcom: aoss: Fix the out of bound usage of cooling_devs - soc: aspeed: lpc-ctrl: Fix boundary check for mmap - soc: aspeed: p2a-ctrl: Fix boundary check for mmap - arm64: head: avoid over-mapping in map_memory - crypto: public_key: fix overflow during implicit conversion - block: bfq: fix bfq_set_next_ioprio_data() - power: supply: max17042: handle fails of reading status register - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() - VMCI: fix NULL pointer dereference when unmapping queue pair - media: uvc: don't do DMA on stack - media: rc-loopback: return number of emitters rather than error - Revert "dmaengine: imx-sdma: refine to load context only once" - dmaengine: imx-sdma: remove duplicated sdma_load_context - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs - ARM: 9105/1: atags_to_fdt: don't warn about stack size - PCI/portdrv: Enable Bandwidth Notification only if port supports it - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure - PCI: xilinx-nwl: Enable the clock through CCF - PCI: aardvark: Fix checking for PIO status - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts - HID: input: do not report stylus battery state as "full" - f2fs: quota: fix potential deadlock - scsi: bsg: Remove support for SCSI_IOCTL_SEND_COMMAND - IB/hfi1: Adjust pkey entry in index 0 - RDMA/iwcm: Release resources if iw_cm module initialization fails - docs: Fix infiniband uverbs minor number - pinctrl: samsung: Fix pinctrl bank pin count - vfio: Use config not menuconfig for VFIO_NOIOMMU - powerpc/stacktrace: Include linux/delay.h - RDMA/efa: Remove double QP type assignment - f2fs: show f2fs instance in printk_ratelimited - f2fs: reduce the scope of setting fsck tag when de->name_len is zero - openrisc: don't printk() unconditionally - dma-debug: fix debugfs initialization order - SUNRPC: Fix potential memory corruption - scsi: fdomain: Fix error return code in fdomain_probe() - pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() - scsi: smartpqi: Fix an error code in pqi_get_raid_map() - scsi: qedi: Fix error codes in qedi_alloc_global_queues() - scsi: qedf: Fix error codes in qedf_alloc_global_queues() - powerpc/config: Renable MTD_PHYSMAP_OF - scsi: target: avoid per-loop XCOPY buffer allocations - HID: i2c-hid: Fix Elan touchpad regression - KVM: PPC: Book3S HV Nested: Reflect guest PMU in-use to L0 when guest SPRs are live - platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from run_smbios_call - fscache: Fix cookie key hashing - clk: at91: sam9x60: Don't use audio PLL - clk: at91: clk-generated: pass the id of changeable parent at registration - clk: at91: clk-generated: Limit the requested rate to our range - KVM: PPC: Fix clearing never mapped TCEs in realmode - f2fs: fix to account mi
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
verification-done-bionic: dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/4.15.0-162.170/linux_4.15.0-162.170.dsc dpkg-source -x linux_4.15.0-162.170.dsc grep CONFIG_SYSTEM_TRUSTED_KEYS linux-4.15.0/debian/scripts/misc/final-checks if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required" ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
verification-done-focal: dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.4.0-90.101/linux_5.4.0-90.101.dsc dpkg-source -x linux_5.4.0-90.101.dsc grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.4.0/debian/scripts/misc/final-checks if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required" ** Tags removed: verification-needed-focal ** Tags added: verification-done-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
verification-done-impish: dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.13.0-21.21/linux_5.13.0-21.21.dsc dpkg-source -x linux_5.13.0-21.21.dsc grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.13.0/debian/scripts/misc/final-checks if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required" ** Tags removed: verification-needed-impish ** Tags added: verification-done-impish -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
verification-done-hirsute: dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.11.0-40.44/linux_5.11.0-40.44.dsc dpkg-source -x linux_5.11.0-40.44.dsc grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.11.0/debian/scripts/misc/final-checks if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required" ** Tags removed: verification-needed-hirsute ** Tags added: verification-done-hirsute -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug is awaiting verification that the linux/4.15.0-162.170 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug is awaiting verification that the linux/5.13.0-21.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-impish' to 'verification-done-impish'. If the problem still exists, change the tag 'verification-needed-impish' to 'verification-failed-impish'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-impish -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug is awaiting verification that the linux/5.4.0-90.101 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
This bug is awaiting verification that the linux/5.11.0-39.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-hirsute -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1947174] Re: Add final-checks to check certificates
** Also affects: linux (Ubuntu Focal) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Impish) Importance: Undecided Status: Incomplete ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Hirsute) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Impish) Status: Incomplete => In Progress ** Changed in: linux (Ubuntu Hirsute) Status: New => In Progress ** Changed in: linux (Ubuntu Focal) Status: New => In Progress ** Changed in: linux (Ubuntu Bionic) Status: New => In Progress ** Changed in: linux (Ubuntu Bionic) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Focal) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Hirsute) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Impish) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1947174 Title: Add final-checks to check certificates Status in linux package in Ubuntu: Fix Committed Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Fix Committed Bug description: [Impact] * As part of landing builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correct enforce newly enfoced keys in the derivative flavours. I.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or using older formats of annotations files. * As part fips validation work final-checks got added to check and assert that correct things are turned on. * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging generated .pem bundle in the config. [Test Plan] * Kernel should build * If trusted or revocation are configured in packaging but the config option is misconfigured (i.e. typo or not set), the kernel build and cranky close should fail [Where problems could occur] * This is a packaging change only, thus may result in valid kernels ftbfs but should be easy to rectify. [Other Info] * Also see https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 and kernels that derived from a primary kernel that had that fixed, and the subsequently failed boot testing due to not enabling those options. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1947174/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
