[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Ubuntu 22.10 (Kinetic Kudu) has reached end of life, so this bug will not be fixed for that specific release.

** Changed in: linux (Ubuntu Kinetic)
       Status: Fix Committed => Won't Fix

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title:
  linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Status in linux package in Ubuntu: Fix Released
Status in linux-kvm package in Ubuntu: Invalid
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: Fix Released
Status in linux-kvm source package in Jammy: Fix Released
Status in linux-meta-azure source package in Jammy: Invalid
Status in linux-meta-kvm source package in Jammy: Invalid
Status in linux source package in Kinetic: Won't Fix
Status in linux-kvm source package in Kinetic: Invalid
Status in linux-meta-azure source package in Kinetic: Invalid
Status in linux-meta-kvm source package in Kinetic: Invalid
Status in linux source package in Lunar: Fix Released
Status in linux-kvm source package in Lunar: Fix Released
Status in linux-meta-azure source package in Lunar: Invalid
Status in linux-meta-kvm source package in Lunar: Invalid
Status in linux source package in Mantic: Won't Fix
Status in linux-kvm source package in Mantic: Invalid
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid

Bug description:
  SRU Justification

  [Impact]

  The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour.

  [Fix]

  Please consider enabling the following kconfigs:

  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_INTEGRITY_MACHINE_KEYRING
  CONFIG_IMA_ARCH_POLICY (this might not be necessary if the machine keyring implementation is patched to skip the check enabled by this kconfig)

  (The latter two are needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)

  These are already enabled in the 'main' kernel config, and in other distros.

  As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

  To verify whether this works, add a certificate to MOK, boot and check the content of the secondary keyring. The machine keyring should show up under it, and it should show the certificates loaded in MOK. E.g.:

  $ sudo keyctl show %:.secondary_trusted_keys
  Keyring
   159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
    88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
   889010778 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
   799434660 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
   541326986 ---lswrv      0     0   \_ keyring: .machine
   188508854 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
   475039424 ---lswrv      0     0       \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479

  [Regression Potential]

  MOK keys may not be correctly read.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2019040/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
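
Added example (not part of the bug report or of Ubuntu's tooling): a shell check for the two things the description asks testers to confirm, namely that the listed kconfigs are enabled and that MOK certificates appear under `.machine` in the `keyctl show` listing. The function names and the sample config and keyring listing are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel config and a `keyctl show %:.secondary_trusted_keys` listing
# for the dm-verity / MOK trust chain described in the bug report.

# Options the report asks for. CONFIG_IMA_ARCH_POLICY is only advisory here,
# because the report says it may be unnecessary on a patched machine keyring.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING CONFIG_INTEGRITY_MACHINE_KEYRING"
ADVISORY_KCONFIGS="CONFIG_IMA_ARCH_POLICY"

# kconfig_enabled FILE OPTION -> 0 if OPTION is =y or =m in FILE.
# The match is anchored so CONFIG_DM_VERITY does not match CONFIG_DM_VERITY_FEC.
kconfig_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# missing_kconfigs FILE -> prints each required option that is not enabled.
# Returns 0 only when nothing required is missing.
missing_kconfigs() {
    _missing=""
    for _opt in $REQUIRED_KCONFIGS; do
        kconfig_enabled "$1" "$_opt" || _missing="$_missing $_opt"
    done
    for _opt in $ADVISORY_KCONFIGS; do
        kconfig_enabled "$1" "$_opt" || echo "advisory: $_opt not set" >&2
    done
    if [ -z "$_missing" ]; then
        return 0
    fi
    printf '%s\n' $_missing
    return 1
}

# machine_keyring_keys: reads `keyctl show` output on stdin and prints the
# asymmetric keys nested under the .machine keyring.
# Returns 1 if .machine is not linked or holds no keys.
machine_keyring_keys() {
    awk '
        { col = index($0, "\\_") }   # nesting depth = column of the "\_" marker
        / keyring: \.machine[ \t]*$/ && col { mcol = col; inside = 1; next }
        inside && col && col <= mcol { inside = 0 }   # left the .machine subtree
        inside && col > mcol && /asymmetric: / {
            sub(/^.*asymmetric: /, ""); print; n++
        }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Constructed sample inputs (not taken from a real system).
sample_config() {
    cat <<'EOF'
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_IMA_ARCH_POLICY=y
EOF
}

sample_keyring() {
    cat <<'EOF'
Keyring
 100000001 ---lswrv      0     0  keyring: .secondary_trusted_keys
 100000002 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 100000003 ---lswrv      0     0   |   \_ asymmetric: Example Distro CA: 00aa
 100000004 ---lswrv      0     0   \_ keyring: .machine
 100000005 ---lswrv      0     0       \_ asymmetric: Example MOK cert: 00bb
EOF
}

# Demo on the constructed samples. On a real host, pass /boot/config-$(uname -r)
# and pipe in `sudo keyctl show %:.secondary_trusted_keys` instead.
demo() {
    _cfg=$(mktemp) && sample_config > "$_cfg"
    echo "missing kconfigs:"
    missing_kconfigs "$_cfg" || true
    echo "keys under .machine:"
    sample_keyring | machine_keyring_keys || echo "(none)"
    rm -f "$_cfg"
}
demo
```

A kernel that has the dm-verity options but lacks the secondary-keyring option will still load verity images; it just cannot validate root hash signatures against MOK-enrolled keys, which is why the config check and the keyring check are reported separately.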
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-mtk/5.15.0-1030.34 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-done-jammy-linux-mtk'. If the problem still exists, change the tag 'verification-needed-jammy-linux-mtk' to 'verification-failed-jammy-linux-mtk'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-mtk-v2 verification-needed-jammy-linux-mtk

Status in linux package in Ubuntu: Fix Released
Status in linux-kvm package in Ubuntu: Invalid
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: Fix Released
Status in linux-kvm source package in Jammy: Fix Released
Status in linux-meta-azure source package in Jammy: Invalid
Status in linux-meta-kvm source package in Jammy: Invalid
Status in linux source package in Kinetic: Fix Committed
Status in linux-kvm source package in Kinetic: Invalid
Status in linux-meta-azure source package in Kinetic: Invalid
Status in linux-meta-kvm source package in Kinetic: Invalid
Status in linux source package in Lunar: Fix Released
Status in linux-kvm source package in Lunar: Fix Released
Status in linux-meta-azure source package in Lunar: Invalid
Status in linux-meta-kvm source package in Lunar: Invalid
Status in linux source package in Mantic: Fix Committed
Status in linux-kvm source package in Mantic: Invalid
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
mantic:linux-laptop

CONFIGS/arm64-config.flavour.laptop:3151:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/arm64-config.flavour.laptop:3152:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
mantic:linux-gcp

CONFIGS/amd64-config.flavour.gcp:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.gcp:3081:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
mantic:linux-azure

CONFIGS/amd64-config.flavour.azure:2785:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.azure:2786:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

** Tags removed: verification-needed-mantic-linux-azure
** Tags added: verification-done-mantic-linux-azure

** Tags removed: verification-needed-mantic-linux-gcp verification-needed-mantic-linux-laptop
** Tags added: verification-done-mantic-linux-gcp verification-done-mantic-linux-laptop
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
jammy:nvidia-6.5

CONFIGS/amd64-config.flavour.nvidia:3079:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.nvidia:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

** Tags removed: verification-needed-jammy-linux-nvidia-6.5
** Tags added: verification-done-jammy-linux-nvidia-6.5

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Jammy:hwe-6.5

CONFIGS/amd64-config.flavour.generic:3079:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIGS/amd64-config.flavour.generic:3080:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug VT is a mess.. Nevertheless.

Jammy:lowlatency-hwe-6.5

./amd64-config.flavour.lowlatency:3084:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
./amd64-config.flavour.lowlatency:3085:CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y

** Tags removed: verification-needed-jammy-linux-lowlatency-hwe-6.5
** Tags added: verification-done-jammy-linux-lowlatency-hwe-6.5

** Tags removed: verification-done-jammy-linux-lowlatency-hwe-6.5 verification-needed-jammy-linux-hwe-6.5
** Tags added: verification-done-jammy-linux-hwe-6.5 verification-needed-jammy-linux-lowlatency-hwe-6.5
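The two checks this bug relies on (the kconfig values in a flavour config, and MOK certificates appearing in the machine keyring linked under the secondary keyring), as an added shell example that is not part of the bug report or of Ubuntu's tooling. The function names and the sample config and keyring listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the dm-verity signature
# prerequisites named in this bug. All sample data below is constructed.

# The five kconfigs requested in the bug description.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG \
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING \
CONFIG_INTEGRITY_MACHINE_KEYRING CONFIG_IMA_ARCH_POLICY"

# missing_kconfigs: read a kernel config on stdin and print every required
# option that is not enabled (=y or =m). "# CONFIG_X is not set" lines and
# absent options both count as missing.
missing_kconfigs() {
    awk -v required="$REQUIRED_KCONFIGS" '
        BEGIN { n = split(required, want, " ") }
        /^CONFIG_[A-Z0-9_]+=(y|m)$/ { split($0, kv, "="); enabled[kv[1]] = 1 }
        END { for (i = 1; i <= n; i++) if (!(want[i] in enabled)) print want[i] }
    '
}

# machine_keys: read `keyctl show` output on stdin and print the asymmetric
# keys nested under the .machine keyring. Nesting depth is taken from the
# column of the "\_" tree marker. Exit status is 0 only when .machine is
# linked below a .secondary_trusted_keys root, which is what lets MOK keys
# verify dm-verity root hash signatures.
machine_keys() {
    awk '
        { pos = index($0, "\\_") }                      # 0 on the root line
        pos == 0 && / keyring: / { root = $NF }
        in_machine && pos <= depth { in_machine = 0 }   # left the subtree
        in_machine && /asymmetric: / { sub(/^.*asymmetric: /, ""); print }
        / keyring: \.machine[ \t]*$/ {
            in_machine = 1
            depth = pos
            found = (root == ".secondary_trusted_keys")
        }
        END { exit !found }
    '
}

# Constructed sample: a flavour config with the signature options unset.
sample_config_before() {
    cat <<'EOF'
CONFIG_DM_VERITY=m
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not set
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_IMA_ARCH_POLICY=y
EOF
}

# Constructed sample: the same config with all requested options enabled.
sample_config_after() {
    cat <<'EOF'
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
CONFIG_INTEGRITY_MACHINE_KEYRING=y
CONFIG_IMA_ARCH_POLICY=y
EOF
}

# Constructed sample: keyring listing laid out like the one in the bug
# description, with placeholder key names and fingerprints.
sample_keyring() {
    cat <<'EOF'
Keyring
 100000001 ---lswrv      0     0  keyring: .secondary_trusted_keys
 100000002 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 100000003 ---lswrv      0     0   |   \_ asymmetric: Example Distro CA: aaaa0001
 100000004 ---lswrv      0     0   \_ keyring: .machine
 100000005 ---lswrv      0     0       \_ asymmetric: Example MOK Signer: bbbb0002
EOF
}

echo "kconfigs missing before the fix:"
sample_config_before | missing_kconfigs
echo "keys trusted through .machine:"
sample_keyring | machine_keys
```

On a running Ubuntu system the same functions take `/boot/config-$(uname -r)` and the output of the `keyctl show %:.secondary_trusted_keys` command quoted in the bug description as their input.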
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Changed in: linux-meta-azure (Ubuntu Lunar) Status: New => Invalid
** Changed in: linux-meta-kvm (Ubuntu Jammy) Status: New => Invalid
** Changed in: linux-meta-kvm (Ubuntu Kinetic) Status: New => Invalid
** Changed in: linux-meta-kvm (Ubuntu Lunar) Status: New => Invalid
** Changed in: linux-kvm (Ubuntu Kinetic) Status: In Progress => Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-lowlatency-hwe-6.5/6.5.0-14.14.1~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-done-jammy-linux-lowlatency-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-lowlatency-hwe-6.5' to 'verification-failed-jammy-linux-lowlatency-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-lowlatency-hwe-6.5-v2 verification-needed-jammy-linux-lowlatency-hwe-6.5
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug was fixed in the package linux - 6.6.0-14.14

---
linux (6.6.0-14.14) noble; urgency=medium

  * noble/linux: 6.6.0-14.14 -proposed tracker (LP: #2045243)

  * Noble update: v6.6.3 upstream stable release (LP: #2045244)
    - locking/ww_mutex/test: Fix potential workqueue corruption
    - btrfs: abort transaction on generation mismatch when marking eb as dirty
    - lib/generic-radix-tree.c: Don't overflow in peek()
    - x86/retpoline: Make sure there are no unconverted return thunks due to KCSAN
    - perf/core: Bail out early if the request AUX area is out of bound
    - srcu: Fix srcu_struct node grpmask overflow on 64-bit systems
    - selftests/lkdtm: Disable CONFIG_UBSAN_TRAP in test config
    - clocksource/drivers/timer-imx-gpt: Fix potential memory leak
    - clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware
    - srcu: Only accelerate on enqueue time
    - smp,csd: Throw an error if a CSD lock is stuck for too long
    - cpu/hotplug: Don't offline the last non-isolated CPU
    - workqueue: Provide one lock class key per work_on_cpu() callsite
    - x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size
    - wifi: plfxlc: fix clang-specific fortify warning
    - wifi: ath12k: Ignore fragments from uninitialized peer in dp
    - wifi: mac80211_hwsim: fix clang-specific fortify warning
    - wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
    - atl1c: Work around the DMA RX overflow issue
    - bpf: Detect IP == ksym.end as part of BPF program
    - wifi: ath9k: fix clang-specific fortify warnings
    - wifi: ath12k: fix possible out-of-bound read in ath12k_htt_pull_ppdu_stats()
    - wifi: ath10k: fix clang-specific fortify warning
    - wifi: ath12k: fix possible out-of-bound write in ath12k_wmi_ext_hal_reg_caps()
    - ACPI: APEI: Fix AER info corruption when error status data has multiple sections
    - net: sfp: add quirk for Fiberstone GPON-ONU-34-20BI
    - wifi: mt76: mt7921e: Support MT7992 IP in Xiaomi Redmibook 15 Pro (2023)
    - wifi: mt76: fix clang-specific fortify warnings
    - net: annotate data-races around sk->sk_tx_queue_mapping
    - net: annotate data-races around sk->sk_dst_pending_confirm
    - wifi: ath12k: mhi: fix potential memory leak in ath12k_mhi_register()
    - wifi: ath10k: Don't touch the CE interrupt registers after power up
    - net: sfp: add quirk for FS's 2.5G copper SFP
    - vsock: read from socket's error queue
    - bpf: Ensure proper register state printing for cond jumps
    - wifi: iwlwifi: mvm: fix size check for fw_link_id
    - Bluetooth: btusb: Add date->evt_skb is NULL check
    - Bluetooth: Fix double free in hci_conn_cleanup
    - ACPI: EC: Add quirk for HP 250 G7 Notebook PC
    - tsnep: Fix tsnep_request_irq() format-overflow warning
    - gpiolib: acpi: Add a ignore interrupt quirk for Peaq C1010
    - platform/chrome: kunit: initialize lock for fake ec_dev
    - of: address: Fix address translation when address-size is greater than 2
    - platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e
    - drm/gma500: Fix call trace when psb_gem_mm_init() fails
    - drm/amdkfd: ratelimited SQ interrupt messages
    - drm/komeda: drop all currently held locks if deadlock happens
    - drm/amd/display: Blank phantom OTG before enabling
    - drm/amd/display: Don't lock phantom pipe on disabling
    - drm/amd/display: add seamless pipe topology transition check
    - drm/edid: Fixup h/vsync_end instead of h/vtotal
    - md: don't rely on 'mddev->pers' to be set in mddev_suspend()
    - drm/amdgpu: not to save bo in the case of RAS err_event_athub
    - drm/amdkfd: Fix a race condition of vram buffer unref in svm code
    - drm/amdgpu: update retry times for psp vmbx wait
    - drm/amd: Update `update_pcie_parameters` functions to use uint8_t arguments
    - drm/amd/display: use full update for clip size increase of large plane source
    - string.h: add array-wrappers for (v)memdup_user()
    - kernel: kexec: copy user-array safely
    - kernel: watch_queue: copy user-array safely
    - drm_lease.c: copy user-array safely
    - drm: vmwgfx_surface.c: copy user-array safely
    - drm/msm/dp: skip validity check for DP CTS EDID checksum
    - drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7
    - drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga
    - drm/amdgpu: Fix potential null pointer derefernce
    - drm/panel: fix a possible null pointer dereference
    - drm/panel/panel-tpo-tpg110: fix a possible null pointer dereference
    - drm/radeon: fix a possible null pointer dereference
    - drm/amdgpu/vkms: fix a possible null pointer dereference
    - drm/panel: st7703: Pick different reset sequence
    - drm/amdkfd: Fix shift out-of-bounds issue
    - drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL
    - drm/amd: Disable PP_PCIE_DPM_MASK when dynamic speed switching not supported
    -
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-nvidia-6.5/6.5.0-1007.7 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-done-jammy-linux-nvidia-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-nvidia-6.5' to 'verification-failed-jammy-linux-nvidia-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-nvidia-6.5-v2 verification-needed-jammy-linux-nvidia-6.5
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-azure/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-azure' to 'verification-done-mantic-linux-azure'. If the problem still exists, change the tag 'verification-needed-mantic-linux-azure' to 'verification-failed-mantic-linux-azure'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-azure-v2 verification-needed-mantic-linux-azure
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-hwe-6.5/6.5.0-14.14~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-done-jammy-linux-hwe-6.5'. If the problem still exists, change the tag 'verification-needed-jammy-linux-hwe-6.5' to 'verification-failed-jammy-linux-hwe-6.5'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-hwe-6.5-v2 verification-needed-jammy-linux-hwe-6.5
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-laptop/6.5.0-1007.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-done-mantic-linux-laptop'. If the problem still exists, change the tag 'verification-needed-mantic-linux-laptop' to 'verification-failed-mantic-linux-laptop'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-laptop-v2 verification-needed-mantic-linux-laptop
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-gcp/6.5.0-1010.10 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-done-mantic-linux-gcp'. If the problem still exists, change the tag 'verification-needed-mantic-linux-gcp' to 'verification-failed-mantic-linux-gcp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-gcp-v2 verification-needed-mantic-linux-gcp

--
https://bugs.launchpad.net/bugs/2019040

Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Status in linux package in Ubuntu: Fix Committed
Status in linux-kvm package in Ubuntu: Invalid
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: Fix Released
Status in linux-kvm source package in Jammy: Fix Released
Status in linux-meta-azure source package in Jammy: Invalid
Status in linux-meta-kvm source package in Jammy: New
Status in linux source package in Kinetic: Fix Committed
Status in linux-kvm source package in Kinetic: In Progress
Status in linux-meta-azure source package in Kinetic: Invalid
Status in linux-meta-kvm source package in Kinetic: New
Status in linux source package in Lunar: Fix Released
Status in linux-kvm source package in Lunar: Fix Released
Status in linux-meta-azure source package in Lunar: New
Status in linux-meta-kvm source package in Lunar: New
Status in linux source package in Mantic: Fix Committed
Status in linux-kvm source package in Mantic: Invalid
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid

Bug description:
  SRU Justification

  [Impact]

  The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour.

  [Fix]

  Please consider enabling the following kconfigs:

  CONFIG_DM_VERITY
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
  CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
  CONFIG_INTEGRITY_MACHINE_KEYRING
  CONFIG_IMA_ARCH_POLICY (this might not be necessary if the machine keyring implementation is patched to skip the check enabled by this kconfig)

  (The latter two are needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)

  These are already enabled in the 'main' kernel config, and in other distros.

  As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

  To verify whether this works, add a certificate to MOK, boot and check the content of the secondary keyring. The machine keyring should show up under it, and it should show the certificates loaded in MOK. E.g.:

  $ sudo keyctl show %:.secondary_trusted_keys
  Keyring
   159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
    88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
   889010778 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
   799434660 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
   541326986 ---lswrv      0     0   \_ keyring: .machine
   188508854 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
   475039424 ---lswrv      0     0       \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479

  [Regression Potential]

  MOK keys may not be correctly read.
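A tester acting on a verification request like the one above can script the two checks the bug description gives: the requested kconfigs are enabled, and the `.machine` keyring is linked directly under `.secondary_trusted_keys` with the MOK certificates in it. This is an added example, not part of the bug report or of Ubuntu's tooling; the function names, the sample kernel config and the column spacing of the embedded `keyctl` output are constructed, while the key names and IDs are the ones quoted in the bug description.

```shell
#!/bin/sh
# Added example. Function names and sample inputs are constructed for illustration.

# Options requested in the bug description. It notes CONFIG_IMA_ARCH_POLICY may be
# unnecessary if the machine keyring implementation is patched to skip that check.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_INTEGRITY_MACHINE_KEYRING
CONFIG_IMA_ARCH_POLICY"

# Print every required option that is not built in (=y) or modular (=m) in the
# kernel config file given as $1 (on Ubuntu: /boot/config-$(uname -r)).
missing_kconfigs() {
    [ -r "$1" ] || { echo "cannot read kernel config: $1" >&2; return 2; }
    for opt in $REQUIRED_KCONFIGS; do
        grep -Eq "^${opt}=[ym]\$" "$1" || printf '%s\n' "$opt"
    done
}

# Read `keyctl show %:.secondary_trusted_keys` output on stdin and print the
# asymmetric keys held by .machine. Exit status 1 if .machine is not a direct
# child of .secondary_trusted_keys. Depth is the column of the "\_" tree marker.
machine_keyring_certs() {
    awk '
        { col = index($0, "\\_ ") }                          # 0 on the root line
        /keyring: \.secondary_trusted_keys[ \t]*$/ && col == 0 { in_root = 1; next }
        in_root && !child_col && col > 0 { child_col = col }  # depth of direct children
        in_root && col == child_col && /keyring: \.machine[ \t]*$/ {
            in_machine = 1; found = 1; next
        }
        in_machine && col > child_col && /asymmetric: / {
            sub(/^.*asymmetric: /, ""); print; next
        }
        in_machine && col <= child_col { in_machine = 0 }     # left the .machine subtree
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: a kernel config missing three of the five options.
sample_kvm_config() {
    cat <<'EOF'
CONFIG_DM_VERITY=m
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG is not set
CONFIG_IMA_ARCH_POLICY=y
EOF
}

# Keyring listing from the bug description; column spacing is reconstructed.
sample_keyctl_output() {
    cat <<'EOF'
Keyring
 159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
  88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 799434660 ---lswrv      0     0   |   \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f
 541326986 ---lswrv      0     0   \_ keyring: .machine
 188508854 ---lswrv      0     0       \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
 475039424 ---lswrv      0     0       \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a76935e67bdbe3f5e6968d62479
EOF
}

# Demo on the embedded samples. On a real system run instead:
#   missing_kconfigs "/boot/config-$(uname -r)"
#   sudo keyctl show %:.secondary_trusted_keys | machine_keyring_certs
demo_cfg=$(mktemp)
sample_kvm_config > "$demo_cfg"
echo "Missing kconfigs in sample config:"
missing_kconfigs "$demo_cfg"
rm -f "$demo_cfg"
echo "Certificates under .machine in sample keyring:"
sample_keyctl_output | machine_keyring_certs
```

Exit status 0 with no output from `machine_keyring_certs` means the keyring is linked but holds no certificates, which is a different failure from a missing `.machine` keyring (exit status 1).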
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-jammy-linux-xilinx-zynqmp
** Tags added: verification-done-jammy-linux-xilinx-zynqmp
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-mantic-linux
** Tags added: verification-done-mantic-linux
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux/6.5.0-12.12 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-mantic-linux' to 'verification-done-mantic-linux'. If the problem still exists, change the tag 'verification-needed-mantic-linux' to 'verification-failed-mantic-linux'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-mantic-linux-v2 verification-needed-mantic-linux
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Changed in: linux (Ubuntu Mantic)
   Status: In Progress => Fix Committed

** Changed in: linux-kvm (Ubuntu Mantic)
   Status: In Progress => Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-xilinx-zynqmp/5.15.0-1024.28 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-done-jammy-linux-xilinx-zynqmp'. If the problem still exists, change the tag 'verification-needed-jammy-linux-xilinx-zynqmp' to 'verification-failed-jammy-linux-xilinx-zynqmp'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux-xilinx-zynqmp-v2 verification-needed-jammy-linux-xilinx-zynqmp

--
https://bugs.launchpad.net/bugs/2019040

Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Status in linux package in Ubuntu: In Progress
Status in linux-kvm package in Ubuntu: In Progress
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: Fix Released
Status in linux-kvm source package in Jammy: Fix Released
Status in linux-meta-azure source package in Jammy: Invalid
Status in linux-meta-kvm source package in Jammy: New
Status in linux source package in Kinetic: Fix Committed
Status in linux-kvm source package in Kinetic: In Progress
Status in linux-meta-azure source package in Kinetic: Invalid
Status in linux-meta-kvm source package in Kinetic: New
Status in linux source package in Lunar: Fix Released
Status in linux-kvm source package in Lunar: Fix Released
Status in linux-meta-azure source package in Lunar: New
Status in linux-meta-kvm source package in Lunar: New
Status in linux source package in Mantic: In Progress
Status in linux-kvm source package in Mantic: In Progress
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-focal-linux-aws-5.15
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-aws-5.15/5.15.0-1046.51~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-done-focal-linux-aws-5.15'. If the problem still exists, change the tag 'verification-needed-focal-linux-aws-5.15' to 'verification-failed-focal-linux-aws-5.15'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-focal-linux-aws-5.15-v2 verification-needed-focal-linux-aws-5.15
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-hwe-6.2/6.2.0-26.26~22.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags removed: verification-done-jammy
** Tags added: kernel-spammed-jammy-linux-hwe-6.2 verification-needed-jammy

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/2019040

Title: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images

Status in linux package in Ubuntu: In Progress
Status in linux-kvm package in Ubuntu: In Progress
Status in linux-meta-azure package in Ubuntu: Invalid
Status in linux-meta-kvm package in Ubuntu: Invalid
Status in linux source package in Jammy: Fix Committed
Status in linux-kvm source package in Jammy: In Progress
Status in linux-meta-azure source package in Jammy: Invalid
Status in linux-meta-kvm source package in Jammy: New
Status in linux source package in Kinetic: Fix Committed
Status in linux-kvm source package in Kinetic: In Progress
Status in linux-meta-azure source package in Kinetic: Invalid
Status in linux-meta-kvm source package in Kinetic: New
Status in linux source package in Lunar: Fix Released
Status in linux-kvm source package in Lunar: Fix Released
Status in linux-meta-azure source package in Lunar: New
Status in linux-meta-kvm source package in Lunar: New
Status in linux source package in Mantic: In Progress
Status in linux-kvm source package in Mantic: In Progress
Status in linux-meta-azure source package in Mantic: Invalid
Status in linux-meta-kvm source package in Mantic: Invalid

Bug description:
SRU Justification

[Impact]
The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour.

[Fix]
Please consider enabling the following kconfigs:

CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_IMA_ARCH_POLICY

(The latter is needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)

These are already enabled in the 'main' kernel config, and in other distros.

As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.

[Regression Potential]
MOK keys may not be correctly read.

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2019040/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
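When testing a kernel from -proposed as these notifications request, a first check is whether its config file carries the kconfigs listed under [Fix] in the bug description. The script below is an added example, not part of the bug report or of Ubuntu's tooling; the function names and both sample configs are constructed for illustration, and /boot/config-$(uname -r) is assumed as the config location.

```shell
#!/bin/sh
# Added example: report the state of the dm-verity kconfigs named in the
# bug description for a given kernel config file.

# The four options listed under [Fix] in the bug description.
VERITY_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_IMA_ARCH_POLICY"

# kconfig_state FILE OPTION -> prints "y", "m" or "unset".
kconfig_state() {
    # An enabled option is recorded as "OPTION=y" or "OPTION=m"; a disabled
    # one is absent or recorded as "# OPTION is not set". The trailing "="
    # in the pattern keeps CONFIG_DM_VERITY from matching its longer siblings.
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | tail -n 1)
    case "$val" in
        y|m) printf '%s\n' "$val" ;;
        *)   printf 'unset\n' ;;
    esac
}

# check_verity_kconfigs FILE -> prints one line per option.
# Returns 0 if all are enabled, 1 if any is unset, 2 if FILE is unreadable.
check_verity_kconfigs() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    missing=0
    for opt in $VERITY_KCONFIGS; do
        state=$(kconfig_state "$cfg" "$opt")
        printf '%-56s %s\n' "$opt" "$state"
        if [ "$state" = unset ]; then
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# sample_config before|after -> prints a constructed config fragment.
# "before" models a flavour without dm-verity; "after" uses the two values
# shown in the changelog entries (DM_VERITY=m, ..._SECONDARY_KEYRING=y) and
# assumes =y for the remaining two options.
sample_config() {
    case "$1" in
        before) cat <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_VERITY is not set
# CONFIG_IMA_ARCH_POLICY is not set
EOF
        ;;
        after) cat <<'EOF'
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=m
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
CONFIG_IMA_ARCH_POLICY=y
EOF
        ;;
    esac
}

# Check the file given as the first argument, or the running kernel's config
# when it is readable; do nothing if neither is available.
target=${1:-/boot/config-$(uname -r)}
if [ -r "$target" ]; then
    check_verity_kconfigs "$target" || echo "one or more dm-verity kconfigs are not enabled in $target"
fi
```

A passing check only shows that the options were compiled in; whether MOK keys are actually read into the keyring, the concern noted under [Regression Potential], still needs a boot test.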
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-azure/6.2.0-1009.9 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-lunar-linux-azure
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux-riscv/6.2.0-27.28.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags removed: verification-done-lunar
** Tags added: kernel-spammed-lunar-linux-riscv verification-needed-lunar
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug was fixed in the package linux-kvm - 6.2.0-1008.8

---
linux-kvm (6.2.0-1008.8) lunar; urgency=medium

  * lunar/linux-kvm: 6.2.0-1008.8 -proposed tracker (LP: #2025454)
  * Packaging resync (LP: #1786013)
    - [Packaging] resync update-dkms-versions helper
  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY=m

  [ Ubuntu: 6.2.0-25.25 ]

  * lunar/linux: 6.2.0-25.25 -proposed tracker (LP: #2024167)
  * ftrace in ubuntu_kernel_selftests failed with "check if duplicate events are caught" on J-5.15 P9 / J-kvm / L-kvm (LP: #1977827)
    - SAUCE: selftests/ftrace: Add test dependency
  * Add microphone support of the front headphone port on P3 Tower (LP: #2023650)
    - ALSA: hda/realtek: Add Lenovo P3 Tower platform
  * Add audio support for ThinkPad P1 Gen 6 and Z16 Gen 2 (LP: #2023539)
    - ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6
  * Fix Disable thunderbolt clx make edp-monitor garbage while moving the touchpad (LP: #2023004)
    - drm/i915: Use 18 fast wake AUX sync len
  * Fix Monitor lost after replug WD19TBS to SUT port with VGA/DVI to type-C dongle (LP: #2021949)
    - thunderbolt: Increase timeout of DP OUT adapter handshake
    - thunderbolt: Do not touch CL state configuration during discovery
    - thunderbolt: Increase DisplayPort Connection Manager handshake timeout
  * Enable Tracing Configs for OSNOISE and TIMERLAT (LP: #2018591)
    - [Config] Enable OSNOISE_TRACER and TIMERLAT_TRACER configs
  * Fix only reach PC3 when ethernet is plugged r8169 (LP: #1946433)
    - r8169: use spinlock to protect mac ocp register access
    - r8169: use spinlock to protect access to registers Config2 and Config5
    - r8169: enable cfg9346 config register access in atomic context
    - r8169: prepare rtl_hw_aspm_clkreq_enable for usage in atomic context
    - r8169: disable ASPM during NAPI poll
    - r8169: remove ASPM restrictions now that ASPM is disabled during NAPI poll
  * introduce do_lib_rust=true|false to enable/disable linux-lib-rust package (LP: #2021605)
    - [Packaging] introduce do_lib_rust and enable it only on generic amd64
  * System either hang with black screen or rebooted on entering suspend on AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics (LP: #2020685)
    - drm/amdgpu: refine get gpu clock counter method
    - drm/amdgpu/gfx11: update gpu_clock_counter logic
  * generate linux-lib-rust only on amd64 (LP: #2020356)
    - [Packaging] generate linux-lib-rust only on amd64
  * No HDMI/DP audio output on dock(Nvidia GPU) (LP: #2020062)
    - ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
  * Add support for mdev_set_iommu_device() kABI in Ubuntu 22.10 kernel (LP: #1988806)
    - SAUCE: Add mdev_set_iommu_device() kABI.
  * Enable audio LEDs on HP laptops (LP: #2019915)
    - ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop
    - ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop
  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
  * Lunar update: v6.2.13 upstream stable release (LP: #2023929)
    - ARM: dts: rockchip: fix a typo error for rk3288 spdif node
    - arm64: dts: rockchip: Lower sd speed on rk3566-soquartz
    - arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
    - arm64: dts: qcom: ipq8074-hk10: enable QMP device, not the PHY node
    - arm64: dts: meson-g12-common: specify full DMC range
    - arm64: dts: meson-g12-common: resolve conflict between canvas & pmu
    - perf/amlogic: adjust register offsets
    - arm64: dts: qcom: sc8280xp-pmics: fix pon compatible and registers
    - arm64: dts: imx8mm-evk: correct pmic clock source
    - arm64: dts: imx8mm-verdin: correct off-on-delay
    - arm64: dts: imx8mp-verdin: correct off-on-delay
    - netfilter: br_netfilter: fix recent physdev match breakage
    - netfilter: nf_tables: Modify nla_memdup's flag to GFP_KERNEL_ACCOUNT
    - rust: str: fix requierments->requirements typo
    - regulator: fan53555: Explicitly include bits header
    - regulator: fan53555: Fix wrong TCS_SLEW_MASK
    - virtio_net: bugfix overflow inside xdp_linearize_page()
    - sfc: Fix use-after-free due to selftest_work
    - netfilter: nf_tables: fix ifdef to also consider nf_tables=m
    - i40e: fix accessing vsi->active_filters without holding lock
    - i40e: fix i40e_setup_misc_vector() error handling
    - netfilter: nf_tables: validate catch-all set elements
    - cxgb4: fix use after free bugs caused by circular dependency problem
    - netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
    - bnxt_en: Do not initialize PTP on older P3/P4 chips
    - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
    - LoongArch: Fix build error if CONFIG_SUSPEND is not set
    - bonding: Fix
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug was fixed in the package linux - 6.2.0-25.25

---
linux (6.2.0-25.25) lunar; urgency=medium

  * lunar/linux: 6.2.0-25.25 -proposed tracker (LP: #2024167)
  * ftrace in ubuntu_kernel_selftests failed with "check if duplicate events are caught" on J-5.15 P9 / J-kvm / L-kvm (LP: #1977827)
    - SAUCE: selftests/ftrace: Add test dependency
  * Add microphone support of the front headphone port on P3 Tower (LP: #2023650)
    - ALSA: hda/realtek: Add Lenovo P3 Tower platform
  * Add audio support for ThinkPad P1 Gen 6 and Z16 Gen 2 (LP: #2023539)
    - ALSA: hda/realtek: Add quirk for ThinkPad P1 Gen 6
  * Fix Disable thunderbolt clx make edp-monitor garbage while moving the touchpad (LP: #2023004)
    - drm/i915: Use 18 fast wake AUX sync len
  * Fix Monitor lost after replug WD19TBS to SUT port with VGA/DVI to type-C dongle (LP: #2021949)
    - thunderbolt: Increase timeout of DP OUT adapter handshake
    - thunderbolt: Do not touch CL state configuration during discovery
    - thunderbolt: Increase DisplayPort Connection Manager handshake timeout
  * Enable Tracing Configs for OSNOISE and TIMERLAT (LP: #2018591)
    - [Config] Enable OSNOISE_TRACER and TIMERLAT_TRACER configs
  * Fix only reach PC3 when ethernet is plugged r8169 (LP: #1946433)
    - r8169: use spinlock to protect mac ocp register access
    - r8169: use spinlock to protect access to registers Config2 and Config5
    - r8169: enable cfg9346 config register access in atomic context
    - r8169: prepare rtl_hw_aspm_clkreq_enable for usage in atomic context
    - r8169: disable ASPM during NAPI poll
    - r8169: remove ASPM restrictions now that ASPM is disabled during NAPI poll
  * introduce do_lib_rust=true|false to enable/disable linux-lib-rust package (LP: #2021605)
    - [Packaging] introduce do_lib_rust and enable it only on generic amd64
  * System either hang with black screen or rebooted on entering suspend on AMD Ryzen 9 PRO 7940HS w/ Radeon 780M Graphics (LP: #2020685)
    - drm/amdgpu: refine get gpu clock counter method
    - drm/amdgpu/gfx11: update gpu_clock_counter logic
  * generate linux-lib-rust only on amd64 (LP: #2020356)
    - [Packaging] generate linux-lib-rust only on amd64
  * No HDMI/DP audio output on dock(Nvidia GPU) (LP: #2020062)
    - ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
  * Add support for mdev_set_iommu_device() kABI in Ubuntu 22.10 kernel (LP: #1988806)
    - SAUCE: Add mdev_set_iommu_device() kABI.
  * Enable audio LEDs on HP laptops (LP: #2019915)
    - ALSA: hda/realtek: Fix mute and micmute LEDs for an HP laptop
    - ALSA: hda/realtek: Fix mute and micmute LEDs for yet another HP laptop
  * linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images (LP: #2019040)
    - [Config] CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING=y
  * Lunar update: v6.2.13 upstream stable release (LP: #2023929)
    - ARM: dts: rockchip: fix a typo error for rk3288 spdif node
    - arm64: dts: rockchip: Lower sd speed on rk3566-soquartz
    - arm64: dts: qcom: ipq8074-hk01: enable QMP device, not the PHY node
    - arm64: dts: qcom: ipq8074-hk10: enable QMP device, not the PHY node
    - arm64: dts: meson-g12-common: specify full DMC range
    - arm64: dts: meson-g12-common: resolve conflict between canvas & pmu
    - perf/amlogic: adjust register offsets
    - arm64: dts: qcom: sc8280xp-pmics: fix pon compatible and registers
    - arm64: dts: imx8mm-evk: correct pmic clock source
    - arm64: dts: imx8mm-verdin: correct off-on-delay
    - arm64: dts: imx8mp-verdin: correct off-on-delay
    - netfilter: br_netfilter: fix recent physdev match breakage
    - netfilter: nf_tables: Modify nla_memdup's flag to GFP_KERNEL_ACCOUNT
    - rust: str: fix requierments->requirements typo
    - regulator: fan53555: Explicitly include bits header
    - regulator: fan53555: Fix wrong TCS_SLEW_MASK
    - virtio_net: bugfix overflow inside xdp_linearize_page()
    - sfc: Fix use-after-free due to selftest_work
    - netfilter: nf_tables: fix ifdef to also consider nf_tables=m
    - i40e: fix accessing vsi->active_filters without holding lock
    - i40e: fix i40e_setup_misc_vector() error handling
    - netfilter: nf_tables: validate catch-all set elements
    - cxgb4: fix use after free bugs caused by circular dependency problem
    - netfilter: nf_tables: tighten netlink attribute requirements for catch-all elements
    - bnxt_en: Do not initialize PTP on older P3/P4 chips
    - mlxfw: fix null-ptr-deref in mlxfw_mfa2_tlv_next()
    - LoongArch: Fix build error if CONFIG_SUSPEND is not set
    - bonding: Fix memory leak when changing bond type to Ethernet
    - net: rpl: fix rpl header size calculation
    - mlxsw: pci: Fix possible crash during initialization
    - spi: spi-rockchip: Fix missing unwind goto in rockchip_sfc_probe()
    - bpf: Fix incorrect verifier pruning due to missing register precision taints
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Tags removed: verification-needed-kinetic
** Tags added: verification-done-kinetic
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux/5.19.0-47.49 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-kinetic' to 'verification-done-kinetic'. If the problem still exists, change the tag 'verification-needed-kinetic' to 'verification-failed-kinetic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-kinetic-linux verification-needed-kinetic
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
linux-generic looks good, thanks. Will the changes to linux-kvm and linux-azure be merged separately later?

** Tags removed: verification-needed-jammy verification-needed-lunar
** Tags added: verification-done-jammy verification-done-lunar
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux/6.2.0-25.25 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lunar' to 'verification-done-lunar'. If the problem still exists, change the tag 'verification-needed-lunar' to 'verification-failed-lunar'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-lunar-linux verification-needed-lunar
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
This bug is awaiting verification that the linux/5.15.0-77.84 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

** Tags added: kernel-spammed-jammy-linux verification-needed-jammy
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Changed in: linux (Ubuntu Lunar) Status: In Progress => Fix Committed
** Changed in: linux (Ubuntu Kinetic) Status: In Progress => Fix Committed
** Changed in: linux (Ubuntu Jammy) Status: In Progress => Fix Committed
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Hi, any update on these config changes? Have they been queued?
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Thank you! Do you have details about the performance impact of IMA_ARCH?
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Submitted patches for review: https://lists.ubuntu.com/archives/kernel-team/2023-May/139435.html

Note that the proposed patches do not include IMA_ARCH given the performance impacts that option imposes.
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Also affects: linux-kvm (Ubuntu) Importance: Undecided Status: New
** Changed in: linux-kvm (Ubuntu Jammy) Importance: Undecided => Medium
** Changed in: linux-kvm (Ubuntu Jammy) Status: New => In Progress
** Changed in: linux-kvm (Ubuntu Jammy) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux-kvm (Ubuntu Kinetic) Importance: Undecided => Medium
** Changed in: linux-kvm (Ubuntu Kinetic) Status: New => In Progress
** Changed in: linux-kvm (Ubuntu Kinetic) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux-kvm (Ubuntu Lunar) Importance: Undecided => Medium
** Changed in: linux-kvm (Ubuntu Lunar) Status: New => In Progress
** Changed in: linux-kvm (Ubuntu Lunar) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux-kvm (Ubuntu Mantic) Importance: Undecided => Medium
** Changed in: linux-kvm (Ubuntu Mantic) Status: New => In Progress
** Changed in: linux-kvm (Ubuntu Mantic) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux-meta-azure (Ubuntu Jammy) Status: New => Invalid
** Changed in: linux-meta-azure (Ubuntu Kinetic) Status: New => Invalid
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Changed in: linux-meta-azure (Ubuntu) Status: New => Invalid
** Changed in: linux-meta-kvm (Ubuntu) Status: New => Invalid
** Changed in: linux (Ubuntu) Importance: Undecided => Medium
** Changed in: linux (Ubuntu) Status: Confirmed => In Progress
** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Also affects: linux (Ubuntu Mantic) Importance: Medium Assignee: Tim Gardner (timg-tpi) Status: In Progress
** Also affects: linux-meta-azure (Ubuntu Mantic) Importance: Undecided Status: Invalid
** Also affects: linux-meta-kvm (Ubuntu Mantic) Importance: Undecided Status: Invalid
** Also affects: linux (Ubuntu Lunar) Importance: Undecided Status: New
** Also affects: linux-meta-azure (Ubuntu Lunar) Importance: Undecided Status: New
** Also affects: linux-meta-kvm (Ubuntu Lunar) Importance: Undecided Status: New
** Also affects: linux (Ubuntu Kinetic) Importance: Undecided Status: New
** Also affects: linux-meta-azure (Ubuntu Kinetic) Importance: Undecided Status: New
** Also affects: linux-meta-kvm (Ubuntu Kinetic) Importance: Undecided Status: New
** Also affects: linux (Ubuntu Jammy) Importance: Undecided Status: New
** Also affects: linux-meta-azure (Ubuntu Jammy) Importance: Undecided Status: New
** Also affects: linux-meta-kvm (Ubuntu Jammy) Importance: Undecided Status: New
** Changed in: linux (Ubuntu Jammy) Importance: Undecided => Medium
** Changed in: linux (Ubuntu Jammy) Status: New => In Progress
** Changed in: linux (Ubuntu Jammy) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux (Ubuntu Kinetic) Importance: Undecided => Medium
** Changed in: linux (Ubuntu Kinetic) Status: New => In Progress
** Changed in: linux (Ubuntu Kinetic) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Changed in: linux (Ubuntu Lunar) Importance: Undecided => Medium
** Changed in: linux (Ubuntu Lunar) Status: New => In Progress
** Changed in: linux (Ubuntu Lunar) Assignee: (unassigned) => Tim Gardner (timg-tpi)
** Description changed: + SRU Justification + + [Impact] + The kvm flavours currently do not enable dm-verity. This stops us from using integrity protected and verified images in VMs using this kernel flavour. + + [Fix] Please consider enabling the following kconfigs: CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING CONFIG_IMA_ARCH_POLICY (The latter is needed to ensure that MoK keys can be used to verify dm- verity images too, via the machine keyring linked to the secondary keyring) These are already enabled in the 'main' kernel config, and in other distros. As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel. + + [Regression Potential] + + MOK keys may not be correctly read.
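Review bot: the added [Regression Potential] section says only "MOK keys may not be correctly read" and the description gains no test section next to [Impact] and [Fix], so a verifier has no stated way to tell whether the regression occurred. Suggest adding a test case to the description, for example enrolling a certificate in MOK, booting, and checking that it shows up under the .machine keyring linked to .secondary_trusted_keys.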
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
There's no specific log to share, I've downloaded the kconfig for the kvm flavour from the linux-buildinfo-6.2.0-1003-kvm_6.2.0-1003.3_amd64.deb package, extracted usr/lib/linux/6.2.0-1003-kvm/config and checked for these kconfigs, and they are not present:

$ grep DM_VERITY config
# CONFIG_DM_VERITY is not set
$ grep IMA_ARCH config
$

** Changed in: linux (Ubuntu) Status: Incomplete => Confirmed
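The check described in the message above, as an added example that is not part of the original thread: a POSIX shell helper that reports each kconfig named in the bug description as `y`, `m`, `not set` (explicitly disabled) or `absent` (symbol missing from the file, as with IMA_ARCH in the grep output above). The match is anchored so that `CONFIG_DM_VERITY` is not confused with its `_VERIFY_ROOTHASH_SIG` siblings. The function names and the sample config lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel config file for the dm-verity kconfigs
# requested in this bug. Function names are hypothetical.

# The four symbols listed in the bug description quoted in this message.
REQUIRED_KCONFIGS="CONFIG_DM_VERITY
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING
CONFIG_IMA_ARCH_POLICY"

# kconfig_state FILE SYMBOL
# Prints the symbol's value (y, m, ...), "not set" or "absent".
kconfig_state() {
    ks_cfg=$1
    ks_sym=$2
    # "^SYM=" cannot match a longer symbol that merely starts with SYM.
    if ks_line=$(grep -E "^${ks_sym}=" "$ks_cfg"); then
        printf '%s\n' "${ks_line#*=}"
    elif grep -qx "# ${ks_sym} is not set" "$ks_cfg"; then
        # Symbol is visible to Kconfig but switched off.
        echo "not set"
    else
        # Symbol not emitted at all, typically because a dependency is off.
        echo "absent"
    fi
}

# check_verity_kconfigs FILE
# Prints one "SYMBOL state" line per required symbol.
# Return status is the number of symbols that are neither y nor m.
check_verity_kconfigs() {
    cv_cfg=$1
    cv_missing=0
    [ -r "$cv_cfg" ] || { echo "cannot read $cv_cfg" >&2; return 255; }
    for cv_sym in $REQUIRED_KCONFIGS; do
        cv_state=$(kconfig_state "$cv_cfg" "$cv_sym")
        printf '%-56s %s\n' "$cv_sym" "$cv_state"
        case $cv_state in
            y|m) ;;
            *) cv_missing=$((cv_missing + 1)) ;;
        esac
    done
    return "$cv_missing"
}

# write_sample_kvm_config FILE
# Constructed sample, modelled on the grep output in the message above:
# DM_VERITY explicitly disabled, IMA_ARCH_POLICY not present at all.
write_sample_kvm_config() {
    cat > "$1" <<'EOF'
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_VERITY is not set
CONFIG_IMA=y
EOF
}

# Stand-alone use: pass the path of an extracted config file.
if [ "$#" -gt 0 ]; then
    check_verity_kconfigs "$1"
fi
```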
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Also affects: linux (Ubuntu) Importance: Undecided Status: New
[Kernel-packages] [Bug 2019040] Re: linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Summary changed: - linux-kvm: please enable dm-verity kconfigs + linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
** Also affects: linux-meta-azure (Ubuntu) Importance: Undecided Status: New