** Changed in: ubuntu-power-systems
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668
Title:
lockdown on power
To manage notifications about this
This bug was fixed in the package linux - 5.4.0-24.28
---
linux (5.4.0-24.28) focal; urgency=medium
* focal/linux: 5.4.0-24.28 -proposed tracker (LP: #1871939)
* getitimer returns it_value=0 erroneously (LP: #1349028)
- [Config] CONTEXT_TRACKING_FORCE policy should be unset
Thanks for testing. I've applied the patches to focal/master-next.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668
Title:
lockdown on power
To manage notifications about this bug go to:
New test build with the updated patch in the same ppa.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668
Title:
lockdown on power
To manage notifications about this bug go to:
The revised patch looks indeed less strict - we are considering that one
...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668
Title:
lockdown on power
To manage notifications about this bug
This is noted on the other bug, but I'll also note it here. This kernel
is *not* signed with the archive key. The public half of the key pair
used to sign this build can be found in this tarball:
http://ppa.launchpad.net/sforshee/lp1866909/ubuntu/dists/focal/main/signed
Patch one is included on the test build for bug 1866909 in
https://launchpad.net/~sforshee/+archive/ubuntu/lp1866909/+packages. I
incorporated the config changes in with those requested for that bug.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Also I'll add, you can use this ppa to test the -proposed kernels
without enabling all of -proposed.
https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/proposed/
These are kernels copied from the -proposed pocked, after we've built
signed packages in -proposed.
--
You received this
Lockdown is enabled in focal, and the default mode when booted without
any secure boot scheme is NONE.
When booted under a secure boot scheme, we had previously forced the
CONFIDENTIALITY mode for lockdown. But we have now scaled that back, and
the kernel in focal-proposed sets the mode to
Looking up the options I see that on ppc64el there is (on focal/20.04):
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=n
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=n
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
but
CONFIG_LSM="lockdown,yama,integrity,apparmor"
--
You received this bug notification because
Well, prior to 20.04 the secure-boot lockdown in Ubuntu was largely based on
Matthew Garrett patch set. With the upstream acceptance of secure boot in 5.4
we moved over to the upstream code, and 20.04 contains kernel 5.4 anyway.
In a different LP bug IBM got generally asked for checking
Hi Daniel,
I found that that commit
69393cb03ccd "powerpc/xmon: Restrict when kernel is locked down"
landed upstream with v5.5-rc1.
I created a separate LP bug / ticket to get it into focal's kernel 5.4 (hoping
that it's a simple cherry pick):
LP 1863562 - "Restrict ppc64el xmon to
The commit "a356646a56857c2e5ad875beec734d7145ecd49a" is upstream with 5.5 and
named "tracing: Do not create directories if lockdown is in affect".
Looking this up in focal master-next tells me that it was indeed picked-up, but
under commit "ce5fac3cf42b": tracing: Do not create directories if
After discussing the the kernel team this seems to be the correct behavior and
output.
This is obviously okay:
"Kernel is locked down from command line; see man kernel_lockdown.7"
but the further msgs like "Lockdown: swapper/0: use of tracefs..." seem to be
right.
Just waiting for another quick
Changing back to Triaged - after test done and info provided my Daniel.
Btw. in between kernel 5.4 landed in the focal (20.04) release pocket as well:
linux-generic | 5.4.0.9.11 | focal | ppc64el
So any lock-down tests can now be done based on the normal kernel from focal's
release
Changing back to Triaged - after test done and info provided my Daniel.
Btw. in between kernel 5.4 landed in the focal (20.04) release pocket as well:
linux-generic | 5.4.0.9.11| focal | s390x
** Changed in: ubuntu-power-systems
Status: Incomplete => Triaged
--
You
Marking as "incomplete", while awaiting IBM's test results.
** Changed in: ubuntu-power-systems
Status: Triaged => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668
Title:
** Also affects: ubuntu-power-systems
Importance: Undecided
Status: New
** Changed in: ubuntu-power-systems
Assignee: (unassigned) => Canonical Kernel Team (canonical-kernel-team)
** Changed in: ubuntu-power-systems
Importance: Undecided => Medium
** Changed in:
18 matches
Mail list logo
