Please trust Canonical Livepatch Service kmod signing key
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | Fix Released | Medium | Unassigned | |
| Focal | Fix Released | Medium | Unassigned | |
| Groovy | Fix Released | Medium | Unassigned | |
| linux-gcp (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | New | Undecided | Unassigned | |
| Focal | Fix Released | Medium | Unassigned | |
| Groovy | Fix Released | Undecided | Unassigned | |
| linux-kvm (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Medium | Unassigned | |
| Focal | Fix Released | Medium | Unassigned | |
| Groovy | Fix Released | Medium | Unassigned | |
Bug Description

[Impact]
* Currently the Canonical Livepatch service signs kernel modules with a key that the default Ubuntu kernels do not trust.
* To make the Canonical Livepatch service compatible with Secure Boot out of the box, please add the Canonical Livepatch service key as trusted in the kernel by default.
* If a user wants to distrust the key, they can remove it via mokx or dbx, and we can revoke it by signing a revocation with the 'canonical master ca'.
[Test Case]
* Boot the kernel.
* Check the built-in keyring to ensure that the Livepatch key is trusted by it.

Bad:
```
$ sudo keyctl list %:.builtin_
1 key in keyring:
204809401: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8
```

Good:
```
$ sudo keyctl list %:.builtin_
2 keys in keyring:
637801673: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6
1044383508: ---lswrv 0 0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37
```
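The test case above boils down to parsing `keyctl list` output and looking for the Livepatch signing key. The following script is an added example, not part of the bug report or of Canonical's own tooling: it parses a listing into per-key records, cross-checks the header count against the rows, and reports whether an asymmetric key described as "Canonical Ltd. Live Patch Signing" is present. The two embedded listings are constructed from the "Bad" and "Good" output shown in the test case. The page's command is cut off after `%:.builtin_`; `check_running_kernel` assumes the kernel's built-in trusted keyring is named `.builtin_trusted_keys`, and `keyctl` (from keyutils) must be installed and usually run as root for the live query.

```python
import re
import shutil
import subprocess

# Constructed samples shaped like the bug's "Bad" and "Good" keyctl listings
# (column spacing follows keyctl's default output; the key ids are the page's).
SAMPLE_BAD = """\
1 key in keyring:
 204809401: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 4182e0d0113d4a8
"""

SAMPLE_GOOD = """\
2 keys in keyring:
 637801673: ---lswrv     0     0 asymmetric: Build time autogenerated kernel key: 52f8757621e8fc6
1044383508: ---lswrv     0     0 asymmetric: Canonical Ltd. Live Patch Signing: 14df34d1a87cf37
"""

# Description prefix under which keyctl lists the Livepatch key (taken from the page).
LIVEPATCH_DESC = "Canonical Ltd. Live Patch Signing"

HEADER_RE = re.compile(r"^(\d+) keys? in keyring:$")
# <id>: <perms> <uid> <gid> <type>: <description>
KEY_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\w+):\s+(.*)$")


def parse_keyctl_list(text):
    """Parse `keyctl list` output into dicts and verify the header count matches the rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty keyctl output")
    if lines[0].strip() == "keyring is empty":  # keyctl's wording for an empty keyring
        return []
    m = HEADER_RE.match(lines[0].strip())
    if not m:
        raise ValueError(f"unexpected header: {lines[0]!r}")
    expected = int(m.group(1))
    keys = []
    for ln in lines[1:]:
        km = KEY_RE.match(ln)
        if not km:
            raise ValueError(f"unexpected key line: {ln!r}")
        keys.append({
            "id": int(km.group(1)),
            "perms": km.group(2),
            "uid": int(km.group(3)),
            "gid": int(km.group(4)),
            "type": km.group(5),
            "description": km.group(6),
        })
    if len(keys) != expected:
        raise ValueError(f"header says {expected} keys, parsed {len(keys)}")
    return keys


def livepatch_key_trusted(text):
    """True if the listing contains an asymmetric key carrying the Livepatch description."""
    return any(
        k["type"] == "asymmetric" and k["description"].startswith(LIVEPATCH_DESC)
        for k in parse_keyctl_list(text)
    )


def check_running_kernel(keyring=".builtin_trusted_keys"):
    """Query the live system's keyring (assumed name; needs keyutils, usually root).

    Returns None when keyctl is not installed, so callers can tell "not checked"
    from "not trusted".
    """
    if shutil.which("keyctl") is None:
        return None
    proc = subprocess.run(["keyctl", "list", f"%:{keyring}"],
                          capture_output=True, text=True, check=True)
    return livepatch_key_trusted(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, "->", "trusted" if livepatch_key_trusted(sample) else "NOT trusted")
    live = check_running_kernel()
    print("running kernel ->", "not checked" if live is None else ("trusted" if live else "NOT trusted"))
```

The header cross-check matters when the output is captured from a remote host or a log: a truncated listing then fails loudly instead of being reported as "key absent".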
[Regression Potential]
* The kernel keyring grows by one key, and so the kernel image grows accordingly.
[Other Info]
* Current Livepatch key fingerprints

mokutil uses the DER format:
```
$ openssl x509 -inform der -in /snap/canonical
SHA256 Fingerprint=
```

The kernel uses the PEM format:
```
$ openssl x509 -inform pem -in debian/
SHA256 Fingerprint=
```
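The two `openssl x509` invocations above compute the same thing, the SHA-256 of the certificate's DER bytes, from the two encodings in which the key is shipped. The following is an added example, not part of the bug report or of Canonical's tooling, that shows the equivalence with the standard library only: it converts between PEM and DER, computes the fingerprint in openssl's `AA:BB:...` notation, and normalises two printed fingerprints for comparison. The `SAMPLE_DER` value is a constructed 5-byte DER stand-in, not a real certificate; the fingerprint calculation depends only on the bytes, so the real Livepatch certificate (whose fingerprints the page leaves blank) would be handled the same way via `fingerprint_from_file`.

```python
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and decode its base64 body to DER bytes."""
    m = PEM_CERT_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """SHA-256 over the DER bytes, formatted like `openssl x509 -fingerprint -sha256`:
    uppercase hex pairs joined by ':'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_from_bytes(data):
    """Accept either encoding; a PEM file starts with '-----BEGIN', DER starts with 0x30."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return sha256_fingerprint(pem_to_der(data.decode("ascii")))
    return sha256_fingerprint(data)


def fingerprint_from_file(path):
    """Fingerprint a certificate file in either format (e.g. the two files on the page)."""
    with open(path, "rb") as fh:
        return fingerprint_from_bytes(fh.read())


def fingerprints_match(a, b):
    """Compare two printed fingerprints ignoring case and ':' separators."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) == norm(b)


# Constructed stand-in for a certificate: a DER SEQUENCE containing INTEGER 1.
# It is not an X.509 certificate; only its bytes matter for the fingerprint.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)


if __name__ == "__main__":
    print("DER:", fingerprint_from_bytes(SAMPLE_DER))
    print("PEM:", fingerprint_from_bytes(SAMPLE_PEM.encode("ascii")))
```

When verifying which key a kernel or MOK database trusts, compare fingerprints with `fingerprints_match` rather than string equality: tools print the same digest with different case and separators, and a mismatch there is not a different key.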
[Target kernels]
* Bionic and up, across the board, but possibly excluding FIPS kernels?!

[Patch]
https:/
Activity log

Changed in linux (Ubuntu):
* status: New → Incomplete
* description: updated
* tags: added: patch
* tags: added: fr-797

Changed in linux (Ubuntu Groovy):
* importance: Undecided → Medium
* status: New → In Progress

Changed in linux (Ubuntu Focal):
* importance: Undecided → Medium
* status: New → Triaged

Changed in linux (Ubuntu Bionic):
* importance: Undecided → Medium
* status: New → Triaged

Changed in linux (Ubuntu):
* status: Triaged → Fix Committed
* importance: Undecided → Medium

Changed in linux (Ubuntu Groovy):
* status: In Progress → Fix Committed

Changed in linux (Ubuntu Focal):
* status: Triaged → Fix Committed
* affects: linux (Ubuntu Groovy) → linux-kvm (Ubuntu Groovy)

Changed in linux-kvm (Ubuntu Groovy):
* status: Fix Committed → Confirmed
* affects: linux-kvm (Ubuntu) → linux (Ubuntu)

Changed in linux (Ubuntu Groovy):
* status: Confirmed → Fix Committed

Changed in linux (Ubuntu Bionic):
* status: Triaged → Fix Committed

Changed in linux-kvm (Ubuntu Groovy):
* status: New → Confirmed

Changed in linux-kvm (Ubuntu Bionic):
* importance: Undecided → Medium

Changed in linux-kvm (Ubuntu Focal):
* importance: Undecided → Medium

Changed in linux-kvm (Ubuntu Groovy):
* importance: Undecided → Medium

Changed in linux-kvm (Ubuntu Focal):
* status: New → Confirmed

Changed in linux-kvm (Ubuntu Bionic):
* status: New → Confirmed

Changed in linux-kvm (Ubuntu):
* status: New → Confirmed

Changed in linux-gcp (Ubuntu):
* status: New → Confirmed
* importance: Undecided → Medium

Changed in linux-gcp (Ubuntu Focal):
* importance: Undecided → Medium
* status: New → Confirmed
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-groovy' to 'verification-done-groovy'. If the problem still exists, change the tag 'verification-needed-groovy' to 'verification-failed-groovy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!