linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Medium | Tim Gardner | |
| Jammy | Fix Released | Medium | Tim Gardner | |
| Kinetic | Won't Fix | Medium | Tim Gardner | |
| Lunar | Fix Released | Medium | Tim Gardner | |
| Mantic | Won't Fix | Medium | Tim Gardner | |
| linux-kvm (Ubuntu) | Invalid | Medium | Tim Gardner | |
| Jammy | Fix Released | Medium | Tim Gardner | |
| Kinetic | Invalid | Medium | Tim Gardner | |
| Lunar | Fix Released | Medium | Tim Gardner | |
| Mantic | Invalid | Medium | Tim Gardner | |
| linux-meta-azure (Ubuntu) | Invalid | Undecided | Unassigned | |
| Jammy | Invalid | Undecided | Unassigned | |
| Kinetic | Invalid | Undecided | Unassigned | |
| Lunar | Invalid | Undecided | Unassigned | |
| Mantic | Invalid | Undecided | Unassigned | |
| linux-meta-kvm (Ubuntu) | Invalid | Undecided | Unassigned | |
| Jammy | Invalid | Undecided | Unassigned | |
| Kinetic | Invalid | Undecided | Unassigned | |
| Lunar | Invalid | Undecided | Unassigned | |
| Mantic | Invalid | Undecided | Unassigned | |
Bug Description
SRU Justification
[Impact]
The kvm flavours currently do not enable dm-verity. This stops us from using integrity-protected and verified images in VMs running this kernel flavour.
[Fix]
Please consider enabling the following kconfigs:
CONFIG_DM_VERITY
CONFIG_
CONFIG_
CONFIG_
CONFIG_
(The latter two are needed to ensure that MoK keys can be used to verify dm-verity images too, via the machine keyring linked to the secondary keyring)
These are already enabled in the 'main' kernel config, and in other distros.
As a specific and explicit use case, in the systemd project we want to test functionality provided by systemd that needs these kconfigs on Ubuntu machines running the kvm flavour kernel.
To verify whether this works, add a certificate to MOK, boot and check the content of the secondary keyring. The machine keyring should show up under it, and it should show the certificates loaded in MOK. E.g.:
$ sudo keyctl show %:.secondary_
Keyring
159454604 ---lswrv 0 0 keyring: .secondary_
88754641 ---lswrv 0 0 \_ keyring: .builtin_
889010778 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1
799434660 ---lswrv 0 0 | \_ asymmetric: Debian Secure Boot Signer 2022 - linux: 14011249c2675ea
541326986 ---lswrv 0 0 \_ keyring: .machine
188508854 ---lswrv 0 0 \_ asymmetric: Debian Secure Boot CA: 6ccece7e4c6c0d1
475039424 ---lswrv 0 0 \_ asymmetric: sb-bluca: Secure Boot Signing: 9a61c52d07d78a7
[Regression Potential]
MOK keys may not be correctly read.
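The following script is an added example, not part of the bug report or of any Ubuntu kernel package. It automates the post-boot check described above: it reports which required kconfig options are missing from a kernel config text, and it parses `keyctl show` tree output to confirm that a `.machine` keyring is linked under the `.secondary_` keyring and holds the certificate enrolled in MOK. The sample config text and keyctl output are constructed (made-up key IDs and certificate names); the full keyring names in the sample and usage comment (`.secondary_trusted_keys`, `.builtin_trusted_keys`) are the kernel's standard names. The list of required options is supplied by the caller, so only the two options named on this page appear in the demonstration.

```shell
#!/bin/sh
# Added example: automates the post-boot verification described in the bug.
# Not part of the bug report or of any Ubuntu kernel package.

# ---- constructed sample inputs (made-up IDs and names, not real captures) ----
SAMPLE_CONFIG='CONFIG_DM_VERITY=y
# CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is not set
CONFIG_DM_CRYPT=m'

SAMPLE_KEYCTL='Keyring
 159454604 ---lswrv      0     0  keyring: .secondary_trusted_keys
  88754641 ---lswrv      0     0   \_ keyring: .builtin_trusted_keys
 889010778 ---lswrv      0     0   |   \_ asymmetric: Example Secure Boot CA: 0000000000000000
 541326986 ---lswrv      0     0   \_ keyring: .machine
 475039424 ---lswrv      0     0       \_ asymmetric: example-mok: Secure Boot Signing: 1111111111111111'

# missing_kconfigs CONFIG_TEXT OPTION...
# Prints, space-separated, every OPTION that is neither =y nor =m in CONFIG_TEXT
# (the kernel config file text, e.g. the content of /boot/config-$(uname -r)).
# The root-hash signature options are bool, so only =y can satisfy them;
# =m is accepted for CONFIG_DM_VERITY itself, which may live in the initramfs.
missing_kconfigs() {
    config_text=$1
    shift
    missing=""
    for opt in "$@"; do
        if ! printf '%s\n' "$config_text" | grep -qxE "$opt=(y|m)"; then
            missing="$missing $opt"
        fi
    done
    printf '%s' "${missing# }"
}

# machine_keyring_keys KEYCTL_OUTPUT
# Walks `keyctl show` tree output and prints how many asymmetric keys sit
# directly under a .machine keyring that is itself linked below the
# .secondary_ keyring. 0 means the machine keyring is absent or empty, which
# is what a kernel without the machine keyring (or a boot without MOK certs)
# looks like.
machine_keyring_keys() {
    printf '%s\n' "$1" | awk '
        /keyring: \.secondary_/ { in_sec = 1; next }
        in_sec && /keyring: \.machine/ { in_machine = 1; next }
        in_machine && /keyring: / { in_machine = 0 }
        in_machine && /asymmetric:/ { n++ }
        END { print n + 0 }'
}

# mok_cert_in_machine_keyring KEYCTL_OUTPUT DESCRIPTION
# Succeeds (exit 0) only when an asymmetric key whose description contains
# DESCRIPTION is listed under the .machine keyring, i.e. the certificate
# enrolled in MOK can be used for dm-verity root-hash signature checks.
mok_cert_in_machine_keyring() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /keyring: \.secondary_/ { in_sec = 1; next }
        in_sec && /keyring: \.machine/ { in_machine = 1; next }
        in_machine && /keyring: / { in_machine = 0 }
        in_machine && /asymmetric:/ && index($0, want) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed samples. On a real machine replace them with
#   "$(cat /boot/config-$(uname -r))"   and
#   "$(sudo keyctl show %:.secondary_trusted_keys)"
echo "missing: $(missing_kconfigs "$SAMPLE_CONFIG" CONFIG_DM_VERITY CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING)"
echo "keys under .machine: $(machine_keyring_keys "$SAMPLE_KEYCTL")"
if mok_cert_in_machine_keyring "$SAMPLE_KEYCTL" "example-mok"; then
    echo "MOK certificate example-mok is reachable via the machine keyring"
fi
```

Run it once on the sample to see the shape of the report, then point the two functions at the live config and keyring; a non-empty "missing" line or a zero key count under `.machine` is the signal that the kernel cannot use MOK-enrolled keys for dm-verity root images.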
summary:
- linux-kvm: please enable dm-verity kconfigs
+ linux-*: please enable dm-verity kconfigs to allow MoK/db verified root images
Changed in linux-meta-azure (Ubuntu):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu):
status: New → Invalid
Changed in linux (Ubuntu):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: Confirmed → In Progress
Changed in linux (Ubuntu Jammy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Kinetic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
description: updated
Changed in linux-kvm (Ubuntu Jammy):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Kinetic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-kvm (Ubuntu Mantic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-meta-azure (Ubuntu Jammy):
status: New → Invalid
Changed in linux-meta-azure (Ubuntu Kinetic):
status: New → Invalid
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Kinetic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-done-kinetic removed: verification-needed-kinetic
description: updated
description: updated
description: updated
description: updated
tags: removed: verification-needed-focal verification-needed-jammy verification-needed-jammy-linux-aws verification-needed-jammy-linux-azure
tags: removed: verification-needed-focal-linux-aws-5.15
Changed in linux (Ubuntu Mantic):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Mantic):
status: In Progress → Invalid
tags: added: verification-done-mantic-linux removed: verification-needed-mantic-linux
tags: added: verification-done-jammy-linux-xilinx-zynqmp removed: verification-needed-jammy-linux-xilinx-zynqmp
Changed in linux-meta-azure (Ubuntu Lunar):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Jammy):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Kinetic):
status: New → Invalid
Changed in linux-meta-kvm (Ubuntu Lunar):
status: New → Invalid
Changed in linux-kvm (Ubuntu Kinetic):
status: In Progress → Invalid
Also, please enable CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING on the cloud kernels - especially I am interested in the Azure one. Same reason as above - the other options are already enabled there.