group.of.nepali.translators team mailing list archive

[Bug 1558553] Re: IMA-appraisal is unusable in Ubuntu 16.04

 

** Also affects: linux (Ubuntu Xenial)
   Importance: High
     Assignee: Canonical Kernel Team (canonical-kernel-team)
       Status: Triaged

** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: Canonical Kernel Team (canonical-kernel-team) => Tim Gardner (timg-tpi)

** Changed in: linux (Ubuntu Xenial)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1558553

Title:
  IMA-appraisal is unusable in Ubuntu 16.04

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed

Bug description:
  At some point, the IMA keyring changed from _ima to a trusted .ima
  keyring. At that point, we couldn't add keys to the IMA keyring.
  Other distros import UEFI keys onto the system keyring. Another
  method of loading keys on the system keyring is needed, which doesn't
  require the UEFI keys or rebuilding the kernel.

  To resolve this problem, the kernel should be built so that
  certificate memory is reserved and randomized. Two patches are being
  upstreamed in this open window (linux-4.6):

  8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
  c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling

  We need to include these Kconfig options to reserve the memory:

  CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
  CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096

  An additional patch, which will be upstreamed, is needed to fill the
  reserved memory with random data before it is compressed.  (The patch
  is attached.)  After compiling the kernel with the reserved memory,
  the following build step is required:

  scripts/insert-sys-cert -b vmlinux -c /dev/null

  If you want to add a cert, the following command will unpack a
  bzImage, install the cert (DER format) in the vmlinuz, and repack the
  bzImage.

  scripts/insert-sys-cert -s <System.map> -z <bzImage> -c <certfile>

  Contact Information = George Wilson <gcwilson@xxxxxxxxxx> / Mimi Zohar
  <zohar@xxxxxxxxxx>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions
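
Added example (not part of the bug report or of the kernel tree): a pre-flight check to run before the scripts/insert-sys-cert step described above. It confirms that the kernel config reserves the extra certificate area and that the certificate is DER and fits in it. The function name preflight_extra_cert, its return codes and the sample files are assumptions made for this sketch.

```shell
#!/bin/sh
# Usage: preflight_extra_cert <kernel config file> <certificate file>
# Hypothetical helper; returns 0 if the cert can go into the reserved area.
# Variables are global because POSIX sh has no "local".
preflight_extra_cert() {
    config=$1 cert=$2

    # The reserved area only exists if this option was enabled at build time.
    grep -qx 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' "$config" || {
        echo "CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set" >&2; return 1; }

    # Size of the reserved area in bytes.
    reserved=$(sed -n 's/^CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=\([0-9][0-9]*\)$/\1/p' "$config")
    [ -n "$reserved" ] || {
        echo "CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE is not set" >&2; return 2; }

    # The cert must be DER: an X.509 certificate in DER starts with a
    # SEQUENCE tag (0x30), while a PEM file starts with "-----BEGIN" (0x2d).
    first=$(od -An -tx1 -N1 "$cert" | tr -d ' \n')
    [ "$first" = "30" ] || {
        echo "$cert does not look like DER (first byte 0x$first)" >&2; return 3; }

    # The cert has to fit into the reserved memory.
    size=$(wc -c < "$cert" | tr -d ' ')
    [ "$size" -le "$reserved" ] || {
        echo "$cert is $size bytes, reserved area is $reserved" >&2; return 4; }

    echo "ok: $size of $reserved reserved bytes"
}

# Demo on constructed inputs (not a real kernel config or certificate).
demo=$(mktemp -d)
printf '%s\n' 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' \
    'CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096' > "$demo/config"
printf '0constructed-der-placeholder' > "$demo/cert.der"   # "0" is byte 0x30
printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$demo/cert.pem"
preflight_extra_cert "$demo/config" "$demo/cert.der"
preflight_extra_cert "$demo/config" "$demo/cert.pem" || echo "rejected (rc=$?)"
rm -rf "$demo"
```

The first-byte test only separates DER from PEM; it does not validate the certificate itself.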