group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1932029] Re: Support builtin revoked certificates

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1932029@xxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Oct 2021 13:16:57 -0000
Reply-to: Bug 1932029 <1932029@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package linux-azure-5.8 -
5.8.0-1043.46~20.04.1

---------------
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
    (LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
    id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are changing
  *  LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

 -- Marcelo Henrique Cerri <marcelo.cerri@xxxxxxxxxxxxx>  Thu, 07 Oct
2021 09:39:35 -0300

** Changed in: linux-azure-5.8 (Ubuntu Focal)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1932029

Title:
  Support builtin revoked certificates

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-azure-5.8 source package in Focal:
  Fix Released
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed
Status in linux-oem-5.10 source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-hwe-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid

Bug description:
  [Impact]

  Upstream linux kernel now supports configuring built-in revoked
  certificates for the .blacklist keyring.

  Add support in our kernel configuration to have built-in revoked
  certificates.

  Revoke UEFI amd64 & arm64 2012 signing certificate.

  Under UEFI Secureboot with lockdown, shim may attempt to communicate
  revoked certificates to the kernel and depending on how good EFI
  firmware is, this may or may not succeed.

  By having these built-in, it will be prohibited to kexec file_load
  older kernels that were signed with now revoked certificates, however
  one boots.

  [Test Plan]

   * Boot kernel directly, or just with grub, and without shim

   * Check that

  $ sudo keyctl list %:.blacklist

  Contains asymmetric 2012 key.

  [Where problems could occur]

   * Derivative and per-arch kernels may need to revoke different keys,
  thus this should be evaluated on per arch & flavour basis as to which
  keys to revoke.

  [Other Info]

   * In theory, this only needs to be revoked on amd64 and arm64, but
  empty revocation list is not allowed by the kernel configury, thus at
  the moment revoking 2012 UEFI cert for all architectures.

   * an ubuntu kernel team regression test is being added to assert that expected revoked certificates have been revoked
  see https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html

   * Previous reviews

  Unstable & v5.13: https://lists.ubuntu.com/archives/kernel-
  team/2021-June/121362.html

  Hirsute & v5.11: https://lists.ubuntu.com/archives/kernel-
  team/2021-August/122996.html

  Focal & v5.10 (oem): https://lists.ubuntu.com/archives/kernel-
  team/2021-August/123470.html

  Focal & v5.8 (azure): https://lists.ubuntu.com/archives/kernel-
  team/2021-September/124336.html

  Focal & v5.4: https://lists.ubuntu.com/archives/kernel-
  team/2021-October/124497.html

  Bionic & v4.15: TODO

  Xenial & v4.4: TODO

  Trusty & v3.13: TODO

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029/+subscriptions