group.of.nepali.translators team mailing list archive

Thread
Date
[Bug 1928679] Re: Support importing mokx keys into revocation list from the mok table

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1928679@xxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Oct 2021 13:16:57 -0000
Reply-to: Bug 1928679 <1928679@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
This bug was fixed in the package linux-azure-5.8 -
5.8.0-1043.46~20.04.1

---------------
linux-azure-5.8 (5.8.0-1043.46~20.04.1) focal; urgency=medium

  * focal/linux-azure-5.8: 5.8.0-1043.46~20.04.1 -proposed tracker
    (LP: #1944902)

  * Support builtin revoked certificates (LP: #1932029)
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

  [ Ubuntu: 5.8.0-66.74 ]

  * focal/linux-hwe-5.8: 5.8.0-66.74 -proposed tracker (LP: #1944903)
  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.27)
  * linux: btrfs: fix NULL pointer dereference when deleting device by invalid
    id (LP: #1945987)
    - btrfs: fix NULL pointer dereference when deleting device by invalid id
  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()
  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs
  * CVE-2021-3759
    - memcg: enable accounting of ipc resources
  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count
  * Support builtin revoked certificates (LP: #1932029)
    - Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
    - integrity: Move import of MokListRT certs to a separate routine
    - integrity: Load certs from the EFI MOK config table
    - certs: Add EFI_CERT_X509_GUID support for dbx entries
    - certs: Move load_system_certificate_list to a common function
    - certs: Add ability to preload revocation certs
    - integrity: Load mokx variables into the blacklist keyring
    - certs: add 'x509_revocation_list' to gitignore
    - SAUCE: Dump stack when X.509 certificates cannot be loaded
    - [Packaging] build canonical-revoked-certs.pem from branch/arch certs
    - [Packaging] Revoke 2012 UEFI signing certificate as built-in
    - [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679)
    - efi: Support for MOK variable config table
    - efi: mokvar-table: fix some issues in new code
    - efi: mokvar: add missing include of asm/early_ioremap.h
    - efi/mokvar: Reserve the table only if it is in boot services data
    - SAUCE: integrity: add informational messages when revoking certs
  * Support importing mokx keys into revocation list from the mok table
    (LP: #1928679) // CVE-2020-26541 when certificates are revoked via
    MokListXRT.
    - SAUCE: integrity: Load mokx certs from the EFI MOK config table
  * CVE-2020-36311
    - KVM: SVM: Periodically schedule when unregistering regions on destroy
  * CVE-2021-22543
    - KVM: do not allow mapping valid but non-reference-counted pages
  * CVE-2021-3612
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  * CVE-2021-38207
    - net: ll_temac: Fix TX BD buffer overwrite
  * CVE-2021-40490
    - ext4: fix race writing to an inline_data file while its xattrs are changing
  *  LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

 -- Marcelo Henrique Cerri <marcelo.cerri@xxxxxxxxxxxxx>  Thu, 07 Oct
2021 09:39:35 -0300

** Changed in: linux-azure-5.8 (Ubuntu Focal)
       Status: New => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19449

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-36311

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22543

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3612

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3759

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38199

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-38207

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-40490

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1928679

Title:
  Support importing mokx keys into revocation list from the mok table

Status in linux package in Ubuntu:
  Fix Released
Status in linux-azure-5.8 package in Ubuntu:
  Invalid
Status in linux-hwe-5.8 package in Ubuntu:
  Invalid
Status in linux-oem-5.10 package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  New
Status in linux-azure-5.8 source package in Xenial:
  Invalid
Status in linux-hwe-5.8 source package in Xenial:
  Invalid
Status in linux-oem-5.10 source package in Xenial:
  Invalid
Status in linux source package in Bionic:
  New
Status in linux-azure-5.8 source package in Bionic:
  Invalid
Status in linux-hwe-5.8 source package in Bionic:
  Invalid
Status in linux-oem-5.10 source package in Bionic:
  Invalid
Status in linux source package in Focal:
  Fix Committed
Status in linux-azure-5.8 source package in Focal:
  Fix Released
Status in linux-hwe-5.8 source package in Focal:
  Fix Committed
Status in linux-oem-5.10 source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux-azure-5.8 source package in Hirsute:
  Invalid
Status in linux-hwe-5.8 source package in Hirsute:
  Invalid
Status in linux-oem-5.10 source package in Hirsute:
  Invalid

Bug description:
  [Impact]

   * Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx)
  which revokes many Ubuntu kernel hashes and 2012 signing key.

   * Kernel should import those into it's %:.blacklist keyring such that
  it prohibits signed kexec of the revoked kernels.

   * v5.13-rc1 kernel has learned how to import mokx and how to import
  full certs into the %:.blacklist keyring.

   * However, it only does so by reading MokListXRT efi variable.

   * Due to the large size of Ubuntu's vendor-dbx, shim does not create
  MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2
  MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also
  exposes MokListXRT via mokvar table, which is easier to parse and
  contains all the revocations in full. Kernel needs a patch to read
  MokListXRT via mokvar table.

   * We have two options on how to proceed from here, either we include
  the same hashes and certs as our vendordbx in in the kernel as
  revocation list, or we fix kernel to read MokListXRT via mokvar table

   * The above is known as CVE-2020-26541

   * Separately it would be nice to add informational dmesg messages
  when revoking signing certificates, as a good indication that signing
  key rotation events have happened and have been applied correctly.

  [Test Plan]

   * Boot kernel with 15.4 based Ubuntu shim

   * Install keyutils package

   * Execute $ sudo keyctl list %:.blacklist it should list in exccess
  of 300+ hash entries. It also must list assymetric Canonical signing
  key from 2012.

   * Separately check dmesg to observe that asymmetric canonical signing
  key from 2012 is revoked.

    * $ sudo ls /sys/firmware/efi/mok-variables
      MokListRT  MokListXRT  SbatLevelRT

  When booted with shim, the mok-variables directory above should exist,
  and contain at least `MokListRT  MokListXRT  SbatLevelRT` files.

  In kernel messages, the CA certificate should be loaded via MOKvar
  table i.e:

     * $ sudo journalctl -b -k | grep -A1 'MOKvar table'
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63

  [Where problems could occur]

   * EFI variable storage can be full thus preventing shim to mirror
  efivars and the moktable. On decent hardware this should not happen,
  but has been observed to be corrupted on some older EDKII based OVMF
  instances with small EFI variable storage space (pre-4MB).

  [Other Info]

   * The patches to fix the above have been submitted upstream

  https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.ledkov@xxxxxxxxxxxxx/

  https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.ledkov@xxxxxxxxxxxxx/

  This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE
  kernel, until accepted upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1928679/+subscriptions