
kernel-packages team mailing list archive

[Bug 1558553] [NEW] IMA-appraisal is unusable in Ubuntu 16.04


You have been subscribed to a public bug:

At some point, the IMA keyring changed from _ima to a trusted .ima
keyring. At that point, we couldn't add keys to the IMA keyring.
Other distros import UEFI keys onto the system keyring.  Another method
of loading keys on the system keyring is needed, which doesn't require
the UEFI keys or rebuilding the kernel.

To resolve this problem, the kernel should be built so that certificate
memory is reserved and randomized. Two patches are being upstreamed in
this open window (linux-4.6):

8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling

We need to include these Kconfig options to reserve the memory:

CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096

An additional patch, which will be upstreamed, is needed to fill the
reserved memory with random data before it is compressed.  (The patch is
attached.)  After compiling the kernel with the reserved memory, the
following build step is required:

scripts/insert-sys-cert -b vmlinux -c /dev/null

If you want to add a cert, the following command will unpack a bzImage,
install the cert (DER format) in the vmlinuz, and repack the bzImage.

scripts/insert-sys-cert -s <System.map> -z <bzImage> -c <certfile>

Contact Information = George Wilson <gcwilson@xxxxxxxxxx> / Mimi Zohar
<zohar@xxxxxxxxxx>
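Added example, not part of the bug report or of the kernel's own scripts: a POSIX sh pre-flight check for the procedure above. It assumes the two Kconfig options are read from a kernel .config file, that the reserved size bounds the DER certificate insert-sys-cert can install, and that a DER certificate starts with the ASN.1 SEQUENCE tag 0x30; the .config and certificate files below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the bug report): checks whether a kernel build
# reserved the extra certificate slot, and whether a given cert file is DER
# and small enough to fit in it, before running scripts/insert-sys-cert.

# Size in bytes reserved for the extra certificate by .config $1; 0 if unset.
extra_cert_size() {
  grep -qx 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y' "$1" || { echo 0; return; }
  s=$(sed -n 's/^CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=//p' "$1")
  echo "${s:-0}"
}

# Succeeds if .config $1 reserves a non-empty slot.
extra_cert_reserved() {
  [ "$(extra_cert_size "$1")" -gt 0 ]
}

# Succeeds if $1 looks like a DER certificate (outer SEQUENCE tag 0x30)
# and its size fits in the slot reserved by .config $2.
cert_fits_slot() {
  cert="$1"; cfg="$2"
  tag=$(od -An -tx1 -N1 "$cert" | tr -d ' ')
  [ "$tag" = "30" ] || return 1
  [ "$(wc -c < "$cert" | tr -d ' ')" -le "$(extra_cert_size "$cfg")" ]
}

# Constructed sample inputs so the script runs stand-alone.
good_cfg=$(mktemp)
printf 'CONFIG_SYSTEM_EXTRA_CERTIFICATE=y\nCONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096\n' > "$good_cfg"
bad_cfg=$(mktemp)
printf '# CONFIG_SYSTEM_EXTRA_CERTIFICATE is not set\n' > "$bad_cfg"
der_like=$(mktemp)
printf '\060\202\001\001' > "$der_like"      # 0x30 0x82 ...: a DER-style header only
pem_like=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\n' > "$pem_like"   # PEM, which insert-sys-cert does not take

if extra_cert_reserved "$good_cfg" && cert_fits_slot "$der_like" "$good_cfg"; then
  echo "ok: slot of $(extra_cert_size "$good_cfg") bytes reserved, cert is DER and fits"
fi
```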

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Canonical Kernel Team (canonical-kernel-team)
         Status: Triaged


** Tags: architecture-x8664 bugnameltc-139127 severity-high targetmilestone-inin1604
IMA-appraisal is unusable in Ubuntu 16.04
https://bugs.launchpad.net/bugs/1558553