kernel-packages team mailing list archive
Message #168976
[Bug 1558553] Comment bridged from LTC Bugzilla
------- Comment From gcwilson@xxxxxxxxxx 2016-03-23 10:29 EDT-------
Making comment from Mehmet Kayaalp external:
In the 4.4.0-15.31 kernel the reserved space is not filled with
randomized bytes. The second step of the build seems to be skipped.
---quote---
make vmlinux
scripts/insert-sys-cert -b vmlinux -c /dev/null
make bzImage
The 2nd step above changes the reserved memory to randomized.
---quote---
This results in a larger vmlinux when the key is inserted:
ubuntu@ubuntu-xenial:~$ uname -a
Linux ubuntu-xenial 4.4.0-15-generic #31-Ubuntu SMP Fri Mar 18 19:08:31 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
ubuntu@ubuntu-xenial:~$ sudo grep SYSTEM_EXTRA /boot/config-4.4.0-15-generic
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
ubuntu@ubuntu-xenial:~$ sudo ./insert-sys-cert -s /boot/System.map-4.4.0-15-generic -z /boot/vmlinuz-4.4.0-15-generic -c cert.x509
...
INFO: Inserted the contents of cert.x509 into ffffffff82075ffa.
INFO: Used 1308 bytes out of 4096 bytes reserved.
INFO: Executing: gzip -n -f -9 <vmlinux-PquuG7 >vmlinux-0ZuoLz
ERROR: Increase in compressed size is not supported.
ERROR: Old size was 6952429, new size is 6956652
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1558553
Title:
IMA-appraisal is unusable in Ubuntu 16.04
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
At some point, the IMA keyring changed from _ima to a trusted .ima
keyring. At that point, we couldn't add keys to the IMA keyring.
Other distros import UEFI keys onto the system keyring. Another
method of loading keys on the system keyring is needed, which doesn't
require the UEFI keys or rebuilding the kernel.
To resolve this problem, the kernel should be built so that
certificate memory is reserved and randomized. Two patches are being
upstreamed in this open window (linux-4.6):
8e16789 KEYS: Use the symbol value for list size, updated by scripts/insert-sys-cert
c4c3610 KEYS: Reserve an extra certificate symbol for inserting without recompiling
We need to include these Kconfig options to reserve the memory:
CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
An additional patch, which will be upstreamed, is needed to fill the
reserved memory with random data before it is compressed. (The patch
is attached.) After compiling the kernel with the reserved memory,
the following build step is required:
scripts/insert-sys-cert -b vmlinux -c /dev/null
If you want to add a cert, the following command will unpack a
bzImage, install the cert (DER format) in the vmlinuz, and repack the
bzImage.
scripts/insert-sys-cert -s <System.map> -z <bzImage> -c <certfile>
Contact Information = George Wilson <gcwilson@xxxxxxxxxx> / Mimi Zohar
<zohar@xxxxxxxxxx>
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1558553/+subscriptions
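The "Increase in compressed size is not supported" failure quoted in the comment, reproduced as an added Python example (not code from the bug report, the kernel tree or insert-sys-cert): a constructed stand-in image is gzipped with its reserved area zero-filled versus random-filled, a stand-in cert is written over it the way insert-sys-cert does, and the growth in compressed size is compared; a small check for an extracted reserved area is included. Only the 4096-byte reserve and the 1308-byte cert size come from the report; the image bytes, offset and cert contents are constructed.

```python
import gzip
import random
import zlib

RESERVED_SIZE = 4096   # CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE from the report
CERT_SIZE = 1308       # bytes insert-sys-cert reported using in the report
# Constructed stand-in for the kernel text around the reserved area: repetitive,
# so it compresses well, like real code does.
CODE = b"\x48\x89\xc3\x48\x8b\x07\x0f\x1f\x00" * 3000
RESERVED_OFFSET = len(CODE)


def pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for os.urandom so every run gives the same sizes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in cert: a DER-like header followed by incompressible bytes.
CERT = b"\x30\x82\x05\x18\x30\x82\x04\x00" + pseudo_random_bytes(CERT_SIZE - 8, 2)


def make_image(randomized: bool) -> bytes:
    """Stand-in vmlinux: code, the reserved certificate area, more code."""
    reserved = pseudo_random_bytes(RESERVED_SIZE, 1) if randomized else bytes(RESERVED_SIZE)
    return CODE + reserved + CODE


def insert_cert(image: bytes, cert: bytes) -> bytes:
    """Mimic insert-sys-cert: overwrite the start of the reserved area in place."""
    if len(cert) > RESERVED_SIZE:
        raise ValueError("cert does not fit in the reserved area")
    return image[:RESERVED_OFFSET] + cert + image[RESERVED_OFFSET + len(cert):]


def gzip_size(data: bytes) -> int:
    """Size after 'gzip -9', the step that rejected the patched image."""
    return len(gzip.compress(data, compresslevel=9))


def compressed_growth(randomized: bool, cert: bytes) -> int:
    """Change in gzip size caused by inserting the cert into the image."""
    before = make_image(randomized)
    return gzip_size(insert_cert(before, cert)) - gzip_size(before)


def looks_randomized(region: bytes) -> bool:
    """Check for an extracted reserved area: random data does not compress,
    so a ratio near 1.0 means the randomizing build step was applied."""
    return len(zlib.compress(region, 9)) / len(region) > 0.9
```

With a zero-filled reserve the image grows by roughly the cert size once compressed, which is the report's error; with a random-filled reserve the compressed size barely moves, which is why the second build step matters.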