| 2021-05-17 12:55:52 |
Dimitri John Ledkov |
bug |
|
|
added bug |
| 2021-05-17 12:56:16 |
Dimitri John Ledkov |
summary |
Supporting importing dbx keys into revocation list from mok table |
Support importing mokx keys into revocation list from the mok table |
|
| 2021-05-17 12:56:40 |
Dimitri John Ledkov |
cve linked |
|
2020-26541 |
|
| 2021-05-17 12:56:46 |
Dimitri John Ledkov |
information type |
Public |
Public Security |
|
| 2021-05-17 12:56:54 |
Dimitri John Ledkov |
linux (Ubuntu): status |
New |
Confirmed |
|
| 2021-06-05 07:26:56 |
Ubuntu Kernel Bot |
tags |
|
verification-needed-focal |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Bionic |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Focal |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Focal) |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Hirsute) |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
nominated for series |
|
Ubuntu Xenial |
|
| 2021-08-04 15:42:37 |
Dimitri John Ledkov |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2021-08-13 01:18:30 |
Kelsey Steele |
linux (Ubuntu Hirsute): status |
New |
Fix Committed |
|
| 2021-08-17 14:42:04 |
Ubuntu Kernel Bot |
tags |
verification-needed-focal |
verification-needed-focal verification-needed-hirsute |
|
| 2021-08-18 23:09:18 |
Launchpad Janitor |
linux (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2021-09-01 10:26:28 |
Dimitri John Ledkov |
tags |
verification-needed-focal verification-needed-hirsute |
verification-done-hirsute verification-needed-focal |
|
| 2021-09-01 10:34:04 |
Dimitri John Ledkov |
tags |
verification-done-hirsute verification-needed-focal |
verification-done-focal verification-done-hirsute |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
linux (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2021-3653 |
|
| 2021-09-07 13:53:28 |
Launchpad Janitor |
cve linked |
|
2021-3656 |
|
| 2021-09-11 05:23:37 |
AceLan Kao |
bug task added |
|
linux-oem-5.10 (Ubuntu) |
|
| 2021-09-11 05:23:48 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-09-11 05:24:06 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-09-11 05:24:27 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Focal): status |
New |
Fix Committed |
|
| 2021-09-11 05:24:55 |
AceLan Kao |
linux-oem-5.10 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-09-11 05:25:06 |
AceLan Kao |
linux-oem-5.10 (Ubuntu): status |
New |
Invalid |
|
| 2021-09-27 14:53:57 |
Dimitri John Ledkov |
description |
[Impact]
* Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx) which revokes many Ubuntu kernel hashes and 2012 signing key.
* Kernel should import those into it's %:.blacklist keyring such that it prohibits signed kexec of the revoked kernels.
* v5.13-rc1 kernel has learned how to import mokx and how to import full certs into the %:.blacklist keyring.
* However, it only does so by reading MokListXRT efi variable.
* Due to the large size of Ubuntu's vendor-dbx, shim does not create MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2 MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also exposes MokListXRT via mokvar table, which is easier to parse and contains all the revocations in full. Kernel needs a patch to read MokListXRT via mokvar table.
* We have two options on how to proceed from here, either we include the same hashes and certs as our vendordbx in in the kernel as revocation list, or we fix kernel to read MokListXRT via mokvar table
* The above is known as CVE-2020-26541
* Separately it would be nice to add informational dmesg messages when revoking signing certificates, as a good indication that signing key rotation events have happened and have been applied correctly.
[Test Plan]
* Boot kernel with 15.4 based Ubuntu shim
* Install keyutils package
* Execute $ sudo keyctl list %:.blacklist it should list in exccess of 300+ hash entries. It also must list assymetric Canonical signing key from 2012.
* Separately check dmesg to observe that asymmetric canonical signing key from 2012 is revoked.
[Where problems could occur]
* EFI variable storage can be full thus preventing shim to mirror efivars and the moktable. On decent hardware this should not happen, but has been observed to be corrupted on some older EDKII based OVMF instances with small EFI variable storage space (pre-4MB).
[Other Info]
* The patches to fix the above have been submitted upstream
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.ledkov@canonical.com/
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.ledkov@canonical.com/
This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE kernel, until accepted upstream. |
[Impact]
* Ubuntu's 15.4 based shim ships a very large vendor-dbx (aka mokx) which revokes many Ubuntu kernel hashes and 2012 signing key.
* Kernel should import those into it's %:.blacklist keyring such that it prohibits signed kexec of the revoked kernels.
* v5.13-rc1 kernel has learned how to import mokx and how to import full certs into the %:.blacklist keyring.
* However, it only does so by reading MokListXRT efi variable.
* Due to the large size of Ubuntu's vendor-dbx, shim does not create MokListXRT efi variable, but instead creates MokListXRT1 MokListXRT2 MokListXRT3 which currently v5.13-rc1 kernel cannot read. Shim also exposes MokListXRT via mokvar table, which is easier to parse and contains all the revocations in full. Kernel needs a patch to read MokListXRT via mokvar table.
* We have two options on how to proceed from here, either we include the same hashes and certs as our vendordbx in in the kernel as revocation list, or we fix kernel to read MokListXRT via mokvar table
* The above is known as CVE-2020-26541
* Separately it would be nice to add informational dmesg messages when revoking signing certificates, as a good indication that signing key rotation events have happened and have been applied correctly.
[Test Plan]
* Boot kernel with 15.4 based Ubuntu shim
* Install keyutils package
* Execute $ sudo keyctl list %:.blacklist it should list in exccess of 300+ hash entries. It also must list assymetric Canonical signing key from 2012.
* Separately check dmesg to observe that asymmetric canonical signing key from 2012 is revoked.
* $ sudo ls /sys/firmware/efi/mok-variables
MokListRT MokListXRT SbatLevelRT
When booted with shim, the mok-variables directory above should exist, and contain at least `MokListRT MokListXRT SbatLevelRT` files.
In kernel messages, the CA certificate should be loaded via MOKvar table i.e:
* $ sudo journalctl -b -k | grep -A1 'MOKvar table'
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Sep 27 13:11:04 champion-spaniel kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
[Where problems could occur]
* EFI variable storage can be full thus preventing shim to mirror efivars and the moktable. On decent hardware this should not happen, but has been observed to be corrupted on some older EDKII based OVMF instances with small EFI variable storage space (pre-4MB).
[Other Info]
* The patches to fix the above have been submitted upstream
https://lore.kernel.org/keyrings/20210512153100.285169-1-dimitri.ledkov@canonical.com/
https://lore.kernel.org/keyrings/20210512110302.262104-1-dimitri.ledkov@canonical.com/
This will now be submitted as SAUCE patches for the Ubuntu UNSTABLE kernel, until accepted upstream. |
|
| 2021-09-27 15:01:03 |
Dimitri John Ledkov |
bug task added |
|
linux-azure-5.8 (Ubuntu) |
|
| 2021-09-27 15:01:19 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-09-27 15:01:28 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu): status |
New |
Invalid |
|
| 2021-09-27 15:01:39 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-09-27 15:01:49 |
Dimitri John Ledkov |
linux-azure-5.8 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-10-01 15:46:10 |
Dimitri John Ledkov |
merge proposal linked |
|
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374 |
|
| 2021-10-04 09:36:47 |
Stefan Bader |
bug task added |
|
linux-hwe-5.8 (Ubuntu) |
|
| 2021-10-04 09:37:01 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Xenial): status |
New |
Invalid |
|
| 2021-10-04 09:37:21 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Bionic): status |
New |
Invalid |
|
| 2021-10-04 09:37:43 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Hirsute): status |
New |
Invalid |
|
| 2021-10-04 09:38:06 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-10-04 09:38:06 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-10-04 09:38:34 |
Stefan Bader |
linux (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-10-04 09:38:34 |
Stefan Bader |
linux (Ubuntu Focal): status |
New |
In Progress |
|
| 2021-10-04 10:24:35 |
Launchpad Janitor |
linux-oem-5.10 (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-10-04 10:24:35 |
Launchpad Janitor |
cve linked |
|
2021-41073 |
|
| 2021-10-04 14:47:44 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu): status |
New |
Invalid |
|
| 2021-10-04 14:58:21 |
Stefan Bader |
linux-hwe-5.8 (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-10-13 23:46:22 |
Kelsey Steele |
linux (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
linux-azure-5.8 (Ubuntu Focal): status |
New |
Fix Released |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2019-19449 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2020-36311 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-22543 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-3612 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-3759 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-38199 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-38207 |
|
| 2021-10-18 13:16:57 |
Launchpad Janitor |
cve linked |
|
2021-40490 |
|
| 2021-11-30 16:09:43 |
Kleber Sacilotto de Souza |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
| 2021-12-01 14:37:01 |
Ubuntu Kernel Bot |
tags |
verification-done-focal verification-done-hirsute |
verification-done-focal verification-done-hirsute verification-needed-bionic |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
cve linked |
|
2018-25020 |
|
| 2022-01-04 14:22:42 |
Launchpad Janitor |
cve linked |
|
2021-4002 |
|
| 2022-01-04 14:28:24 |
Launchpad Janitor |
linux (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
