* Kernels have a set of builtin trusted and revoked certificates as a bundle
* It is not very easy to access them, one needs to either download linux kernel package source code; or boot the kernel look up builtin hashes; and then find certificates externally
* It would be more convenient for inspection to expose these in the buildinfo package, which already exposes auxiliary kernel information
[ Test Plan ]
* sudo apt install linux-buildinfo-$(uname -r)
* check that /usr/lib/linux/$(uname -r)/canonical-certs.pem exists and contains livepatch cert
* check that /usr/lib/linux/$(uname -r)/canonical-uefi-2012-all.pem exists and contains 2012 cert
[ Where problems could occur ]
* buildinfo is an auxiliary package not installed by default, but used by developer tooling and packaging.
[ Impact ]
* Kernels have a set of builtin trusted and revoked certificates as a bundle
* It is not very easy to access them, one needs to either download linux kernel package source code; or boot the kernel look up builtin hashes; and then find certificates externally
* It would be more convenient for inspection to expose these in the buildinfo package, which already exposes auxiliary kernel information
[ Test Plan ]
* sudo apt install linux-buildinfo -$(uname -r) linux/$ (uname -r)/canonical- certs.pem exists and contains livepatch cert linux/$ (uname -r)/canonical- uefi-2012- all.pem exists and contains 2012 cert
* check that /usr/lib/
* check that /usr/lib/
[ Where problems could occur ]
* buildinfo is an auxiliary package not installed by default, but used by developer tooling and packaging.