Add final-checks to check certificates

Bug #1947174 reported by Dimitri John Ledkov
Affects            Status        Importance  Assigned to  Milestone
linux (Ubuntu)     Fix Released  Undecided   Unassigned
  Bionic           Fix Released  Undecided   Unassigned
  Focal            Fix Released  Undecided   Unassigned
  Hirsute          Fix Released  Undecided   Unassigned
  Impish           Fix Released  Undecided   Unassigned

Bug Description

[Impact]

 * As part of landing the builtin revocation certificates work https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029 it has been identified that many kernels do not correctly enforce newly enforced keys in the derivative flavours, i.e. due to annotations not importing parent annotations, due to not having do_enforce_all, or due to using older formats of annotations files.

 * As part of FIPS validation work, final-checks got added to check and assert that the correct things are turned on.

 * It has been agreed that having a final-check for builtin system trusted & revocation certificates would be a good thing. If packaging declares that certain certificates should be built-in trusted or revoked, the kernel must be configured pointing at the packaging-generated .pem bundle in the config.

[Test Plan]

 * Kernel should build
 * If trusted or revocation certificates are configured in packaging but the config option is misconfigured (i.e. a typo or not set), the kernel build and cranky close should fail

[Where problems could occur]

 * This is a packaging change only, thus it may result in valid kernels FTBFS, but that should be easy to rectify.

[Other Info]

 * Also see

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1932029

and kernels derived from a primary kernel that had that fixed, which subsequently failed boot testing due to not enabling those options.

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1947174

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Impish):
status: Incomplete → In Progress
Changed in linux (Ubuntu Hirsute):
status: New → In Progress
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Hirsute):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Impish):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.11.0-39.43 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-hirsute
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.4.0-90.101 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.13.0-21.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-impish' to 'verification-done-impish'. If the problem still exists, change the tag 'verification-needed-impish' to 'verification-failed-impish'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-impish
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/4.15.0-162.170 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Tim Gardner (timg-tpi) wrote :

verification-done-hirsute:

dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.11.0-40.44/linux_5.11.0-40.44.dsc
dpkg-source -x linux_5.11.0-40.44.dsc
grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.11.0/debian/scripts/misc/final-checks
    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"

tags: added: verification-done-hirsute
removed: verification-needed-hirsute
Revision history for this message
Tim Gardner (timg-tpi) wrote :

verification-done-impish:

dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.13.0-21.21/linux_5.13.0-21.21.dsc
dpkg-source -x linux_5.13.0-21.21.dsc
grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.13.0/debian/scripts/misc/final-checks
    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"

tags: added: verification-done-impish
removed: verification-needed-impish
Revision history for this message
Tim Gardner (timg-tpi) wrote :

verification-done-focal:

dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/5.4.0-90.101/linux_5.4.0-90.101.dsc
dpkg-source -x linux_5.4.0-90.101.dsc
grep CONFIG_SYSTEM_TRUSTED_KEYS linux-5.4.0/debian/scripts/misc/final-checks
    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Tim Gardner (timg-tpi) wrote :

verification-done-bionic:

dget https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/ppa/+sourcefiles/linux/4.15.0-162.170/linux_4.15.0-162.170.dsc
dpkg-source -x linux_4.15.0-162.170.dsc
grep CONFIG_SYSTEM_TRUSTED_KEYS linux-4.15.0/debian/scripts/misc/final-checks
    if ! grep -q '^CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"$' $debian/config/config.common.ubuntu; then
        failure "'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' is required"

tags: added: verification-done-bionic
removed: verification-needed-bionic
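The check described in the bug description ([Impact] and [Test Plan]) and quoted by the four verification comments above is a packaging-time grep of the kernel config. Below is an added, stand-alone shell re-implementation of that idea, written for this page; it is not the Ubuntu kernel packaging's debian/scripts/misc/final-checks. Only the canonical-certs.pem bundle name appears on this page; the revocation bundle name canonical-revoked-certs.pem, the function names check_cert_config and demo_check, the argument layout and the constructed fixtures are assumptions for this illustration. It goes slightly beyond the quoted grep: it enforces the revocation option as well as the trusted one, only enforces an option when the packaging actually ships the corresponding bundle, and rejects a bundle that contains no certificate.

```shell
#!/bin/sh
# Added example for this page: a stand-alone re-implementation of a
# "system trusted and revocation keys" final check. It is NOT the Ubuntu
# kernel packaging's debian/scripts/misc/final-checks. The bundle file name
# canonical-revoked-certs.pem, the function names and the demo fixtures are
# assumptions made for this illustration.
#
# Rule enforced: when the packaging directory carries a generated certificate
# bundle, the kernel config must name exactly that bundle in the matching
# option. A missing option, an empty value ("") or a typo in the path means
# the certificates are silently never built in, so the check must fail.

# check_cert_config DEBIAN_DIR CONFIG_FILE
# Returns 0 when every bundle present in DEBIAN_DIR is referenced by its
# CONFIG_* option, 1 otherwise; each problem is reported on stderr.
check_cert_config() {
    debian="$1"
    config="$2"
    rc=0

    # "<config option>:<bundle the packaging generates for it>"
    for pair in \
        "CONFIG_SYSTEM_TRUSTED_KEYS:canonical-certs.pem" \
        "CONFIG_SYSTEM_REVOCATION_KEYS:canonical-revoked-certs.pem"
    do
        option="${pair%%:*}"
        bundle="${pair#*:}"

        # Packaging ships no such bundle: nothing to enforce for this option.
        [ -e "$debian/$bundle" ] || continue

        # An empty bundle would let the config check pass while building in
        # nothing, so require at least one PEM certificate.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$debian/$bundle"; then
            echo "$bundle exists but contains no certificate" >&2
            rc=1
            continue
        fi

        # Anchored match on the whole line: exact option, exact quoted path.
        # A bare 'grep CONFIG_SYSTEM_TRUSTED_KEYS' would also accept "".
        if ! grep -q "^${option}=\"debian/${bundle}\"\$" "$config"; then
            echo "'${option}=\"debian/${bundle}\"' is required" >&2
            rc=1
        fi
    done
    return $rc
}

# demo_check TRUSTED_KEYS_LINE [no-trusted-bundle]
# Constructed fixture (not real packaging): builds a throw-away debian/ dir
# with fake PEM bundles and a config, runs the check and returns its status.
# TRUSTED_KEYS_LINE is the CONFIG_SYSTEM_TRUSTED_KEYS line to write into the
# config (empty string = option absent). With "no-trusted-bundle" the
# trusted bundle is not created, so only the revocation option is enforced.
demo_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/debian"
    if [ "$2" != "no-trusted-bundle" ]; then
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
            '-----END CERTIFICATE-----' > "$tmp/debian/canonical-certs.pem"
    fi
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' \
        '-----END CERTIFICATE-----' > "$tmp/debian/canonical-revoked-certs.pem"
    {
        echo 'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"'
        if [ -n "$1" ]; then echo "$1"; fi
    } > "$tmp/config.common.ubuntu"
    check_cert_config "$tmp/debian" "$tmp/config.common.ubuntu"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demonstration: a correct config passes, three misconfigurations
# (option absent, empty value, typo in the path) fail with a reason on stderr.
for line in \
    'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"' \
    '' \
    'CONFIG_SYSTEM_TRUSTED_KEYS=""' \
    'CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-cert.pem"'
do
    if demo_check "$line"; then
        echo "PASS: ${line:-<option absent>}"
    else
        echo "FAIL: ${line:-<option absent>}"
    fi
done
```

Run it with sh; the loop at the bottom exercises the four cases the [Test Plan] cares about. The anchored regex is the important part: matching only on the option name would accept CONFIG_SYSTEM_TRUSTED_KEYS="", which is exactly the quiet misconfiguration in derivative flavours that this bug is about, and it is why the real check compares the full quoted path rather than just the presence of the option.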
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-162.170

---------------
linux (4.15.0-162.170) bionic; urgency=medium

  * bionic/linux: 4.15.0-162.170 -proposed tracker (LP: #1947293)

  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check

  * CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

  * CVE-2021-28950
    - fuse: fix live lock in fuse_iget()

  * CVE-2020-36322
    - fuse: fix bad inode

  * Bionic update: upstream stable patchset 2021-10-13 (LP: #1947011)
    - rcu: Fix missed wakeup of exp_wq waiters
    - apparmor: remove duplicate macro list_entry_is_head()
    - crypto: talitos - fix max key size for sha384 and sha512
    - sctp: validate chunk size in __rcv_asconf_lookup
    - sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
    - dmaengine: acpi: Avoid comparison GSI with Linux vIRQ
    - thermal/drivers/exynos: Fix an error code in exynos_tmu_probe()
    - 9p/trans_virtio: Remove sysfs file on probe failure
    - prctl: allow to setup brk for et_dyn executables
    - profiling: fix shift-out-of-bounds bugs
    - pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was
      registered
    - Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH
    - parisc: Move pci_dev_is_behind_card_dino to where it is used
    - dmaengine: ioat: depends on !UML
    - dmaengine: xilinx_dma: Set DMA mask for coherent APIs
    - ceph: lockdep annotations for try_nonblocking_invalidate
    - nilfs2: fix memory leak in nilfs_sysfs_create_device_group
    - nilfs2: fix NULL pointer in nilfs_##name##_attr_release
    - nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group
    - nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group
    - nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group
    - nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group
    - pwm: rockchip: Don't modify HW state in .remove() callback
    - blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
    - drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV
    - nilfs2: use refcount_dec_and_lock() to fix potential UAF
    - drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION()

  * Invalid backport to v4.15: missing pgtable_l5_enabled (LP: #1946464)
    - SAUCE: Revert "x86/mm: Don't free P4D table when it is folded at runtime"

  * CVE-2021-38199
    - NFSv4: Initialise connection to the server in nfs4_alloc_client()

  * CVE-2019-19449
    - f2fs: fix wrong total_sections check and fsmeta check
    - f2fs: fix to do sanity check on segment/section count

  * vrf: fix refcnt leak with vxlan slaves (LP: #1945180)
    - ipv4: Fix device used for dst_alloc with local routes

  * Check for changes relevant for security certifications (LP: #1945989)
    - [Packaging] Add a new fips-checks script
    - [Packaging] Add fips-checks as part of finalchecks

  * CVE-2021-3759
    - memcg: enable accounting of ipc resources

  * Bionic update: upstream stable patchset 2021-09-27 (LP: #1945224)
...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-90.101

---------------
linux (5.4.0-90.101) focal; urgency=medium

  * focal/linux: 5.4.0-90.101 -proposed tracker (LP: #1947260)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.10.18)

  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check

  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s
    Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
      15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s
      Gen2

  * CVE-2020-36385
    - RDMA/cma: Add missing locking to rdma_accept()
    - RDMA/ucma: Fix the locking of ctx->file
    - RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy

  * Focal update: v5.4.148 upstream stable release (LP: #1946802)
    - rtc: tps65910: Correct driver module alias
    - btrfs: wake up async_delalloc_pages waiters after submit
    - btrfs: reset replace target device to allocation state on close
    - blk-zoned: allow zone management send operations without CAP_SYS_ADMIN
    - blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
    - PCI/MSI: Skip masking MSI-X on Xen PV
    - powerpc/perf/hv-gpci: Fix counter value parsing
    - xen: fix setting of max_pfn in shared_info
    - include/linux/list.h: add a macro to test if entry is pointing to the head
    - 9p/xen: Fix end of loop tests for list_for_each_entry
    - tools/thermal/tmon: Add cross compiling support
    - pinctrl: stmfx: Fix hazardous u8[] to unsigned long cast
    - pinctrl: ingenic: Fix incorrect pull up/down info
    - soc: qcom: aoss: Fix the out of bound usage of cooling_devs
    - soc: aspeed: lpc-ctrl: Fix boundary check for mmap
    - soc: aspeed: p2a-ctrl: Fix boundary check for mmap
    - arm64: head: avoid over-mapping in map_memory
    - crypto: public_key: fix overflow during implicit conversion
    - block: bfq: fix bfq_set_next_ioprio_data()
    - power: supply: max17042: handle fails of reading status register
    - dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
    - VMCI: fix NULL pointer dereference when unmapping queue pair
    - media: uvc: don't do DMA on stack
    - media: rc-loopback: return number of emitters rather than error
    - Revert "dmaengine: imx-sdma: refine to load context only once"
    - dmaengine: imx-sdma: remove duplicated sdma_load_context
    - libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs
    - ARM: 9105/1: atags_to_fdt: don't warn about stack size
    - PCI/portdrv: Enable Bandwidth Notification only if port supports it
    - PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
    - PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
    - PCI: xilinx-nwl: Enable the clock through CCF
    - PCI: aardvark: Fix checking for PIO status
    - PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response
    - PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
    - HID...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.11.0-40.44

---------------
linux (5.11.0-40.44) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-40.44 -proposed tracker (LP: #1947876)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.10.18)

linux (5.11.0-39.43) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-39.43 -proposed tracker (LP: #1947227)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.10.18)

  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check

  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s
    Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
      15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s
      Gen2

  * Fix cold plugged USB device on certain PCIe USB cards (LP: #1945211)
    - Revert "UBUNTU: SAUCE: Revert "usb: core: reduce power-on-good delay time of
      root hub""
    - usb: core: hcd: Add support for deferring roothub registration
    - xhci: Set HCD flag to defer primary roothub registration
    - usb: core: hcd: Modularize HCD stop configuration in usb_stop_hcd()

  * Hirsute update: upstream stable patchset 2021-10-12 (LP: #1946788)
    - locking/mutex: Fix HANDOFF condition
    - regmap: fix the offset of register error log
    - regulator: tps65910: Silence deferred probe error
    - crypto: mxs-dcp - Check for DMA mapping errors
    - sched/deadline: Fix reset_on_fork reporting of DL tasks
    - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb
      errors
    - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop()
    - sched/deadline: Fix missing clock update in migrate_task_rq_dl()
    - rcu/tree: Handle VM stoppage in stall detection
    - EDAC/mce_amd: Do not load edac_mce_amd module on guests
    - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns()
    - hrtimer: Ensure timerfd notification for HIGHRES=n
    - udf: Check LVID earlier
    - udf: Fix iocharset=utf8 mount option
    - isofs: joliet: Fix iocharset=utf8 mount option
    - bcache: add proper error unwinding in bcache_device_init
    - blk-throtl: optimize IOPS throttle for large IO scenarios
    - nvme-tcp: don't update queue count when failing to set io queues
    - nvme-rdma: don't update queue count when failing to set io queues
    - nvmet: pass back cntlid on successful completion
    - power: supply: smb347-charger: Add missing pin control activation
    - power: supply: max17042_battery: fix typo in MAx17042_TOFF
    - s390/cio: add dev_busid sysfs entry for each subchannel
    - s390/zcrypt: fix wrong offset index for APKA master key valid state
    - libata: fix ata_host_start()
    - crypto: omap - Fix inconsistent locking of device lists
    - crypto: qat - do not ignore errors from enable_vf2pf_comms()
    - crypto: qat - handle both source of interrupt in VF ISR
    - crypto: qat - fix reuse of completion variable
    -...

Changed in linux (Ubuntu Hirsute):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-21.21

---------------
linux (5.13.0-21.21) impish; urgency=medium

  * impish/linux: 5.13.0-21.21 -proposed tracker (LP: #1947347)

  * It hangs while booting up with AMD W6800 [1002:73A3] (LP: #1945553)
    - drm/amdgpu: Rename flag which prevents HW access
    - drm/amd/pm: Fix a bug communicating with the SMU (v5)
    - drm/amd/pm: Fix a bug in semaphore double-lock

  * Add final-checks to check certificates (LP: #1947174)
    - [Packaging] Add system trusted and revocation keys final check

  * No sound on Lenovo laptop models Legion 15IMHG05, Yoga 7 14ITL5, and 13s
    Gen2 (LP: #1939052)
    - ALSA: hda/realtek: Quirks to enable speaker output for Lenovo Legion 7i
      15IMHG05, Yoga 7i 14ITL5/15ITL5, and 13s Gen2 laptops.
    - ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo 13s
      Gen2

  * Check for changes relevant for security certifications (LP: #1945989)
    - [Packaging] Add a new fips-checks script
    - [Packaging] Add fips-checks as part of finalchecks

  * BCM57800 SRIOV bug causes interfaces to disappear (LP: #1945707)
    - bnx2x: Fix enabling network interfaces without VFs

  * CVE-2021-3759
    - memcg: enable accounting of ipc resources

  * [impish] Remove the downstream xr-usb-uart driver (LP: #1945938)
    - SAUCE: xr-usb-serial: remove driver
    - [Config] update modules list

  * Fix A yellow screen pops up in an instant (< 1 second) and then disappears
    before loading the system (LP: #1945932)
    - drm/i915: Stop force enabling pipe bottom color gammma/csc

  * Impish update: v5.13.18 upstream stable release (LP: #1946249)
    - Linux 5.13.18

  * Impish update: v5.13.17 upstream stable release (LP: #1946247)
    - locking/mutex: Fix HANDOFF condition
    - regmap: fix the offset of register error log
    - regulator: tps65910: Silence deferred probe error
    - crypto: mxs-dcp - Check for DMA mapping errors
    - sched/deadline: Fix reset_on_fork reporting of DL tasks
    - power: supply: axp288_fuel_gauge: Report register-address on readb / writeb
      errors
    - crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop()
    - sched/deadline: Fix missing clock update in migrate_task_rq_dl()
    - rcu/tree: Handle VM stoppage in stall detection
    - EDAC/mce_amd: Do not load edac_mce_amd module on guests
    - hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns()
    - hrtimer: Ensure timerfd notification for HIGHRES=n
    - udf: Check LVID earlier
    - udf: Fix iocharset=utf8 mount option
    - isofs: joliet: Fix iocharset=utf8 mount option
    - bcache: add proper error unwinding in bcache_device_init
    - nbd: add the check to prevent overflow in __nbd_ioctl()
    - blk-throtl: optimize IOPS throttle for large IO scenarios
    - nvme-tcp: don't update queue count when failing to set io queues
    - nvme-rdma: don't update queue count when failing to set io queues
    - nvmet: pass back cntlid on successful completion
    - power: supply: smb347-charger: Add missing pin control activation
    - power: supply: max17042_battery: fix typo in MAx17042_TOFF
    - s390/cio: add dev_busid sysfs entry f...

Changed in linux (Ubuntu Impish):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: Fix Committed → Fix Released