NACK: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates

Dimitri John Ledkov dimitri.ledkov at canonical.com
Thu Aug 12 09:04:14 UTC 2021


On Mon, Aug 9, 2021 at 1:19 PM Tim Gardner <tim.gardner at canonical.com> wrote:
>
> On 8/5/21 8:59 AM, Dimitri John Ledkov wrote:
> > In Impish, support was added to load revoked certificates from mokx
> > (submitted upstream, revied, not accepted yet) into blacklist keyring.
> >

Note mentioning that SAUCE patches have not been accepted upstream anywhere.

> > Also in Impish, from upstream, there is now support to have built-in
> > revoked keys. And we have 2012 UEFI key revoked by default (as also
> > revoked globally via uefi dbx update).
> >
> > Backport both of the above things to Hirsute, such that our kernels
> > honor mokx revocations, and also have the 2012 key revoked always
> > (when booted with or without working shim).
> >
> > This patch series was test built and tested using the revocations list
> > test case that is proposed for RT ubuntu_boot test. See
> > https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html
> >
> > BugLink: https://bugs.launchpad.net/bugs/1928679
> > BugLink: https://bugs.launchpad.net/bugs/1932029
> >
> > Dimitri John Ledkov (5):
> >    UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
> >      table
> >    UBUNTU: SAUCE: integrity: add informational messages when revoking
> >      certs
> >    UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
> >      certs
> >    UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> >    UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
> >      keys
> >
> >   certs/blacklist.c                             |  3 +
> >   debian.master/config/annotations              |  1 +
> >   debian.master/config/config.common.ubuntu     |  2 +-
> >   .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
> >   debian/rules                                  | 14 ++-
> >   .../platform_certs/keyring_handler.c          |  1 +
> >   security/integrity/platform_certs/load_uefi.c | 74 ++++++++--------
> >   7 files changed, 145 insertions(+), 36 deletions(-)
> >   create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> >
>
> None of the git SHA1 commit IDs appear to be valid in upstream linux or
> even linux-next.
>
> rtg

That is why they still have the SAUCE title, and point at commits from
impish series. They have been submitted upstream, but they are not
getting reviewed / applied for a long time now. I suspect it is mostly
because Debian already carries an equivalent patch (for mok config
table) and all other distros are unaffected (they don't use CA inside
shim) / don't care (to allow users to self revoke many signing
certificates).

I thought I made this clear in the opening paragraph of the cover
letter. (albeit there is a typo "revied" => "reviewed"). The git-sha
reference will become meaningless once the unstable kernel is rebased
onto v5.14, but it will be valid whilst impish kernels are still in
use.

I was not sure how to best indicate that these patches have already
been through review to get into impish kernel.

-- 
Regards,

Dimitri.
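The cover letter above describes assembling a canonical-revoked-certs.pem bundle from per-branch/arch certificate files and feeding it to the kernel through CONFIG_SYSTEM_REVOCATION_KEYS, so that the listed certificates land on the blacklist keyring at boot. The script below is an added illustration written for this page, not the packaging code from the patch series: it parses PEM bundles, de-duplicates certificates by the SHA-256 of their DER encoding, emits a clean combined bundle, and answers the question a maintainer wants to check afterwards, namely whether a given certificate is covered by the bundle. The two "certificates" are constructed byte strings labelled as such, not real X.509 data; the real bundle would hold the 2012 UEFI signing certificate named in the series.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Matches one PEM certificate block; the body is base64 that may span many lines.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every certificate block found in a PEM bundle."""
    ders = []
    for match in PEM_CERT_RE.finditer(text):
        body = "".join(match.group(1).split())
        # validate=True rejects stray characters that a lenient decoder would skip.
        ders.append(base64.b64decode(body, validate=True))
    return ders


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual identity for a certificate."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Re-wrap DER bytes as a canonical 64-column PEM certificate block."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"])


def build_revocation_bundle(sources: Dict[str, str]) -> str:
    """Merge several per-branch/arch PEM files into one bundle.

    `sources` maps a source name (for example a path such as
    debian/revoked-certs/<name>.pem) to that file's text. Duplicates are
    dropped by DER fingerprint so a certificate revoked for several
    branches appears once; sorting the names makes the output reproducible.
    """
    seen: Dict[str, bytes] = {}
    for name in sorted(sources):
        for der in parse_pem_bundle(sources[name]):
            seen.setdefault(der_fingerprint(der), der)
    return "\n".join(to_pem(der) for der in seen.values()) + "\n"


def is_revoked(bundle_text: str, der: bytes) -> bool:
    """True when the certificate's DER fingerprint is present in the bundle."""
    wanted = der_fingerprint(der)
    return any(der_fingerprint(d) == wanted for d in parse_pem_bundle(bundle_text))


# Constructed sample input: these are NOT real certificates, just byte strings
# wrapped in PEM framing so the merge and lookup logic can run offline.
CERT_A_DER = b"constructed-not-a-real-certificate-A"
CERT_B_DER = b"constructed-not-a-real-certificate-B"
CERT_C_DER = b"constructed-not-a-real-certificate-C"

SAMPLE_SOURCES = {
    # Hypothetical file names; the real series uses per-branch/arch files.
    "revoked-certs/branch-x-amd64.pem": to_pem(CERT_A_DER) + "\n" + to_pem(CERT_B_DER),
    "revoked-certs/branch-x-arm64.pem": to_pem(CERT_B_DER),
}


def demo() -> int:
    bundle = build_revocation_bundle(SAMPLE_SOURCES)
    count = len(parse_pem_bundle(bundle))
    print(f"bundle holds {count} unique certificate(s)")
    print("A revoked:", is_revoked(bundle, CERT_A_DER))
    print("C revoked:", is_revoked(bundle, CERT_C_DER))
    return count


if __name__ == "__main__":
    demo()
```

The generated bundle is what a build would point CONFIG_SYSTEM_REVOCATION_KEYS at; `is_revoked` is the check to run against the bundle before shipping, so a certificate the series intends to revoke cannot silently be missing because one per-arch file was not picked up.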
