[{bionic, focal, groovy}:linux 3/4] UBUNTU: [Config] add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS
Tim Gardner
tim.gardner at canonical.com
Thu Feb 18 19:12:46 UTC 2021
The way that kernels are signed in the deep, dark recesses of the
private kernel PPA has always been a bit of black magic to me. Given my
ignorance, exposing keys like this in source code seems like a bad idea.
Can you explain how they are being used? Will they ever expire or change?
rtg
On 2/18/21 9:17 AM, Andy Whitcroft wrote:
> From: Dimitri John Ledkov <xnox at ubuntu.com>
>
> Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that
> livepatch modules signed by Canonical are trusted out of the box, on
> locked-down secureboot systems.
>
> BugLink: https://bugs.launchpad.net/bugs/1898716
> Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
> [apw at canonical.com: move certification to cert framework.]
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
> debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++
> 1 file changed, 121 insertions(+)
> create mode 100644 debian/certs/canonical-livepatch-all.pem
>
> diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem
> new file mode 100644
> index 000000000000..3f360f74344d
> --- /dev/null
> +++ b/debian/certs/canonical-livepatch-all.pem
> @@ -0,0 +1,121 @@
> +Certificate:
> + Data:
> + Version: 3 (0x2)
> + Serial Number:
> + c7:7e:51:6a:1c:25:cd:40
> + Signature Algorithm: sha512WithRSAEncryption
> + Issuer: CN = Canonical Ltd. Live Patch Signing
> + Validity
> + Not Before: Jul 18 23:41:27 2016 GMT
> + Not After : Jul 16 23:41:27 2026 GMT
> + Subject: CN = Canonical Ltd. Live Patch Signing
> + Subject Public Key Info:
> + Public Key Algorithm: rsaEncryption
> + RSA Public-Key: (4096 bit)
> + Modulus:
> + 00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd:
> + 46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3:
> + 2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0:
> + 93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70:
> + 13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e:
> + 48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f:
> + 38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33:
> + 02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa:
> + 30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f:
> + 5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91:
> + e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3:
> + f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a:
> + 13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d:
> + 2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68:
> + 7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79:
> + da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e:
> + bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2:
> + 6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc:
> + 38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64:
> + bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4:
> + 51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75:
> + 8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b:
> + 21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef:
> + f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a:
> + 52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af:
> + cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76:
> + c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1:
> + 4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64:
> + 25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd:
> + 44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5:
> + 03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64:
> + f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6:
> + 00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db:
> + f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54:
> + 5f:e5:a3
> + Exponent: 65537 (0x10001)
> + X509v3 extensions:
> + X509v3 Basic Constraints: critical
> + CA:FALSE
> + X509v3 Key Usage:
> + Digital Signature
> + X509v3 Subject Key Identifier:
> + 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
> + X509v3 Authority Key Identifier:
> + keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
> +
> + Signature Algorithm: sha512WithRSAEncryption
> + 30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7:
> + 14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9:
> + 54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0:
> + af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1:
> + 4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf:
> + 86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e:
> + b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c:
> + 22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48:
> + a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48:
> + 25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec:
> + 30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10:
> + 9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39:
> + 90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06:
> + 93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29:
> + 1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89:
> + 41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17:
> + 29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97:
> + f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e:
> + 37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72:
> + 1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0:
> + 8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54:
> + ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37:
> + 15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8:
> + 43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4:
> + e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57:
> + 6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22:
> + d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31:
> + 95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e:
> + 76:ed:66:38:e2:70:08:00
> +-----BEGIN CERTIFICATE-----
> +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV
> +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy
> +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu
> +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
> +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw
> +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i
> +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8
> +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
> +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd
> +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk
> +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev
> +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
> +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx
> +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq
> +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG
> +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
> +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG
> +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip
> +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1
> +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
> +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs
> +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv
> +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3
> +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
> +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC
> +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+
> +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi
> +0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
> +-----END CERTIFICATE-----
>
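Review bot: the commit message should state the lifetime and trust scope of the certificate this hunk adds, since that is what a reviewer of a SYSTEM_TRUSTED_KEYS change has to weigh. Per the text dump in the hunk it is self-signed (Issuer and Subject are both CN = Canonical Ltd. Live Patch Signing, and the Authority Key Identifier keyid equals the Subject Key Identifier), Basic Constraints is critical CA:FALSE, Key Usage is Digital Signature only, and it is valid until Jul 16 23:41:27 2026 GMT. Note also that the file carries only the public certificate, not private key material, and say in the commit message (or a comment at the top of the .pem) what is planned for that Not After date, i.e. whether a successor certificate will be added before then and how already-signed livepatch modules are affected.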
--
-----------
Tim Gardner
Canonical, Inc
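As an added example (not part of the patch or of this reply), a stdlib-only Python checker that extracts from a PEM certificate the facts raised above: whether it is self-signed, when it expires, whether it may act as a CA, and which key usages it asserts. The function and file names are assumed; run it against a file such as debian/certs/canonical-livepatch-all.pem and compare with the openssl text dump in the hunk.

```python
"""Inspect a PEM X.509 certificate (stdlib only) before it enters SYSTEM_TRUSTED_KEYS."""
import base64, datetime, re, sys

KEY_USAGE = ["digitalSignature", "contentCommitment", "keyEncipherment", "dataEncipherment",
             "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
BC_OID, KU_OID = b"\x55\x1d\x13", b"\x55\x1d\x0f"  # 2.5.29.19 basicConstraints, 2.5.29.15 keyUsage

def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed DER value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_cert(pem):
    """Return the properties a reviewer checks before trusting a module-signing certificate."""
    b64 = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(b64.split()))
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate
    off = 1 if fields[0][0] == 0xA0 else 0                  # explicit [0] version is optional
    issuer, validity, subject = fields[2 + off][1], fields[3 + off][1], fields[4 + off][1]
    not_before, not_after = [datetime.datetime.strptime(v.decode(), "%Y%m%d%H%M%SZ" if t == 0x18 else "%y%m%d%H%M%SZ")
                             for t, v in _children(validity)]  # GeneralizedTime (0x18) vs UTCTime (0x17)
    ext = {}                                 # raw OID bytes -> extnValue contents
    for tag, val in fields:
        if tag == 0xA3:                      # [3] Extensions ::= SEQUENCE OF Extension
            for _, e in _children(_children(val)[0][1]):
                parts = _children(e)         # OID, optional critical BOOLEAN, OCTET STRING
                ext[parts[0][1]] = parts[-1][1]
    bc = _children(_children(ext[BC_OID])[0][1]) if BC_OID in ext else []   # empty SEQUENCE => cA FALSE
    bits = _children(ext[KU_OID])[0][1][1:] if KU_OID in ext else b""       # skip unused-bit count byte
    return {"self_signed": issuer == subject, "not_before": not_before, "not_after": not_after,
            "is_ca": any(t == 0x01 and v == b"\xff" for t, v in bc),
            "key_usage": [n for i, n in enumerate(KEY_USAGE)
                          if i < 8 * len(bits) and bits[i // 8] >> (7 - i % 8) & 1]}

if __name__ == "__main__":  # usage: python3 <this file> debian/certs/canonical-livepatch-all.pem
    for key, value in inspect_cert(open(sys.argv[1]).read()).items():
        print(f"{key}: {value}")
```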