[{bionic, focal, groovy}:linux 3/4] UBUNTU: [Config] add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS
Tim Gardner
tim.gardner at canonical.com
Fri Feb 19 14:54:05 UTC 2021
On 2/19/21 7:38 AM, Seth Forshee wrote:
> On Thu, Feb 18, 2021 at 12:12:46PM -0700, Tim Gardner wrote:
>> The way that kernels are signed in the deep, dark recesses of the private
>> kernel PPA has always been a bit of black magic to me. Given my ignorance,
>> exposing keys like this in source code seems like a bad idea. Can you
>> explain how they are being used? Will they ever expire or change?
>
> Effectively both are module signing keys. The keys are not "exposed."
> The public key will be baked into the kernel while the private key
> remains secret. The ephemeral build-time module signing key also has the
> public key statically built into the kernel keyring; only the private
> key is discarded.
>
> When these need to be rotated it's just a matter of putting the new keys
> in the next upload, at least on the kernel side.
>
> There probably is a small security cost to using these keys. At minimum
> a compromise of one of the keys affects more kernels. But this is also
> the case for the secure boot signing keys, so imo the impact is pretty
> marginal.
>
> Seth
>
I think I understand. I had not considered that the signing process is
now using a static key pair instead of the kernel build time ephemeral
key. We could dispense with the ephemeral key altogether and achieve the
same result. For instance, it might be useful for signing DKMS modules
as well. Wouldn't that reduce some of the current build and packaging
complexity for out of tree modules supported by Ubuntu?
rtg
>>
>> rtg
>>
>> On 2/18/21 9:17 AM, Andy Whitcroft wrote:
>>> From: Dimitri John Ledkov <xnox at ubuntu.com>
>>>
>>> Add Canonical Livepatch Service key to SYSTEM_TRUSTED_KEYS, such that
>>> livepatch modules signed by Canonical are trusted out of the box, on
>>> locked-down secureboot systems.
>>>
>>> BugLink: https://bugs.launchpad.net/bugs/1898716
>>> Signed-off-by: Dimitri John Ledkov <xnox at ubuntu.com>
>>> [apw at canonical.com: move certification to cert framework.]
>>> Signed-off-by: Andy Whitcroft <apw at canonical.com>
>>> ---
>>> debian/certs/canonical-livepatch-all.pem | 121 +++++++++++++++++++++++
>>> 1 file changed, 121 insertions(+)
>>> create mode 100644 debian/certs/canonical-livepatch-all.pem
>>>
>>> diff --git a/debian/certs/canonical-livepatch-all.pem b/debian/certs/canonical-livepatch-all.pem
>>> new file mode 100644
>>> index 000000000000..3f360f74344d
>>> --- /dev/null
>>> +++ b/debian/certs/canonical-livepatch-all.pem
>>> @@ -0,0 +1,121 @@
>>> +Certificate:
>>> + Data:
>>> + Version: 3 (0x2)
>>> + Serial Number:
>>> + c7:7e:51:6a:1c:25:cd:40
>>> + Signature Algorithm: sha512WithRSAEncryption
>>> + Issuer: CN = Canonical Ltd. Live Patch Signing
>>> + Validity
>>> + Not Before: Jul 18 23:41:27 2016 GMT
>>> + Not After : Jul 16 23:41:27 2026 GMT
>>> + Subject: CN = Canonical Ltd. Live Patch Signing
>>> + Subject Public Key Info:
>>> + Public Key Algorithm: rsaEncryption
>>> + RSA Public-Key: (4096 bit)
>>> + Modulus:
>>> + 00:bd:74:ee:72:b3:4a:ab:e6:31:e8:29:24:c2:bd:
>>> + 46:98:32:c0:39:ee:a3:fb:8a:ad:fe:ab:1a:5b:a3:
>>> + 2e:a1:80:db:79:61:9e:47:79:2c:75:57:a2:21:f0:
>>> + 93:f6:87:f2:9b:4b:9d:2f:b3:58:61:28:3c:41:70:
>>> + 13:16:a1:72:90:c9:d5:16:71:7c:e0:30:f9:28:5e:
>>> + 48:20:36:00:69:b7:59:9f:a3:ec:a8:eb:55:41:9f:
>>> + 38:1e:22:4a:57:20:f4:83:59:49:c5:00:93:d3:33:
>>> + 02:92:d1:fc:f0:84:3b:4a:5b:8f:b6:73:9a:89:fa:
>>> + 30:1e:e6:2a:68:f2:91:ef:59:57:3d:dc:1c:52:6f:
>>> + 5e:e6:9b:b5:b8:7c:98:c9:13:d1:39:68:01:67:91:
>>> + e0:d3:67:72:16:0a:5e:16:83:45:31:4f:b5:2b:b3:
>>> + f6:40:86:89:3a:84:6e:6f:16:61:bc:70:84:be:5a:
>>> + 13:36:7b:82:ea:07:19:fc:18:c1:16:c6:32:0b:7d:
>>> + 2c:6b:c4:21:b9:38:6b:31:dc:d9:0c:ad:56:40:68:
>>> + 7c:e3:c6:64:8e:bf:1c:e0:72:3e:6c:db:d2:73:79:
>>> + da:d7:c5:2f:5d:04:7d:b0:07:1e:95:dd:2a:47:5e:
>>> + bf:3e:3a:c8:66:f6:67:0f:d4:2a:f1:e2:71:59:d2:
>>> + 6c:7b:a0:37:ac:e6:97:80:30:13:97:48:d5:74:fc:
>>> + 38:68:e4:57:cb:99:69:5a:84:27:ac:98:51:e4:64:
>>> + bd:91:62:e8:58:27:06:2a:b9:0b:b8:08:e5:e5:b4:
>>> + 51:a7:a2:10:df:4e:07:6c:a0:3b:96:f2:6e:df:75:
>>> + 8c:97:1e:64:a0:9a:86:9b:98:26:f9:d8:b7:de:5b:
>>> + 21:b7:af:89:01:a3:f7:98:6b:da:19:ba:86:ef:ef:
>>> + f1:ce:bb:2f:89:ed:c0:b6:1b:e5:5b:f8:90:11:9a:
>>> + 52:93:e9:be:f7:35:b9:08:cb:ba:c3:ed:2f:73:af:
>>> + cc:96:07:55:b5:de:f6:03:f6:f1:89:f9:21:40:76:
>>> + c1:69:f2:61:cc:9a:94:df:9c:ec:6a:65:38:be:d1:
>>> + 4e:2a:87:c7:2f:3e:53:ae:8b:9f:54:a1:09:59:64:
>>> + 25:aa:a9:d8:44:a9:a8:a0:71:e1:32:aa:4c:32:fd:
>>> + 44:28:cc:9c:6f:8e:db:81:7e:6f:fa:00:56:c5:e5:
>>> + 03:46:63:fb:8e:71:8d:e3:13:91:9f:ac:60:3e:64:
>>> + f3:df:25:34:09:fa:2d:96:9f:16:05:ea:93:f5:e6:
>>> + 00:08:27:32:7b:3c:bd:ee:70:24:6c:3b:55:e9:db:
>>> + f4:10:2d:20:06:b4:ca:e9:29:65:55:ad:f6:52:54:
>>> + 5f:e5:a3
>>> + Exponent: 65537 (0x10001)
>>> + X509v3 extensions:
>>> + X509v3 Basic Constraints: critical
>>> + CA:FALSE
>>> + X509v3 Key Usage:
>>> + Digital Signature
>>> + X509v3 Subject Key Identifier:
>>> + 14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
>>> + X509v3 Authority Key Identifier:
>>> + keyid:14:DF:34:D1:A8:7C:F3:76:25:AB:EC:03:9E:F2:BF:52:12:49:B9:69
>>> +
>>> + Signature Algorithm: sha512WithRSAEncryption
>>> + 30:e7:48:02:37:e9:28:cf:04:a2:4d:5c:fa:d8:4e:c9:76:c7:
>>> + 14:3f:bd:2c:51:3d:33:f0:1a:bc:49:f1:47:95:8f:69:d8:a9:
>>> + 54:14:44:6c:4d:9f:55:82:08:1e:c6:5b:d5:91:d9:bc:2e:b0:
>>> + af:d6:25:65:74:96:aa:36:de:ae:31:a8:11:f2:a4:2c:5a:e1:
>>> + 4f:73:f8:4a:c3:35:b0:76:96:71:f2:b5:7d:4b:75:ee:5d:bf:
>>> + 86:a5:ba:0b:a9:52:cb:ec:ab:e5:23:4b:f2:74:55:28:17:1e:
>>> + b3:ac:27:ad:45:13:6e:69:b3:5a:be:42:36:29:48:db:e7:5c:
>>> + 22:58:a0:90:82:2c:2a:21:2b:db:f4:64:b7:91:5d:1f:2c:48:
>>> + a4:1a:85:e3:86:a5:aa:19:cd:19:e8:a5:fb:a3:7b:94:77:48:
>>> + 25:a4:cf:a0:cf:71:82:5c:6f:71:22:7c:d6:97:a0:53:bb:ec:
>>> + 30:f6:cb:16:fb:7b:fd:16:94:7a:53:6e:bd:04:64:a2:01:10:
>>> + 9f:f0:5b:b5:a6:73:41:9d:5f:6f:45:73:0d:05:f7:30:6d:39:
>>> + 90:b6:7d:55:7d:4c:2f:ae:5f:38:56:2f:8b:df:f4:bf:12:06:
>>> + 93:6e:0d:02:23:bf:71:91:57:88:e8:bd:62:72:99:00:40:29:
>>> + 1e:c9:13:11:da:7e:8e:e1:d2:a5:0d:bf:f7:d6:ec:01:0d:89:
>>> + 41:cd:d5:dc:d2:f7:5f:33:0d:4c:2f:85:b7:85:b7:81:e4:17:
>>> + 29:f0:74:cf:0e:15:8c:1a:50:0b:08:63:1a:91:4f:e7:76:97:
>>> + f1:d4:3b:7e:72:d4:c5:45:58:0c:6a:e9:0d:f2:85:d8:91:1e:
>>> + 37:bd:78:e3:39:4d:2e:fd:85:31:c1:a6:3b:6a:cc:2c:53:72:
>>> + 1d:8e:7b:f0:e6:76:86:09:6f:1a:f3:e4:a1:e2:dd:76:5f:b0:
>>> + 8c:e2:2a:54:5d:c1:88:49:90:10:15:42:7d:05:24:53:8c:54:
>>> + ff:48:18:1a:36:e3:31:d3:54:32:78:0d:fe:f2:3d:aa:0d:37:
>>> + 15:84:b4:36:47:31:e8:85:6e:0b:58:38:ff:21:91:09:c9:a8:
>>> + 43:a3:ea:60:cb:7e:ed:f7:41:6f:4e:91:c1:fd:77:46:e7:d4:
>>> + e7:86:c0:1b:fd:50:6c:aa:be:00:b3:63:02:ff:4e:c7:a5:57:
>>> + 6e:29:64:e9:54:d5:30:63:38:5f:2d:5a:db:49:5f:14:14:22:
>>> + d2:81:1f:61:9e:ee:ee:16:66:d6:bc:bd:ac:1b:5c:fb:38:31:
>>> + 95:33:2e:84:6e:7a:de:ee:b9:fc:97:17:06:13:bf:70:1c:6e:
>>> + 76:ed:66:38:e2:70:08:00
>>> +-----BEGIN CERTIFICATE-----
>>> +MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV
>>> +BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy
>>> +MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu
>>> +IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
>>> +ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw
>>> +k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i
>>> +Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8
>>> +mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
>>> +wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd
>>> +Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk
>>> +vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev
>>> +iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
>>> +9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx
>>> +4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq
>>> +k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG
>>> +A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
>>> +8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG
>>> +9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip
>>> +VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1
>>> +fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
>>> +KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs
>>> +MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv
>>> +i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3
>>> +XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
>>> +N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC
>>> +fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+
>>> +7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi
>>> +0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
>>> +-----END CERTIFICATE-----
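Review bot: the commit message says nothing about this key's lifetime or rotation even though the text dump shows Not After Jul 16 23:41:27 2026 GMT, and the subject says SYSTEM_TRUSTED_KEYS while this hunk only creates debian/certs/canonical-livepatch-all.pem; since the apw bracket note says the cert was moved "to cert framework", the message should state that debian/certs/ is what the framework feeds into SYSTEM_TRUSTED_KEYS and how a rotated key is expected to land (per Seth's reply, "putting the new keys in the next upload"). The certificate shape is right for a directly trusted signing key and worth saying so in the message: self-signed (Subject equals Issuer, Subject Key Identifier equals the Authority Key Identifier), Basic Constraints critical CA:FALSE, Key Usage Digital Signature only, so it cannot delegate trust to further certificates. The file carries the `openssl x509 -text` dump ahead of the PEM block; that is useful for review but the two halves can drift on a future rotation, so note in the file or the message that the PEM is authoritative and that the dump is regenerated with `openssl x509 -in debian/certs/canonical-livepatch-all.pem -noout -text` whenever it changes.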
>>>
>>
>> --
>> -----------
>> Tim Gardner
>> Canonical, Inc
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
--
-----------
Tim Gardner
Canonical, Inc
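Added example, not from this thread and not Canonical's packaging or cert-framework code: a pure-stdlib Python DER walker that reads the certificate from the quoted patch and pulls out the properties a reviewer would check before a key is baked into SYSTEM_TRUSTED_KEYS (subject, validity window, basicConstraints, keyUsage, SKI/AKI). It assumes a v3 certificate with an extensions block, decodes only those fields and does not verify the signature; the ISO timestamp handed to review_findings is the reviewer's chosen "now", and the finding strings are my own wording, not anything the kernel or Canonical's tooling emits.

```python
import base64
import datetime

# Certificate from debian/certs/canonical-livepatch-all.pem in the quoted patch.
LIVEPATCH_PEM = """-----BEGIN CERTIFICATE-----
MIIFODCCAyCgAwIBAgIJAMd+UWocJc1AMA0GCSqGSIb3DQEBDQUAMCwxKjAoBgNV
BAMMIUNhbm9uaWNhbCBMdGQuIExpdmUgUGF0Y2ggU2lnbmluZzAeFw0xNjA3MTgy
MzQxMjdaFw0yNjA3MTYyMzQxMjdaMCwxKjAoBgNVBAMMIUNhbm9uaWNhbCBMdGQu
IExpdmUgUGF0Y2ggU2lnbmluZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
ggIBAL107nKzSqvmMegpJMK9RpgywDnuo/uKrf6rGlujLqGA23lhnkd5LHVXoiHw
k/aH8ptLnS+zWGEoPEFwExahcpDJ1RZxfOAw+SheSCA2AGm3WZ+j7KjrVUGfOB4i
Slcg9INZScUAk9MzApLR/PCEO0pbj7Zzmon6MB7mKmjyke9ZVz3cHFJvXuabtbh8
mMkT0TloAWeR4NNnchYKXhaDRTFPtSuz9kCGiTqEbm8WYbxwhL5aEzZ7guoHGfwY
wRbGMgt9LGvEIbk4azHc2QytVkBofOPGZI6/HOByPmzb0nN52tfFL10EfbAHHpXd
Kkdevz46yGb2Zw/UKvHicVnSbHugN6zml4AwE5dI1XT8OGjkV8uZaVqEJ6yYUeRk
vZFi6FgnBiq5C7gI5eW0UaeiEN9OB2ygO5bybt91jJceZKCahpuYJvnYt95bIbev
iQGj95hr2hm6hu/v8c67L4ntwLYb5Vv4kBGaUpPpvvc1uQjLusPtL3OvzJYHVbXe
9gP28Yn5IUB2wWnyYcyalN+c7GplOL7RTiqHxy8+U66Ln1ShCVlkJaqp2ESpqKBx
4TKqTDL9RCjMnG+O24F+b/oAVsXlA0Zj+45xjeMTkZ+sYD5k898lNAn6LZafFgXq
k/XmAAgnMns8ve5wJGw7Venb9BAtIAa0yukpZVWt9lJUX+WjAgMBAAGjXTBbMAwG
A1UdEwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBQU3zTRqHzzdiWr7AOe
8r9SEkm5aTAfBgNVHSMEGDAWgBQU3zTRqHzzdiWr7AOe8r9SEkm5aTANBgkqhkiG
9w0BAQ0FAAOCAgEAMOdIAjfpKM8Eok1c+thOyXbHFD+9LFE9M/AavEnxR5WPadip
VBREbE2fVYIIHsZb1ZHZvC6wr9YlZXSWqjberjGoEfKkLFrhT3P4SsM1sHaWcfK1
fUt17l2/hqW6C6lSy+yr5SNL8nRVKBces6wnrUUTbmmzWr5CNilI2+dcIligkIIs
KiEr2/Rkt5FdHyxIpBqF44alqhnNGeil+6N7lHdIJaTPoM9xglxvcSJ81pegU7vs
MPbLFvt7/RaUelNuvQRkogEQn/BbtaZzQZ1fb0VzDQX3MG05kLZ9VX1ML65fOFYv
i9/0vxIGk24NAiO/cZFXiOi9YnKZAEApHskTEdp+juHSpQ2/99bsAQ2JQc3V3NL3
XzMNTC+Ft4W3geQXKfB0zw4VjBpQCwhjGpFP53aX8dQ7fnLUxUVYDGrpDfKF2JEe
N7144zlNLv2FMcGmO2rMLFNyHY578OZ2hglvGvPkoeLddl+wjOIqVF3BiEmQEBVC
fQUkU4xU/0gYGjbjMdNUMngN/vI9qg03FYS0Nkcx6IVuC1g4/yGRCcmoQ6PqYMt+
7fdBb06Rwf13RufU54bAG/1QbKq+ALNjAv9Ox6VXbilk6VTVMGM4Xy1a20lfFBQi
0oEfYZ7u7hZm1ry9rBtc+zgxlTMuhG563u65/JcXBhO/cBxudu1mOOJwCAA=
-----END CERTIFICATE-----"""

# DER contents of the OIDs we look for: commonName, basicConstraints,
# keyUsage, subjectKeyIdentifier, authorityKeyIdentifier.
OID_CN, OID_BC, OID_KU, OID_SKI, OID_AKI = (
    bytes.fromhex(h) for h in ("550403", "551d13", "551d0f", "551d0e", "551d23"))


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(contents):
    """Split a constructed value's contents into (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_tlv(contents, pos)
        out.append((tag, val))
    return out


def name_cn(name):
    """First commonName in an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})."""
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def parse_cert(pem):
    """Pull the fields that matter for a trusted-keyring cert out of a v3 X.509 PEM."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = der_tlv(der)  # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = der_tlv(cert)
    f = der_children(tbs)      # [0]version, serial, sigAlg, issuer, validity, subject, spki, [3]exts
    assert f[0][0] == 0xA0 and f[7][0] == 0xA3, "expects a v3 certificate with extensions"
    when = lambda t, v: datetime.datetime.strptime(
        v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")  # UTCTime / GeneralizedTime
    nb, na = der_children(f[4][1])
    info = {"serial": int.from_bytes(f[1][1], "big"), "subject_cn": name_cn(f[5][1]),
            "self_issued": f[3][1] == f[5][1], "not_before": when(*nb), "not_after": when(*na),
            "ca": False, "digital_signature": False, "ski": None, "aki": None}
    for _, ext in der_children(der_children(f[7][1])[0][1]):
        parts = der_children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
        oid, value = parts[0][1], parts[-1][1]
        if oid == OID_BC:          # SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL }
            info["ca"] = any(t == 0x01 and v == b"\xff" for t, v in der_children(der_tlv(value)[1]))
        elif oid == OID_KU:        # BIT STRING: unused-bits byte, then bit 0 (MSB) = digitalSignature
            bits = der_tlv(value)[1]
            info["digital_signature"] = len(bits) > 1 and bool(bits[1] & 0x80)
        elif oid == OID_SKI:       # OCTET STRING holding the key identifier
            info["ski"] = der_tlv(value)[1].hex()
        elif oid == OID_AKI:       # SEQUENCE { [0] keyIdentifier, ... }
            info["aki"] = next((v.hex() for t, v in der_children(der_tlv(value)[1]) if t == 0x80), None)
    return info


def review_findings(info, now_iso):
    """What a reviewer should flag before baking this cert into SYSTEM_TRUSTED_KEYS."""
    now = datetime.datetime.fromisoformat(now_iso)  # reviewer-chosen reference time (assumption)
    findings = []
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("outside validity window at " + now_iso)
    if info["ca"]:
        findings.append("CA:TRUE: the key could delegate signing to further certificates")
    if not info["digital_signature"]:
        findings.append("keyUsage lacks digitalSignature")
    if not (info["self_issued"] and info["ski"] == info["aki"]):
        findings.append("not self-signed: the issuing certificate would also need to be trusted")
    return findings
```

Cross-check the parsed fields against `openssl x509 -in debian/certs/canonical-livepatch-all.pem -noout -text` before trusting them; the validity window is the piece to track for rotation planning, whatever the verifying code does with it, because once the key is baked into an image the only fix is the next kernel upload.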