Don't trust Secure Boot key any longer

2026-01-16 23:12:23 +00:00 · 2023-10-04 22:24:56 +02:00 · 2023-10-04 22:24:56 +02:00 · 6601ee5666
commit 6601ee5666
parent e56ae6c64d
6 changed files with 4 additions and 93 deletions
--- a/debian/bin/gencontrol.py
+++ b/debian/bin/gencontrol.py
@ -521,9 +521,6 @@ class Gencontrol(Base):
        # Add "salt" to fix #872263
        makeflags['KCONFIG_OPTIONS'] += \
            ' -o "BUILD_SALT=\\"%(abiname)s%(localversion)s\\""' % vars
-        if config_entry_build.get('trusted-certs'):
-            makeflags['KCONFIG_OPTIONS'] += \
-                f' -o "SYSTEM_TRUSTED_KEYS=\\"${{CURDIR}}/{config_entry_build["trusted-certs"]}\\""'

        merged_config = ('debian/build/config.%s_%s_%s' %
                         (arch, featureset, flavour))
--- a/debian/bin/gencontrol_signed.py
+++ b/debian/bin/gencontrol_signed.py
@ -1,11 +1,9 @@
 #!/usr/bin/python3

-import hashlib
 import json
 import os.path
 import pathlib
 import re
-import ssl
 import subprocess
 import sys
 import tempfile
@ -167,9 +165,7 @@ class Gencontrol(Base):
            kconfig = f.readlines()
        assert 'CONFIG_EFI_STUB=y\n' in kconfig
        assert 'CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y\n' in kconfig
-        cert_file_name = config_build['trusted-certs']
-        self.image_packages.append((image_suffix, image_package_name,
-                                    cert_file_name))
+        self.image_packages.append((image_suffix, image_package_name))

        self.packages['source']['Build-Depends'].append(
            image_package_name
@ -283,49 +279,14 @@ linux-signed@source_suffix@-@arch@ (@signedsourceversion@) @distribution@; urgen
                    f.write(d)

    def write_files_json(self):
-        # Can't raise from a lambda function :-(
-        def raise_func(e):
-            raise e
-
-        # Some functions in openssl work with multiple concatenated
-        # PEM-format certificates, but others do not.
-        def get_certs(file_name):
-            certs = []
-            BEGIN, MIDDLE = 0, 1
-            state = BEGIN
-            with open(file_name) as f:
-                for line in f:
-                    if line == '-----BEGIN CERTIFICATE-----\n':
-                        assert state == BEGIN
-                        certs.append([])
-                        state = MIDDLE
-                    elif line == '-----END CERTIFICATE-----\n':
-                        assert state == MIDDLE
-                        state = BEGIN
-                    else:
-                        assert line[0] != '-'
-                        assert state == MIDDLE
-                    certs[-1].append(line)
-            assert state == BEGIN
-            return [''.join(cert_lines) for cert_lines in certs]
-
-        def get_cert_fingerprint(cert, algo):
-            hasher = hashlib.new(algo)
-            hasher.update(ssl.PEM_cert_to_DER_cert(cert))
-            return hasher.hexdigest()
-
        all_files = {'packages': {}}

-        for image_suffix, image_package_name, cert_file_name in \
-                self.image_packages:
+        for image_suffix, image_package_name in self.image_packages:
            package_files = []
            package_files.append({'sig_type': 'efi',
                                  'file': 'boot/vmlinuz-%s' % image_suffix})
-            package_certs = [get_cert_fingerprint(cert, 'sha256')
-                             for cert in get_certs(cert_file_name)]
-            assert len(package_certs) >= 1
            all_files['packages'][image_package_name] = {
-                'trusted_certs': package_certs,
+                'trusted_certs': [],
                'files': package_files
            }

--- a/debian/certs/debian-uefi-certs.pem
+++ b/debian/certs/debian-uefi-certs.pem
@ -1,42 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIDnjCCAoagAwIBAgIRAO1UodWvh0iUjZ+JMu6cfDQwDQYJKoZIhvcNAQELBQAw
-IDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MDkx
-OFoXDTQ2MDgwOTE4MDkxOFowIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnZXUi5vaEKwuyoI3
-waTLSsMbQpPCeinTbt1kr4Cv6maiG2GcgwzFa7k1Jf/F++gpQ97OSz3GEk2x7yZD
-lWjNBBH+wiSb3hTYhlHoOEO9sZoV5Qhr+FRQi7NLX/wU5DVQfAux4gOEqDZI5IDo
-6p/6v8UYe17OHL4sgHhJNRXAIc/vZtWKlggrZi9IF7Hn7IKPB+bK4F9xJDlQCo7R
-cihQpZ0h9ONhugkDZsjfTiY2CxUPYx8rr6vEKKJWZIWNplVBrjyIld3Qbdkp29jE
-aLX89FeJaxTb4O/uQA1iH+pY1KPYugOmly7FaxOkkXemta0jp+sKSRRGfHbpnjK0
-ia9XeQIDAQABo4HSMIHPMEEGCCsGAQUFBwEBBDUwMzAxBggrBgEFBQcwAoYlaHR0
-cHM6Ly9kc2EuZGViaWFuLm9yZy9zZWN1cmUtYm9vdC1jYTAfBgNVHSMEGDAWgBRs
-zs5+TGwNH2FJ890n38xcu0GeoTAUBglghkgBhvhCAQEBAf8EBAMCAPcwEwYDVR0l
-BAwwCgYIKwYBBQUHAwMwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8w
-HQYDVR0OBBYEFGzOzn5MbA0fYUnz3SffzFy7QZ6hMA0GCSqGSIb3DQEBCwUAA4IB
-AQB3lj5Hyc4Jz4uJzlntJg4mC7mtqSu9oeuIeQL/Md7+9WoH72ETEXAev5xOZmzh
-YhKXAVdlR91Kxvf03qjxE2LMg1esPKaRFa9VJnJpLhTN3U2z0WAkLTJPGWwRXvKj
-8qFfYg8wrq3xSGZkfTZEDQY0PS6vjp3DrcKR2Dfg7npfgjtnjgCKxKTfNRbCcitM
-UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
-7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
-305gdrAGewiwbuNknyFWrTkP
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDQzCCAiugAwIBAgIUMqAof4QaA2+jk8HgZcQ65rJCJkMwDQYJKoZIhvcNAQEL
-BQAwIDEeMBwGA1UEAxMVRGViaWFuIFNlY3VyZSBCb290IENBMB4XDTIyMDgxODE3
-MzIzN1oXDTMyMDgxNTE3MzIzN1owMTEvMC0GA1UEAwwmRGViaWFuIFNlY3VyZSBC
-b290IFNpZ25lciAyMDIyIC0gbGludXgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCv6LgqfsYKPyGcgP12nHWFbtEJDUdixV8n+gOWMgLANs9+NjexyJ4o
-V3iG3qTDqm1VGIdQfnf0cEmh3bS1tuoPDZcGU9HaDKq8oPjYyJd9G/aO6sGHKCc3
-aIAvLnPkfH7EfiaxshFwthOeH3yt/K54ICnT6aCWQjDsJz2TCr3s+1izRuv6/VJ8
-/aNPI+RySpeUVtdKT1CQjb4N8HphWS7ZkDbWwVW0dHsZHPXhq0Gd729ctKo0/003
-Is7cw3TSSUHKCatRjVIImTwUiGNqlQe386dIBMjFzTddh19spvU0ootdCkiGShId
-Hz6YoDscyb+SQsmIaiXo1nwd2SABFlRLAgMBAAGjZDBiMAsGA1UdDwQEAwIHgDAT
-BgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQUFAESScJnXqjlFIVCICAFgQWE
-sl8wHwYDVR0jBBgwFoAUbM7OfkxsDR9hSfPdJ9/MXLtBnqEwDQYJKoZIhvcNAQEL
-BQADggEBAJg1omf+js6HaUsZvSBIwEu9qHyEjMcjo0yvc22dKi5Kzxclo+Vmr99/
-rpXjsXMlskPeWIQS7iUOvS/oupmqQq9+0rHMXu/lTP2ITh9IjHwEx2zWEPIOlmYJ
-wCYpta7YeX5YExb32f9wJYIJZidHy9p5I0jOIgAInv8J4NZUG14LPxI6I4hfYI1p
-mruMdxPS0hllzPbs6rZ2LwWVtNjuPhfmMt4eMKOl4ThXWhoiwvkTOJpDkaCPgnzT
-h507wBcDBquUKtDwGnQcQdPWfxMyA8b2v05PXMQS2cH/xJ5th8M+IU4DUfigYGYN
-ce00ryZ2rpZIqHs1H1Xc5xJpusY1Q+w=
-----END CERTIFICATE-----
--- a/debian/changelog
+++ b/debian/changelog
@ -10,6 +10,7 @@ linux (6.5.3-2) UNRELEASED; urgency=medium
  * Sign modules using an ephemeral key: (closes: #1040901)
    - Set MODULE_SIG_ALL to sign all modules.
    - Not longer request Secure Boot signing for modules.
+    - Don't trust Secure Boot key any longer.

  [ Emanuele Rocca ]
  * [arm64] Add qrtr to kernel-image udeb, needed by Lenovo Thinkpad X13s.
--- a/debian/config/defines
+++ b/debian/config/defines
@ -152,7 +152,6 @@ featuresets:
 [build]
 # Disable code signing by default; this can be overridden per-architecture
 signed-code: false
-trusted-certs: debian/certs/debian-uefi-certs.pem

 [featureset-rt_base]
 enabled: true
--- a/debian/salsa-ci.yml
+++ b/debian/salsa-ci.yml
@ -82,11 +82,6 @@ extract-source:
    - sed -i -e '1 s/) [^;]*/+salsaci) UNRELEASED/' debian/changelog
    - version=${version}+salsaci

-    # Change trusted signing certificate to the one we will use
-    - |
-      sed -i -e 's|^trusted-certs:.*|trusted-certs: debian/certs/ci-test-sign/ci-test-sign.pem|' \
-        debian/config/defines
-
    # Run gencontrol.py
    # - create temporary log
    - log="$(mktemp)"