Univention Bugzilla – Bug 45961
Switch to Debian Kernel
Last modified: 2018-03-14 14:38:54 CET
UCS should switch to the Debian Kernel.
I've downloaded the kernel packages manually and copied the files to our apt repository:
http://security.debian.org/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-4-686-pae_4.9.65-3+deb9u1_i386.deb
http://security.debian.org/debian-security/pool/updates/main/l/linux/linux-image-4.9.0-4-amd64_4.9.65-3+deb9u1_amd64.deb
And the source packages:
http://security.debian.org/debian-security/pool/updates/main/l/linux/linux_4.9.65-3+deb9u1.dsc
http://security.debian.org/debian-security/pool/updates/main/l/linux/linux_4.9.65.orig.tar.xz
http://security.debian.org/debian-security/pool/updates/main/l/linux/linux_4.9.65-3+deb9u1.debian.tar.xz
And the debian installer udeb modules:
http://security.debian.org/debian-security/pool/updates/main/l/linux/
Please adjust the debmirror so that these files are copied automatically.
I've switched the dependency of univention-kernel-image to the latest unsigned Debian kernel:
https://git.knut.univention.de/univention/ucs/commit/7d6817a3df770be2f3d508d9d18d08db8a02fb36
https://git.knut.univention.de/univention/ucs/commit/4208b93e07fa6129ff7958db4496009d283fc67d
The UEFI / signed part is still missing and needs to be implemented. It looks like the MODULE signature is disabled by default in Debian. Anyway, maybe we should only build the signed kernel manually.
I've changed the UCS 4.3 Jenkins DVD build job so that the kernel version parameter is given:
--kernelversion=4.9.0-4-amd64
This should be done in a better way.
disabled tests/00_checks/70_check_kernel_module_signing_settings, revert if bug is fixed
zgrep -e CONFIG_MODULE_SIG /boot/config-4.9.0-5-amd64
# CONFIG_MODULE_SIG is not set
So currently in Debian signing is disabled. Even if we sign the modules afterwards manually using "scripts/sign-file", the kernel would not enforce the verification.
Reading <https://docs-old.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-kernel-module-authentication.html> there should be a way to load the UEFI-SB keys as additional keys into the Linux Kernel Keyring.
There also is "CONFIG_SYSTEM_EXTRA_CERTIFICATE" to reserve space for adding keys without re-compilation, which is not enabled in Debian (as CONFIG_MODULE_SIG is disabled), but neither in our build.
# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
Created attachment 9384: Grub kernel selection
After updating a UCS 4.2 system to UCS 4.3 and rebooting, the new Kernel is not selected, probably due to sort order.
I removed univention-kernel-images-signed from ucs_4.3-0 as it is useless and still depends on the Linux kernel from ucs_4.2-3-errata4.2-3
(In reply to Philipp Hahn from comment #3)
> Reading <https://docs-old.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-kernel-module-authentication.html> there should be a way to load the UEFI-SB keys as additional keys into the Linux Kernel Keyring.
This required a Red Hat specific Linux kernel patch, which is not included upstream: <https://lists.fedoraproject.org/pipermail/scm-commits/2012-October/890845.html>
From that:
> Secure boot adds certain policy requirements, including that root must not be able to do anything that could cause the kernel to execute arbitrary code.
AFAIK we need to enforce verifying module signatures.
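As an added example (not from the bug thread or the UCS repository), a small POSIX shell check that classifies a kernel config file by the module-signing options that comment #3 and comment #5 discuss (CONFIG_MODULE_SIG, CONFIG_MODULE_SIG_FORCE, CONFIG_SECONDARY_TRUSTED_KEYRING). The two config samples are constructed and the function names are my own; on a live system pass /boot/config-$(uname -r) instead.

```shell
#!/bin/sh
# Added example: classify a kernel config by its module-signing options.
# Sample configs are constructed; function names are this example's own.

# Print the value of one CONFIG_ option: "y"/"m"/a string, "n" for
# "# CONFIG_X is not set", or nothing if the option is absent.
kconfig_get() {
    opt=$1; cfg=$2
    if grep -q "^# ${opt} is not set\$" "$cfg"; then
        echo n
    else
        sed -n "s/^${opt}=//p" "$cfg" | head -n 1
    fi
}

# Summarise module signature handling:
#   disabled    - CONFIG_MODULE_SIG off: signatures are never checked,
#                 so signing modules with scripts/sign-file changes nothing
#   verify-only - signatures are checked, but unsigned modules still load
#                 (unless module.sig_enforce=1 is given at boot)
#   enforced    - CONFIG_MODULE_SIG_FORCE: unsigned/badly signed modules are refused
module_sig_status() {
    cfg=$1
    [ "$(kconfig_get CONFIG_MODULE_SIG "$cfg")" = y ] || { echo disabled; return; }
    if [ "$(kconfig_get CONFIG_MODULE_SIG_FORCE "$cfg")" = y ]; then
        echo enforced
    else
        echo verify-only
    fi
}

# Constructed sample: the Debian 4.9 kernel options quoted in comment #3.
DEBIAN_CFG=$(mktemp)
cat >"$DEBIAN_CFG" <<'EOF'
CONFIG_MODULES=y
# CONFIG_MODULE_SIG is not set
# CONFIG_SECONDARY_TRUSTED_KEYRING is not set
EOF

# Constructed sample: a kernel built with enforced signature verification.
ENFORCED_CFG=$(mktemp)
cat >"$ENFORCED_CFG" <<'EOF'
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_MODULE_SIG_ALL=y
CONFIG_SECONDARY_TRUSTED_KEYRING=y
EOF

echo "debian:   $(module_sig_status "$DEBIAN_CFG")"
echo "enforced: $(module_sig_status "$ENFORCED_CFG")"
```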
(In reply to Arvid Requate from comment #4)
> After updating a UCS 4.2 system to UCS 4.3 and rebooting the new Kernel is not selected, probably due to sort order.
Moved to Bug #46342
9c34289138 Bug #45961 kernel: Copyright 2018
74611a2cc8 Bug #45961 kernel: Update firmware dependencies
Package: univention-kernel-image
Version: 11.0.1-3A~4.3.0.201802201402
Branch: ucs_4.3-0
c14c876958 Bug #45961 kernel: Down-prio ipw2x00
Package: univention-kernel-image
Version: 11.0.1-4A~4.3.0.201802201712
Branch: ucs_4.3-0
*** Bug 46356 has been marked as a duplicate of this bug. ***
28ee855951 Bug #45961 kernel: Sign Debian Linux kernel 4.9.0-6
Package: univention-kernel-image-signed
Version: 4.0.0-2A~4.3.0.201802281721
Branch: ucs_4.3-0
f64ad3117d Bug #45961 kernel: Use signed Debian Linux kernel
Package: univention-kernel-image
Version: 11.0.1-5A~4.3.0.201802281728
Branch: ucs_4.3-0
c9717c4997 Bug #45961: Linux kernel changelog
Newly installed system: OK
System upgrade: OK
Updated i386 system: tbd
UEFI secure boot: Failed, see screenshot
Changelog: OK
Created attachment 9429: Failed UEFI Secure Screenshot
(In reply to Stefan Gohmann from comment #14)
> UEFI secure boot: Failed, see screenshot
I've burned the latest DVD and tried the installation on our UEFI test hardware.
(In reply to Stefan Gohmann from comment #14)
> Updated i386 system: tbd
Updated i386 system: OK
(In reply to Stefan Gohmann from comment #16)
> (In reply to Stefan Gohmann from comment #14)
> > UEFI secure boot: Failed, see screenshot
>
> I've burned the latest DVD and tried the installation on our UEFI test hardware.
FIXED: DVD was using the old D-I, which still used the old unsigned kernel.
FIXED: the signed kernel was not on the DVD:
[4.3-0] ecdc49a0e6 Bug #45961 kernel: Always install signed Debian Linux kernel on amd64
[4.3-0] 5a24fa1dd5 Bug #45961 kernel: Depend directly on linux-image
Package: univention-kernel-image
Version: 11.0.1-6A~4.3.0.201803021152
Version: 11.0.1-49A~4.2.0.201803021300
Branch: ucs_4.3-0
ucs_4.3-0-20180302-135545-dvd-amd64.iso
OK: amd64 @ kvm
OK: amd64 @ UEFI-SecureBoot HW
OK: uname -r # 4.9.0-6-amd64
OK: cat /sys/kernel/security/securelevel # 1
OK: grep . /sys/devices/system/cpu/vulnerabilities/
UEFI Secure boot installation was successful too.
UCS 4.3 has been released:
https://docs.software-univention.de/release-notes-4.3-0-en.html
https://docs.software-univention.de/release-notes-4.3-0-de.html
If this error occurs again, please use "Clone This Bug".