Skip to content

kernel: Update Mariner cert in kernel keyring #1968

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 21, 2022
Merged

kernel: Update Mariner cert in kernel keyring #1968

merged 4 commits into from
Jan 21, 2022

Conversation

@christopherco
Copy link
Contributor

@christopherco christopherco commented Jan 21, 2022
edited
Loading

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/tools/cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge
Summary

Our signing key has been renewed so this change updates the trusted module key in the kernel keyring to the new certificate. This will allow kernel modules signed with the new key to be loaded on Mariner starting with this kernel release.

Change Log
  • Update the Mariner certificate built which is compiled in at build time
  • Bump kernel version numbers
Does this affect the toolchain?

YES

Associated issues
Links to CVEs
Test Methodology

Local build

@christopherco christopherco marked this pull request as ready for review January 21, 2022 18:47
@christopherco christopherco requested review from a team and Camelron January 21, 2022 18:47
rlmenge
rlmenge approved these changes Jan 21, 2022
View reviewed changes
Copy link
Contributor

@rlmenge rlmenge left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit: 🚢

@christopherco christopherco merged commit 05784c9 into microsoft:1.0-dev Jan 21, 2022
adithyaj
adithyaj approved these changes Jan 21, 2022
View reviewed changes
Copy link
Contributor

@adithyaj adithyaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved, there were spec linting issues though so just need to fix that

@christopherco
Copy link
Contributor Author

christopherco commented Jan 22, 2022

Approved, there were spec linting issues though so just need to fix that

We typically keep the %define and %global at the top of the file, so we need to update the linter on that. There were a couple other linter issues that I will resolve in an upcoming PR.

christopherco added a commit to christopherco/CBL-Mariner that referenced this pull request Jan 24, 2022
@christopherco
kernel: Update Mariner cert in kernel keyring (microsoft#1968)
0a0077f 
* kernel: Update mariner cert in kernel keyring

* kernel-hyperv: Update mariner cert in kernel keyring

* kernel-headers: Bump to match kernel release number

* kernel-signed: Bump to match kernel release

Signed-off-by: Chris Co <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rlmenge rlmenge rlmenge approved these changes

@jslobodzian jslobodzian jslobodzian approved these changes

@Camelron Camelron Awaiting requested review from Camelron

+1 more reviewer

@adithyaj adithyaj adithyaj approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@christopherco @adithyaj @rlmenge @jslobodzian