Message ID | 20200207204005.9849-1-tyhicks@canonical.com |
---|---|
Series | Root can lift kernel lockdown via USB/IP (LP: #1861238) |
On 07.02.20 21:40, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
>  arch/x86/include/asm/setup.h              |  2 -
>  debian.master/config/annotations          |  1 -
>  debian.master/config/config.common.ubuntu |  1 -
>  drivers/input/misc/uinput.c               |  1 -
>  drivers/tty/sysrq.c                       | 27 +++++-------
>  include/linux/input.h                     |  5 ---
>  include/linux/sysrq.h                     |  8 +---
>  kernel/debug/kdb/kdb_main.c               |  2 +-
>  security/Kconfig                          | 10 -----
>  security/lock_down.c                      | 47 -----------------------
>  10 files changed, 12 insertions(+), 92 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Applied to eoan/linux, with Sultan's ACK sent on the other thread.

Thanks,
Kleber
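
The pass/fail check from the [Test Case] quoted in this thread, as an added example that is not part of the original messages: a shell function that classifies kernel log text by the three log strings the cover letter names. The verdict names, the optional timestamp cutoff and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Classify kernel log text (stdin) after running the [Test Case]:
#   lifted        a lockdown-lift message is present: kernel still affected
#   x-disabled    only the SysRq HELP banner appeared: Alt+SysRq+X is gone
#   inconclusive  neither message seen: the key event never reached sysrq
# $1 (optional) = seconds since boot; older entries are ignored so that a
# stale HELP line from an earlier key press does not decide the verdict.
lockdown_verdict() {
    awk -v since="${1:-0}" '
        {
            # dmesg lines start with "[  secs.usecs]"; untimed lines get ts 0
            ts = 0
            if (match($0, /^\[ *[0-9]+\.[0-9]+\]/))
                ts = substr($0, 2, RLENGTH - 2) + 0
            if (ts < since) next
        }
        /sysrq: SysRq : Disabling Secure Boot restrictions/ { lifted = 1 }
        /Lifting lockdown/                                  { lifted = 1 }
        /sysrq: SysRq : HELP :/                             { help = 1 }
        END {
            if (lifted)    print "lifted"
            else if (help) print "x-disabled"
            else           print "inconclusive"
        }'
}

# Constructed sample logs (timestamps invented; message text from the thread).
SAMPLE_AFFECTED='[  101.000001] sysrq: SysRq : Disabling Secure Boot restrictions
[  101.000002] Lifting lockdown'
SAMPLE_FIXED='[  230.000001] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'

printf '%s\n' "$SAMPLE_AFFECTED" | lockdown_verdict        # lifted
printf '%s\n' "$SAMPLE_FIXED"    | lockdown_verdict 200    # x-disabled
printf '%s\n' "$SAMPLE_FIXED"    | lockdown_verdict 300    # inconclusive
```

On a real host, read the first field of `/proc/uptime` before starting the test case and pass it as the cutoff when piping `dmesg` into `lockdown_verdict`.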