[0/1,SRU,B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Message ID 20200207204127.10016-1-tyhicks@canonical.com

Message

Tyler Hicks Feb. 7, 2020, 8:41 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1861238

I've tested this patch by building a test kernel, generating and
enrolling a Machine Owner Key, signing the test kernel and modules, and
rebooting into the test kernel. Then I followed the [Test Case]
documented below and then I verified that pressing alt-sysrq-x on my
physical keyboard also resulted in the sysrq help message.

[Impact]

It's possible to turn off kernel lockdown by emulating a USB keyboard
via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

$ git clone https://github.com/xairy/unlockdown.git
$ cd unlockdown/01-usbip/
$ sudo ./run.sh
$ dmesg

# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown

# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq
combination being removed. Some users are known to disable lockdown,
using the sysrq combination, in order to perform some "dangerous"
operation such as writing to an MSR. It is believed that this is a small
number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable
secure boot using 'mokutil --disable-validation'.

Tyler

Tyler Hicks (1):
  Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
    kernel lockdown"

 arch/x86/include/asm/setup.h                  |  2 -
 .../config/amd64/config.common.amd64          |  1 -
 debian.master/config/annotations              |  2 -
 .../config/arm64/config.common.arm64          |  1 -
 .../config/armhf/config.common.armhf          |  1 -
 debian.master/config/i386/config.common.i386  |  1 -
 drivers/input/misc/uinput.c                   |  1 -
 drivers/tty/sysrq.c                           | 27 ++++-------
 include/linux/input.h                         |  5 --
 include/linux/sysrq.h                         |  8 +---
 kernel/debug/kdb/kdb_main.c                   |  2 +-
 security/Kconfig                              |  7 ---
 security/lock_down.c                          | 47 -------------------
 13 files changed, 12 insertions(+), 93 deletions(-)
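
The [Test Case] above as a repeatable check. This is an added example, not part of the original message or of the Ubuntu kernel tree. The function names are hypothetical, the matched strings are the ones quoted in the cover letter, and the sample timestamps and module sizes are constructed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; the matched strings are the ones quoted in the [Test Case].

# Reads kernel log text on stdin and prints one verdict:
#   lifted       - a lockdown-lift message was logged
#   rejected     - only the SysRq HELP entry was logged (combination disabled)
#   inconclusive - neither was logged, so the test did not exercise the combination
classify_lockdown_log() {
    awk '
        /sysrq: SysRq : Disabling Secure Boot restrictions/ { lifted = 1 }
        /Lifting lockdown/                                   { lifted = 1 }
        /sysrq: SysRq : HELP :/                              { help = 1 }
        END {
            if (lifted)    print "lifted"
            else if (help) print "rejected"
            else           print "inconclusive"
        }'
}

# Reads /proc/modules-format text on stdin and reports whether the two
# USB/IP modules named in [Impact] are loaded.
usbip_module_state() {
    awk '
        $1 == "usbip_core" { core = 1 }
        $1 == "vhci_hcd"   { vhci = 1 }
        END {
            printf "usbip_core=%s vhci_hcd=%s\n",
                   (core ? "loaded" : "absent"), (vhci ? "loaded" : "absent")
        }'
}

# Constructed sample inputs (timestamps and sizes are made up).
SAMPLE_UNFIXED='[  812.104511] sysrq: SysRq : Disabling Secure Boot restrictions
[  812.104530] Lifting lockdown'
SAMPLE_FIXED='[  812.104511] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'
SAMPLE_QUIET='[  811.900000] constructed: unrelated kernel message'
SAMPLE_MODULES='vhci_hcd 49152 0 - Live 0x0000000000000000
usbip_core 32768 1 vhci_hcd, Live 0x0000000000000000'

# Demo on the samples. On a live system:
#   dmesg | classify_lockdown_log ; usbip_module_state < /proc/modules
for s in "$SAMPLE_UNFIXED" "$SAMPLE_FIXED" "$SAMPLE_QUIET"; do
    printf '%s\n' "$s" | classify_lockdown_log
done
printf '%s\n' "$SAMPLE_MODULES" | usbip_module_state
```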

Comments

Sultan Alsawaf Feb. 11, 2020, 1:02 a.m. UTC | #1

Super-ack for all four flavors of this patch.

Acked-by: Sultan Alsawaf <sultan.alsawaf@canonical.com>

Kleber Sacilotto de Souza Feb. 13, 2020, 5:42 p.m. UTC | #2

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Kleber Sacilotto de Souza Feb. 14, 2020, 10:38 a.m. UTC | #3

Applied to bionic/linux.

Thanks,
Kleber