Message ID | 20200207204127.10016-1-tyhicks@canonical.com |
---|---|
Series | Root can lift kernel lockdown via USB/IP (LP: #1861238) |
On Fri, Feb 07, 2020 at 08:41:26PM +0000, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
>  arch/x86/include/asm/setup.h                  |  2 -
>  .../config/amd64/config.common.amd64          |  1 -
>  debian.master/config/annotations              |  2 -
>  .../config/arm64/config.common.arm64          |  1 -
>  .../config/armhf/config.common.armhf          |  1 -
>  debian.master/config/i386/config.common.i386  |  1 -
>  drivers/input/misc/uinput.c                   |  1 -
>  drivers/tty/sysrq.c                           | 27 ++++-------
>  include/linux/input.h                         |  5 --
>  include/linux/sysrq.h                         |  8 +---
>  kernel/debug/kdb/kdb_main.c                   |  2 +-
>  security/Kconfig                              |  7 ---
>  security/lock_down.c                          | 47 -------------------
>  13 files changed, 12 insertions(+), 93 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Super-ack for all four flavors of this patch.

Acked-by: Sultan Alsawaf <sultan.alsawaf@canonical.com>

On 07.02.20 21:41, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> [...]
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
> [...]
>  13 files changed, 12 insertions(+), 93 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

On 07.02.20 21:41, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> [...]
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
> [...]
>  13 files changed, 12 insertions(+), 93 deletions(-)
>

Applied to bionic/linux.

Thanks,
Kleber
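
The pass/fail check from the [Test Case] in the cover letter can be scripted. The following is an added example, not part of the thread or of the Ubuntu kernel tree: the log strings and module names are the ones quoted in the cover letter, while the function names, timestamps and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Log strings and module names are the
# ones quoted in the cover letter; timestamps and sample data are constructed.

# Read a kernel log on stdin and print one verdict:
#   LIFTED       - a lockdown-lift message is present
#   BLOCKED      - no lift message, and the SysRq help text was logged,
#                  which is what the fixed kernel prints for Alt+SysRq+X
#   INCONCLUSIVE - neither message: the key combination never reached sysrq
classify_lockdown_log() {
    log=$(cat)
    case $log in
        *"Lifting lockdown"*|*"SysRq : Disabling Secure Boot restrictions"*)
            echo LIFTED ;;
        *"SysRq : HELP"*)
            echo BLOCKED ;;
        *)
            echo INCONCLUSIVE ;;
    esac
}

# Read /proc/modules-format text on stdin and print, comma-separated, which
# of the two USB/IP modules named in the cover letter are loaded.
usbip_modules_loaded() {
    awk '$1 == "usbip_core" || $1 == "vhci_hcd" { s = s (s ? "," : "") $1 }
         END { print s }'
}

# Constructed samples: an unfixed kernel, a fixed kernel, a module list.
SAMPLE_UNFIXED='[  101.100000] sysrq: SysRq : Disabling Secure Boot restrictions
[  101.100100] Lifting lockdown'
SAMPLE_FIXED='[  101.100000] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'
SAMPLE_MODULES='vhci_hcd 49152 0 - Live 0x0000000000000000
usbip_core 32768 1 vhci_hcd, Live 0x0000000000000000
usbhid 53248 0 - Live 0x0000000000000000'

printf '%s\n' "$SAMPLE_UNFIXED" | classify_lockdown_log
printf '%s\n' "$SAMPLE_FIXED" | classify_lockdown_log
printf '%s\n' "$SAMPLE_MODULES" | usbip_modules_loaded
```

On a live host the same functions take `dmesg` output and `/proc/modules` on stdin; a LIFTED verdict in archived kernel logs marks a boot where lockdown was turned off.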