From: Tyler Hicks
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 0/1][SRU][E] Root can lift kernel lockdown via USB/IP (LP: #1861238)
Date: Fri, 7 Feb 2020 20:40:04 +0000
Message-Id: <20200207204005.9849-1-tyhicks@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1861238

I've tested this patch by building a test kernel, generating and
enrolling a Machine Owner Key, signing the test kernel and modules, and
rebooting into the test kernel. Then I followed the [Test Case]
documented below and then I verified that pressing alt-sysrq-x on my
physical keyboard also resulted in the sysrq help message.

[Impact]

It's possible to turn off kernel lockdown by emulating a USB keyboard
via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

 $ git clone https://github.com/xairy/unlockdown.git
 $ cd unlockdown/01-usbip/
 $ sudo ./run.sh
 $ dmesg

 # Ensure there are no log entries talking about lifting lockdown:

 sysrq: SysRq : Disabling Secure Boot restrictions
 Lifting lockdown

 # You should see a SysRq help log entry because the Alt+SysRq+X
 # combination should be disabled

 sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq
combination being removed. Some users are known to disable lockdown,
using the sysrq combination, in order to perform some "dangerous"
operation such as writing to an MSR. It is believed that this is a small
number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable
secure boot using 'mokutil --disable-validation'.

Tyler

Tyler Hicks (1):
  Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel lockdown"

 arch/x86/include/asm/setup.h              |  2 -
 debian.master/config/annotations          |  1 -
 debian.master/config/config.common.ubuntu |  1 -
 drivers/input/misc/uinput.c               |  1 -
 drivers/tty/sysrq.c                       | 27 +++++--------
 include/linux/input.h                     |  5 ---
 include/linux/sysrq.h                     |  8 +---
 kernel/debug/kdb/kdb_main.c               |  2 +-
 security/Kconfig                          | 10 -----
 security/lock_down.c                      | 47 -----------------------
 10 files changed, 12 insertions(+), 92 deletions(-)

Acked-by: Kleber Sacilotto de Souza
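
Added example, not part of the original message or of the Ubuntu kernel tree: a shell helper that applies the pass/fail criteria of the [Test Case] above to kernel log text. The function name check_lockdown_log and both sample logs are constructed for illustration; the matched strings are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: classify kernel log text for the USB/IP lockdown test case.
# check_lockdown_log is a hypothetical helper; it reads log text on stdin
# and prints exactly one verdict:
#   FAIL          a lockdown-lift entry is present (SysRq+X still lifts lockdown)
#   PASS          no lift entry, and the SysRq help entry is present
#   INCONCLUSIVE  neither entry found (key combo never arrived, or log rotated)
check_lockdown_log() {
    log=$(cat)
    # A lift entry always wins, even if a help entry is also in the log.
    if printf '%s\n' "$log" |
        grep -Eq 'Lifting lockdown|SysRq : Disabling Secure Boot restrictions'; then
        echo FAIL
    elif printf '%s\n' "$log" | grep -q 'sysrq: SysRq : HELP'; then
        echo PASS
    else
        echo INCONCLUSIVE
    fi
}

# Constructed sample: log from a kernel with the revert applied.
SAMPLE_PATCHED='[  512.100000] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'

# Constructed sample: log from a kernel that still has the SysRq lift option.
SAMPLE_UNPATCHED='[  512.100000] sysrq: SysRq : Disabling Secure Boot restrictions
[  512.100010] Lifting lockdown'

printf 'patched kernel:   %s\n' "$(printf '%s\n' "$SAMPLE_PATCHED" | check_lockdown_log)"
printf 'unpatched kernel: %s\n' "$(printf '%s\n' "$SAMPLE_UNPATCHED" | check_lockdown_log)"
```

On a test machine the function would be fed live output with `dmesg | check_lockdown_log` after `run.sh` has completed.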