[PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

[PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Tyler Hicks-2
BugLink: https://bugs.launchpad.net/bugs/1861238

I've tested this patch by building a test kernel, generating and
enrolling a Machine Owner Key, signing the test kernel and modules, and
rebooting into the test kernel. Then I followed the [Test Case]
documented below and then I verified that pressing alt-sysrq-x on my
physical keyboard also resulted in the sysrq help message.

[Impact]

It's possible to turn off kernel lockdown by emulating a USB keyboard
via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

$ git clone https://github.com/xairy/unlockdown.git
$ cd unlockdown/01-usbip/
$ sudo ./run.sh
$ dmesg

# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown

# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq
combination being removed. Some users are known to disable lockdown,
using the sysrq combination, in order to perform some "dangerous"
operation such as writing to an MSR. It is believed that this is a small
number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable
secure boot using 'mokutil --disable-validation'.

Tyler

Tyler Hicks (1):
  Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
    kernel lockdown"

 arch/x86/include/asm/setup.h                  |  2 -
 .../config/amd64/config.common.amd64          |  1 -
 debian.master/config/annotations              |  2 -
 .../config/arm64/config.common.arm64          |  1 -
 .../config/armhf/config.common.armhf          |  1 -
 debian.master/config/i386/config.common.i386  |  1 -
 drivers/input/misc/uinput.c                   |  1 -
 drivers/tty/sysrq.c                           | 27 ++++-------
 include/linux/input.h                         |  5 --
 include/linux/sysrq.h                         |  8 +---
 kernel/debug/kdb/kdb_main.c                   |  2 +-
 security/Kconfig                              |  7 ---
 security/lock_down.c                          | 47 -------------------
 13 files changed, 12 insertions(+), 93 deletions(-)

--
2.17.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
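
Added example, not part of the original thread or of the Ubuntu kernel tree: a POSIX shell check that applies the [Impact] and [Test Case] criteria from the cover letter above to a kernel config file and a saved kernel log. The function names, result labels and sample inputs are constructed for illustration; the config symbols and log strings are the ones quoted in the thread.

```shell
#!/bin/sh
# Classify a kernel config file. Prints one of:
#   lift-enabled+usbip  SysRq lockdown lift built in and USB/IP available
#   lift-enabled        SysRq lockdown lift built in, USB/IP not configured
#   lift-removed        option absent or "is not set"
classify_config() {
    cfg=$1
    if ! grep -q '^CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y$' "$cfg"; then
        echo lift-removed
        return 0
    fi
    if grep -Eq '^CONFIG_USBIP_CORE=[ym]$' "$cfg" &&
       grep -Eq '^CONFIG_USBIP_VHCI_HCD=[ym]$' "$cfg"; then
        echo lift-enabled+usbip
    else
        echo lift-enabled
    fi
}

# Classify a saved kernel log against the [Test Case]. Prints one of:
#   lifted       a lockdown lift was logged
#   help-only    SysRq HELP was logged and no lift (expected with the revert)
#   no-evidence  neither message is present
# Patterns are unanchored because dmesg lines carry a timestamp prefix.
classify_log() {
    log=$1
    if grep -Eq 'Lifting lockdown|SysRq : Disabling Secure Boot restrictions' "$log"; then
        echo lifted
    elif grep -q 'SysRq : HELP :' "$log"; then
        echo help-only
    else
        echo no-evidence
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/config.before" <<'EOF'
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y
CONFIG_USBIP_CORE=m
CONFIG_USBIP_VHCI_HCD=m
EOF
cat > "$SAMPLE_DIR/config.nousbip" <<'EOF'
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y
# CONFIG_USBIP_CORE is not set
EOF
cat > "$SAMPLE_DIR/config.after" <<'EOF'
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_USBIP_CORE=m
CONFIG_USBIP_VHCI_HCD=m
EOF
cat > "$SAMPLE_DIR/config.arm64" <<'EOF'
# CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is not set
CONFIG_USBIP_CORE=m
CONFIG_USBIP_VHCI_HCD=m
EOF
cat > "$SAMPLE_DIR/dmesg.before" <<'EOF'
[  812.104233] sysrq: SysRq : Disabling Secure Boot restrictions
[  812.104236] Lifting lockdown
EOF
cat > "$SAMPLE_DIR/dmesg.after" <<'EOF'
[  640.551902] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
EOF
cat > "$SAMPLE_DIR/dmesg.quiet" <<'EOF'
[    1.000000] constructed unrelated log line
EOF

for f in config.before config.nousbip config.after config.arm64; do
    printf '%-16s %s\n' "$f" "$(classify_config "$SAMPLE_DIR/$f")"
done
for f in dmesg.before dmesg.after dmesg.quiet; do
    printf '%-16s %s\n' "$f" "$(classify_log "$SAMPLE_DIR/$f")"
done
```

On an Ubuntu system the real inputs would be /boot/config-$(uname -r) and the output of dmesg saved to a file.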

[PATCH 1/1] Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel lockdown"

Tyler Hicks-2
BugLink: https://bugs.launchpad.net/bugs/1861238

This reverts commit 531c25a35b2a93e025e72e04f16b0f3620ace581.

The original intent behind Lockdown's SysRq support was that the SysRq
command to lift Lockdown would only be honored if the command was
physically entered on a keyboard. Attempts to synthetically generate the
SysRq command, by a software program, were to be ignored since software,
even running as root, must not have the authorization to lift Lockdown.

Unfortunately, attempts to detect a synthetic SysRq command can be
thwarted by a privileged process that is able to set up a USB/IP
connection as the USB/IP connection could be used to lift Lockdown.

Remove the ability to lift Lockdown using SysRq.

Signed-off-by: Tyler Hicks <[hidden email]>
---
 arch/x86/include/asm/setup.h                  |  2 -
 .../config/amd64/config.common.amd64          |  1 -
 debian.master/config/annotations              |  2 -
 .../config/arm64/config.common.arm64          |  1 -
 .../config/armhf/config.common.armhf          |  1 -
 debian.master/config/i386/config.common.i386  |  1 -
 drivers/input/misc/uinput.c                   |  1 -
 drivers/tty/sysrq.c                           | 27 ++++-------
 include/linux/input.h                         |  5 --
 include/linux/sysrq.h                         |  8 +---
 kernel/debug/kdb/kdb_main.c                   |  2 +-
 security/Kconfig                              |  7 ---
 security/lock_down.c                          | 47 -------------------
 13 files changed, 12 insertions(+), 93 deletions(-)

diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h
index 3108e297d87d..ae13bc974416 100644
--- a/arch/x86/include/asm/setup.h
+++ b/arch/x86/include/asm/setup.h
@@ -9,8 +9,6 @@
 #include <linux/linkage.h>
 #include <asm/page_types.h>
 
-#define LOCKDOWN_LIFT_KEY 'x'
-
 #ifdef __i386__
 
 #include <linux/pfn.h>
diff --git a/debian.master/config/amd64/config.common.amd64 b/debian.master/config/amd64/config.common.amd64
index 7cd187de7d8a..ed3d99b58abe 100644
--- a/debian.master/config/amd64/config.common.amd64
+++ b/debian.master/config/amd64/config.common.amd64
@@ -12,7 +12,6 @@ CONFIG_ADFS_FS=m
 CONFIG_AFFS_FS=m
 CONFIG_AIX_PARTITION=y
 CONFIG_ALIM7101_WDT=m
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y
 CONFIG_ALTERA_TSE=m
 CONFIG_AMD_XGBE_HAVE_ECC=y
 CONFIG_AMIGA_PARTITION=y
diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 7eee1d1588af..d4ba76f3a350 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -11518,11 +11518,9 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN               policy<{'amd64': 'n', 'arm64': '
 CONFIG_FORTIFY_SOURCE                           policy<{'amd64': 'y', 'arm64': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
 CONFIG_STATIC_USERMODEHELPER                    policy<{'amd64': 'n', 'arm64': 'n', 'armhf': 'n', 'i386': 'n', 'ppc64el': 'n', 's390x': 'n'}>
 CONFIG_LOCK_DOWN_KERNEL                         policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'n', 's390x': 'n'}>
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             policy<{'amd64': 'y', 'arm64': 'n', 'armhf': 'n', 'i386': 'y'}>
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y'}>
 #
 CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT             mark<ENFORCED>
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ             mark<ENFORCED>
 CONFIG_LOCK_DOWN_KERNEL                         mark<ENFORCED> flag<REVIEW>
 
 # Menu: Security options >> Default security module
diff --git a/debian.master/config/arm64/config.common.arm64 b/debian.master/config/arm64/config.common.arm64
index e9ab42f9c080..ff094a2408a4 100644
--- a/debian.master/config/arm64/config.common.arm64
+++ b/debian.master/config/arm64/config.common.arm64
@@ -12,7 +12,6 @@ CONFIG_ADFS_FS=m
 CONFIG_AFFS_FS=m
 CONFIG_AIX_PARTITION=y
 CONFIG_ALIM7101_WDT=m
-# CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is not set
 CONFIG_ALTERA_TSE=m
 # CONFIG_AMD_XGBE_HAVE_ECC is not set
 CONFIG_AMIGA_PARTITION=y
diff --git a/debian.master/config/armhf/config.common.armhf b/debian.master/config/armhf/config.common.armhf
index 5c6fb4a69631..83e558265e83 100644
--- a/debian.master/config/armhf/config.common.armhf
+++ b/debian.master/config/armhf/config.common.armhf
@@ -8,7 +8,6 @@ CONFIG_ADFS_FS=m
 CONFIG_AFFS_FS=m
 CONFIG_AIX_PARTITION=y
 CONFIG_ALIM7101_WDT=m
-# CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is not set
 CONFIG_ALTERA_TSE=m
 # CONFIG_AMD_XGBE_HAVE_ECC is not set
 CONFIG_AMIGA_PARTITION=y
diff --git a/debian.master/config/i386/config.common.i386 b/debian.master/config/i386/config.common.i386
index b93051b26b43..d002cb217ce6 100644
--- a/debian.master/config/i386/config.common.i386
+++ b/debian.master/config/i386/config.common.i386
@@ -12,7 +12,6 @@ CONFIG_ADFS_FS=m
 CONFIG_AFFS_FS=m
 CONFIG_AIX_PARTITION=y
 CONFIG_ALIM7101_WDT=m
-CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y
 CONFIG_ALTERA_TSE=m
 CONFIG_AMD_XGBE_HAVE_ECC=y
 CONFIG_AMIGA_PARTITION=y
diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
index 79dc351ce53c..4d0268efa2ca 100644
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -363,7 +363,6 @@ static int uinput_create_device(struct uinput_device *udev)
  dev->flush = uinput_dev_flush;
  }
 
- dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;
  dev->event = uinput_dev_event;
 
  input_set_drvdata(udev->dev, udev);
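Review bot: The removed `dev->flags |= INPUTDEV_FLAGS_SYNTHETIC;` in uinput_create_device() is the only place in this diff where the flag was ever set, so the synthetic/physical distinction relied on each software-backed input path marking itself. The commit message describes the USB/IP case but not this; one sentence stating that only uinput set the flag would document why the detection was incomplete.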
diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
index f72003937717..b674793be478 100644
--- a/drivers/tty/sysrq.c
+++ b/drivers/tty/sysrq.c
@@ -487,7 +487,6 @@ static struct sysrq_key_op *sysrq_key_table[36] = {
  /* x: May be registered on mips for TLB dump */
  /* x: May be registered on ppc/powerpc for xmon */
  /* x: May be registered on sparc64 for global PMU dump */
- /* x: May be registered on x86_64 for disabling secure boot */
  NULL, /* x */
  /* y: May be registered on sparc64 for global register dump */
  NULL, /* y */
@@ -531,7 +530,7 @@ static void __sysrq_put_key_op(int key, struct sysrq_key_op *op_p)
                 sysrq_key_table[i] = op_p;
 }
 
-void __handle_sysrq(int key, unsigned int from)
+void __handle_sysrq(int key, bool check_mask)
 {
  struct sysrq_key_op *op_p;
  int orig_log_level;
@@ -551,15 +550,11 @@ void __handle_sysrq(int key, unsigned int from)
 
         op_p = __sysrq_get_key_op(key);
         if (op_p) {
- /* Ban synthetic events from some sysrq functionality */
- if ((from == SYSRQ_FROM_PROC || from == SYSRQ_FROM_SYNTHETIC) &&
-    op_p->enable_mask & SYSRQ_DISABLE_USERSPACE) {
- printk("This sysrq operation is disabled from userspace.\n");
- } else if (from == SYSRQ_FROM_KERNEL || sysrq_on_mask(op_p->enable_mask)) {
- /*
- * Should we check for enabled operations (/proc/sysrq-trigger
- * should not) and is the invoked operation enabled?
- */
+ /*
+ * Should we check for enabled operations (/proc/sysrq-trigger
+ * should not) and is the invoked operation enabled?
+ */
+ if (!check_mask || sysrq_on_mask(op_p->enable_mask)) {
  pr_cont("%s\n", op_p->action_msg);
  console_loglevel = orig_log_level;
  op_p->handler(key);
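Review bot: In __handle_sysrq() the new condition `if (!check_mask || sysrq_on_mask(op_p->enable_mask))` is not a pure rename of the old `from` logic: the removed branch skipped sysrq_on_mask() only for SYSRQ_FROM_KERNEL, while a SYSRQ_FROM_PROC call for an op without SYSRQ_DISABLE_USERSPACE still went through the mask check. The call sites later in this file map SYSRQ_FROM_KERNEL to `true` in handle_sysrq() and SYSRQ_FROM_PROC to `false` in write_sysrq_trigger(), so both change behaviour relative to the kernel being patched. Please state in the commit message that this restores the mask semantics from before the reverted commit, so it is not read as an unintended change in sysrq mask enforcement.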
@@ -591,7 +586,7 @@ void __handle_sysrq(int key, unsigned int from)
 void handle_sysrq(int key)
 {
  if (sysrq_on())
- __handle_sysrq(key, SYSRQ_FROM_KERNEL);
+ __handle_sysrq(key, true);
 }
 EXPORT_SYMBOL(handle_sysrq);
 
@@ -672,7 +667,7 @@ static void sysrq_do_reset(struct timer_list *t)
 static void sysrq_handle_reset_request(struct sysrq_state *state)
 {
  if (state->reset_requested)
- __handle_sysrq(sysrq_xlate[KEY_B], SYSRQ_FROM_KERNEL);
+ __handle_sysrq(sysrq_xlate[KEY_B], false);
 
  if (sysrq_reset_downtime_ms)
  mod_timer(&state->keyreset_timer,
@@ -823,10 +818,8 @@ static bool sysrq_handle_keypress(struct sysrq_state *sysrq,
 
  default:
  if (sysrq->active && value && value != 2) {
- int from = sysrq->handle.dev->flags & INPUTDEV_FLAGS_SYNTHETIC ?
- SYSRQ_FROM_SYNTHETIC : 0;
  sysrq->need_reinject = false;
- __handle_sysrq(sysrq_xlate[code], from);
+ __handle_sysrq(sysrq_xlate[code], true);
  }
  break;
  }
@@ -1109,7 +1102,7 @@ static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
 
  if (get_user(c, buf))
  return -EFAULT;
- __handle_sysrq(c, SYSRQ_FROM_PROC);
+ __handle_sysrq(c, false);
  }
 
  return count;
diff --git a/include/linux/input.h b/include/linux/input.h
index 38cd0ea72c37..7c7516eb7d76 100644
--- a/include/linux/input.h
+++ b/include/linux/input.h
@@ -42,7 +42,6 @@ struct input_value {
  * @phys: physical path to the device in the system hierarchy
  * @uniq: unique identification code for the device (if device has it)
  * @id: id of the device (struct input_id)
- * @flags: input device flags (SYNTHETIC, etc.)
  * @propbit: bitmap of device properties and quirks
  * @evbit: bitmap of types of events supported by the device (EV_KEY,
  * EV_REL, etc.)
@@ -125,8 +124,6 @@ struct input_dev {
  const char *uniq;
  struct input_id id;
 
- unsigned int flags;
-
  unsigned long propbit[BITS_TO_LONGS(INPUT_PROP_CNT)];
 
  unsigned long evbit[BITS_TO_LONGS(EV_CNT)];
@@ -193,8 +190,6 @@ struct input_dev {
 };
 #define to_input_dev(d) container_of(d, struct input_dev, dev)
 
-#define INPUTDEV_FLAGS_SYNTHETIC 0x000000001
-
 /*
  * Verify that we are in sync with input_device_id mod_devicetable.h #defines
  */
diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
index 7de1f08b60a9..8c71874e8485 100644
--- a/include/linux/sysrq.h
+++ b/include/linux/sysrq.h
@@ -29,8 +29,6 @@
 #define SYSRQ_ENABLE_BOOT 0x0080
 #define SYSRQ_ENABLE_RTNICE 0x0100
 
-#define SYSRQ_DISABLE_USERSPACE 0x00010000
-
 struct sysrq_key_op {
  void (*handler)(int);
  char *help_msg;
@@ -45,12 +43,8 @@ struct sysrq_key_op {
  * are available -- else NULL's).
  */
 
-#define SYSRQ_FROM_KERNEL 0x0001
-#define SYSRQ_FROM_PROC 0x0002
-#define SYSRQ_FROM_SYNTHETIC 0x0004
-
 void handle_sysrq(int key);
-void __handle_sysrq(int key, unsigned int from);
+void __handle_sysrq(int key, bool check_mask);
 int register_sysrq_key(int key, struct sysrq_key_op *op);
 int unregister_sysrq_key(int key, struct sysrq_key_op *op);
 struct sysrq_key_op *__sysrq_get_key_op(int key);
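Review bot: The prototype change to `void __handle_sysrq(int key, bool check_mask);` keeps the same arity, so a caller that passes a literal integer rather than one of the removed SYSRQ_FROM_* names would still compile and silently take on the new meaning. This diff updates the callers in drivers/tty/sysrq.c and kernel/debug/kdb/kdb_main.c; please confirm with a tree-wide search that the Ubuntu tree has no other callers of __handle_sysrq().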
diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
index eb1779ea05a0..993db6b2348e 100644
--- a/kernel/debug/kdb/kdb_main.c
+++ b/kernel/debug/kdb/kdb_main.c
@@ -1985,7 +1985,7 @@ static int kdb_sr(int argc, const char **argv)
  return KDB_ARGCOUNT;
 
  kdb_trap_printk++;
- __handle_sysrq(*argv[1], check_mask ? SYSRQ_FROM_KERNEL : 0);
+ __handle_sysrq(*argv[1], check_mask);
  kdb_trap_printk--;
 
  return 0;
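Review bot: In kdb_sr() the old argument `check_mask ? SYSRQ_FROM_KERNEL : 0` was inverted relative to the variable name, because in the branch removed from drivers/tty/sysrq.c SYSRQ_FROM_KERNEL was the value that skipped sysrq_on_mask() and 0 was the value that applied it. Passing `check_mask` straight through corrects that, but it also flips what kdb_sr() does compared with kernels carrying the reverted commit; a line in the commit message would keep this from being mistaken for a mechanical signature update.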
diff --git a/security/Kconfig b/security/Kconfig
index ffe994d38c23..103cb39baed2 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -267,13 +267,6 @@ config LOCK_DOWN_KERNEL
   turns off various features that might otherwise allow access to the
   kernel image (eg. setting MSR registers).
 
-config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
- bool "Allow the kernel lockdown to be lifted by SysRq"
- depends on LOCK_DOWN_KERNEL && MAGIC_SYSRQ
- help
-  Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
-  combination on a wired keyboard.
-
 config LOCK_DOWN_IN_EFI_SECURE_BOOT
  bool "Lock down the kernel in EFI Secure Boot mode"
  default n
diff --git a/security/lock_down.c b/security/lock_down.c
index 527f7e51dc8d..0e2ffa4c8fbf 100644
--- a/security/lock_down.c
+++ b/security/lock_down.c
@@ -11,15 +11,9 @@
 
 #include <linux/security.h>
 #include <linux/export.h>
-#include <linux/sysrq.h>
 #include <linux/efi.h>
-#include <asm/setup.h>
 
-#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
-static __read_mostly bool kernel_locked_down;
-#else
 static __ro_after_init bool kernel_locked_down;
-#endif
 
 /*
  * Put the kernel into lock-down mode.
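Review bot: With the #ifdef dropped, `static __ro_after_init bool kernel_locked_down;` is now unconditional, so the flag lands in memory that is made read-only after init and a later write can no longer change it. The only post-init writer visible in this patch is lift_kernel_lockdown(), removed in the next hunk; please confirm that the remaining setter runs only during init on the builds that previously had CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y (amd64 and i386 per the annotations hunk), since those used `__read_mostly` until now.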
@@ -65,44 +59,3 @@ bool __kernel_is_locked_down(const char *what, bool first)
  return kernel_locked_down;
 }
 EXPORT_SYMBOL(__kernel_is_locked_down);
-
-#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
-
-/*
- * Take the kernel out of lockdown mode.
- */
-static void lift_kernel_lockdown(void)
-{
- pr_notice("Lifting lockdown\n");
- kernel_locked_down = false;
-}
-
-/*
- * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
- * echoing the appropriate letter into the sysrq-trigger file).
- */
-static void sysrq_handle_lockdown_lift(int key)
-{
- if (kernel_locked_down)
- lift_kernel_lockdown();
-}
-
-static struct sysrq_key_op lockdown_lift_sysrq_op = {
- .handler = sysrq_handle_lockdown_lift,
- .help_msg = "unSB(x)",
- .action_msg = "Disabling Secure Boot restrictions",
- .enable_mask = SYSRQ_DISABLE_USERSPACE,
-};
-
-static int __init lockdown_lift_sysrq(void)
-{
- if (kernel_locked_down) {
- lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
- register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
- }
- return 0;
-}
-
-late_initcall(lockdown_lift_sysrq);
-
-#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ */
--
2.17.1



ACK[B/D/E/F]: [PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Sultan Alsawaf
In reply to this post by Tyler Hicks-2
On Fri, Feb 07, 2020 at 08:41:26PM +0000, Tyler Hicks wrote:

> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
>  arch/x86/include/asm/setup.h                  |  2 -
>  .../config/amd64/config.common.amd64          |  1 -
>  debian.master/config/annotations              |  2 -
>  .../config/arm64/config.common.arm64          |  1 -
>  .../config/armhf/config.common.armhf          |  1 -
>  debian.master/config/i386/config.common.i386  |  1 -
>  drivers/input/misc/uinput.c                   |  1 -
>  drivers/tty/sysrq.c                           | 27 ++++-------
>  include/linux/input.h                         |  5 --
>  include/linux/sysrq.h                         |  8 +---
>  kernel/debug/kdb/kdb_main.c                   |  2 +-
>  security/Kconfig                              |  7 ---
>  security/lock_down.c                          | 47 -------------------
>  13 files changed, 12 insertions(+), 93 deletions(-)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Super-ack for all four flavors of this patch.

Acked-by: Sultan Alsawaf <[hidden email]>


ACK: [PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Kleber Souza
In reply to this post by Tyler Hicks-2
On 07.02.20 21:41, Tyler Hicks wrote:

> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
>  arch/x86/include/asm/setup.h                  |  2 -
>  .../config/amd64/config.common.amd64          |  1 -
>  debian.master/config/annotations              |  2 -
>  .../config/arm64/config.common.arm64          |  1 -
>  .../config/armhf/config.common.armhf          |  1 -
>  debian.master/config/i386/config.common.i386  |  1 -
>  drivers/input/misc/uinput.c                   |  1 -
>  drivers/tty/sysrq.c                           | 27 ++++-------
>  include/linux/input.h                         |  5 --
>  include/linux/sysrq.h                         |  8 +---
>  kernel/debug/kdb/kdb_main.c                   |  2 +-
>  security/Kconfig                              |  7 ---
>  security/lock_down.c                          | 47 -------------------
>  13 files changed, 12 insertions(+), 93 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


APPLIED: [PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Kleber Souza
In reply to this post by Tyler Hicks-2
On 07.02.20 21:41, Tyler Hicks wrote:

> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
>
>  arch/x86/include/asm/setup.h                  |  2 -
>  .../config/amd64/config.common.amd64          |  1 -
>  debian.master/config/annotations              |  2 -
>  .../config/arm64/config.common.arm64          |  1 -
>  .../config/armhf/config.common.armhf          |  1 -
>  debian.master/config/i386/config.common.i386  |  1 -
>  drivers/input/misc/uinput.c                   |  1 -
>  drivers/tty/sysrq.c                           | 27 ++++-------
>  include/linux/input.h                         |  5 --
>  include/linux/sysrq.h                         |  8 +---
>  kernel/debug/kdb/kdb_main.c                   |  2 +-
>  security/Kconfig                              |  7 ---
>  security/lock_down.c                          | 47 -------------------
>  13 files changed, 12 insertions(+), 93 deletions(-)
>

Applied to bionic/linux.

Thanks,
Kleber
