APPLIED: [PATCH v2 0/2][Cosmic] Fixes for module signature enforcement under lockdown
Khaled Elmously
khalid.elmously at canonical.com
Thu Nov 8 06:36:09 UTC 2018
On 2018-10-29 09:50:01, Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1798863
>
> The following patches fix a couple of issues related to enforcement of
> module signatures when the kernel is in lockdown. One of these has been
> assigned CVE-2018-18653.
>
> Technically these are two separate issues, and it could be argued that
> they should have separate bugs and patch submissions. However one issue
> is masking the other, and fixing the CVE without the other fix could
> lead to regressions, so in my opinion it's better to handle them as a
> single issue.
>
> == SRU Justification ==
>
> Impact: A bug in the secure boot lockdown patches in the 18.10 kernel
> causes the results of module signature verification to be ignored,
> allowing modules with no signature or an invalid signature to be loaded.
> A second bug results in the MOK not being trusted for signing modules,
> but this bug has been masked by the first bug.
>
> Fix: These bugs should be fixed together to avoid regressions in dkms
> module loading under secure boot. First, fix the latter bug by trusting
> keys in the kernel's secondary keyring for module signing. Then fix the
> former bug by removing code related to trusting IMA signatures for
> loading modules under kernel lockdown.
>
> Test Case: Confirm the following behavior under kernel lockdown:
>
> 1) Unsigned modules cannot be loaded.
>
> 2) Modules signed with an untrusted key cannot be loaded.
>
> 3) Modules signed with the kernel's ephemeral build-time key can be
> loaded.
>
> 4) Modules signed with a MOK which has been enrolled with shim can be
> loaded.
>
> I have tested to verify these conditions with the proposed fixes.
>
> Regression Potential: This restores the behavior from previous Ubuntu
> releases, so no regressions are expected wrt those releases. In some
> cases modules that were loading under lockdown might no longer load, but
> this is the intended behavior.
>
> Thanks,
> Seth
>
> Changes since v1:
> - Use VERIFY_USE_SECONDARY_KEYRING instead of hard-coded value.
> - Remove CVE id from first patch.
>
> ---
>
> Seth Forshee (2):
> UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary
> keyring for module signing
> UBUNTU: SAUCE: (efi-lockdown) module: remove support for deferring
> module signature verification to IMA
>
> kernel/module.c | 16 ++++++----------
> kernel/module_signing.c | 3 ++-
> 2 files changed, 8 insertions(+), 11 deletions(-)
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
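An added example, not part of the original thread or of the patches: since the cover letter notes that some modules which loaded under lockdown may stop loading once enforcement works, this Python sketch audits `.ko` files on disk for the kernel's appended-signature trailer and applies the same structural checks the kernel makes before verification. It does not verify the signature or decide whether the signing key is trusted; the function name `classify_module` and the sample inputs in the test are constructed for illustration.

```python
import struct
import sys

# Layout of a signed module file:
# [module ELF][PKCS#7 signature][struct module_signature][magic string]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# 3 pad bytes, then a big-endian 32-bit sig_len (12 bytes in total).
SIG_INFO = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2


def classify_module(blob: bytes) -> str:
    """Return 'unsigned', 'malformed' or 'signed' for a module image.

    'signed' only means the trailer is well formed; trust in the signing
    key is decided by the kernel's keyrings at load time.
    """
    if not blob.endswith(MAGIC):
        return "unsigned"
    body = blob[: -len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return "malformed"
    raw = body[-SIG_INFO.size:]
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(raw)
    remaining = len(body) - SIG_INFO.size
    if sig_len >= remaining:
        return "malformed"  # signature would cover the whole file or more
    if id_type != PKEY_ID_PKCS7:
        return "malformed"  # only PKCS#7 signatures are accepted
    if any((algo, hash_, signer_len, key_id_len)) or raw[5:8] != b"\0\0\0":
        return "malformed"  # these fields must be zero for PKCS#7
    return "signed"


if __name__ == "__main__":
    # Usage: python3 check_modsig.py /path/to/module.ko [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{classify_module(fh.read()):10s} {path}")
```

Modules reported as `unsigned` or `malformed` correspond to test case 1 above and should be re-signed with an enrolled MOK before the fixed kernel is deployed on Secure Boot systems.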