APPLIED: [PATCH v2 0/2][Cosmic] Fixes for module signature enforcement under lockdown
khalid.elmously at canonical.com
Thu Nov 8 06:36:09 UTC 2018
On 2018-10-29 09:50:01 , Seth Forshee wrote:
> BugLink: https://bugs.launchpad.net/bugs/1798863
> The following patches fix a couple of issues related to enforcment of
> module signatures when the kernel is in lockdown. One of these has been
> assigned CVE-2018-18653.
> Technically these are two separate issues, and it could be argued that
> they should have separate bugs and patch submissions. However one issue
> is masking the other, and fixing the CVE without the other fix could
> lead to regressions, so in my opinion it's better to handle them as a
> single issue.
> == SRU Justification ==
> Impact: An bug in the secure boot lockdown patches in the 18.10 kernel
> causes the results of module signature verification to be ignored,
> allowing modules with no signature or an invalid signature to be loaded.
> A second bug results in the MOK not being trusted for signing modules,
> but this bug has been masked by the first bug.
> Fix: These bugs should be fixed together to avoid regressions in dkms
> module loading under secure boot. First, fix the latter bug by trusting
> keys in the kernel's secondary keyring for module signing. Then fix the
> former bug by removing code related to trusting IMA signatures for
> loading modules under kernel lockdown.
> Test Case: Confirm the following behavior under kernel lockdown:
> 1) Unsigned modules cannot be loaded.
> 2) Modules signed with an untrusted key cannot be loaded.
> 3) Modules signed with the kernel's ephemeral build-time key can be
> 4) Modules signed with a MOK which has been enrolled with shim can be
> I have tested to verify these conditions with the proposed fixes.
> Regression Potential: This restores the behavior from previous Ubuntu
> releases, so no regressions are expected wrt those releases. In some
> cases modules that were loading under lockdown might no longer load, but
> this is the intended behavior.
> Changes since v1:
> - Use VERIFY_USE_SECONDARY_KEYRING instead of hard-coded value.
> - Remove CVE id from first patch.
> Seth Forshee (2):
> UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary
> keyring for module signing
> UBUNTU: SAUCE: (efi-lockdown) module: remove support for deferring
> module signature verification to IMA
> kernel/module.c | 16 ++++++----------
> kernel/module_signing.c | 3 ++-
> 2 files changed, 8 insertions(+), 11 deletions(-)
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
More information about the kernel-team