[PATCH 0/2][Cosmic] Fixes for module signature enforcement under lockdown

Seth Forshee seth.forshee at canonical.com
Fri Oct 26 17:55:14 UTC 2018

BugLink: https://bugs.launchpad.net/bugs/1798863

The following patches fix a couple of issues related to enforcement of
module signatures when the kernel is in lockdown. One of these has been
assigned CVE-2018-18653.

Technically these are two separate issues, and it could be argued that
they should have separate bugs and patch submissions. However one issue
is masking the other, and fixing the CVE without the other fix could
lead to regressions, so in my opinion it's better to handle them as a
single issue.

== SRU Justification ==

Impact: A bug in the secure boot lockdown patches in the 18.10 kernel
causes the results of module signature verification to be ignored,
allowing modules with no signature or an invalid signature to be loaded.
A second bug results in the MOK not being trusted for signing modules,
but this bug has been masked by the first bug.

Fix: These bugs should be fixed together to avoid regressions in dkms
module loading under secure boot. First, fix the latter bug by trusting
keys in the kernel's secondary keyring for module signing. Then fix the
former bug by removing code related to trusting IMA signatures for
loading modules under kernel lockdown.

Test Case: Confirm the following behavior under kernel lockdown:

  1) Unsigned modules cannot be loaded.

  2) Modules signed with an untrusted key cannot be loaded.

  3) Modules signed with the kernel's ephemeral build-time key can be

  4) Modules signed with a MOK which has been enrolled with shim can be

I have tested to verify these conditions with the proposed fixes.

Regression Potential: This restores the behavior from previous Ubuntu
releases, so no regressions are expected wrt those releases. In some
cases modules that were loading under lockdown might no longer load, but
this is the intended behavior.



Seth Forshee (2):
  UBUNTU: SAUCE: (efi-lockdown) module: trust keys from secondary
    keyring for module signing
  UBUNTU: SAUCE: (efi-lockdown) module: remove support for deferring
    module signature verification to IMA

 kernel/module.c         | 16 ++++++----------
 kernel/module_signing.c |  2 +-
 2 files changed, 7 insertions(+), 11 deletions(-)
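
For preparing the modules used in the test case above, the following added example (not part of the original message or of the Ubuntu patches) classifies a module image by its appended-signature trailer, i.e. the kernel's `struct module_signature` followed by the magic string. The function names and the sample byte strings are constructed for illustration, and no signature is cryptographically verified.

```python
import struct

# Trailer layout used for appended module signatures:
#   <module ELF> <PKCS#7 signature> <struct module_signature> <MAGIC>
MAGIC = b"~Module signature appended~\n"
SIG_INFO = struct.Struct(">5B3xI")  # algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
PKEY_ID_PKCS7 = 2


def inspect_module(blob: bytes) -> dict:
    """Classify a module image by its trailer only; no signature is verified."""
    if not blob.endswith(MAGIC):
        return {"state": "unsigned"}
    body = blob[:-len(MAGIC)]
    if len(body) < SIG_INFO.size:
        return {"state": "malformed", "reason": "truncated signature info"}
    algo, hash_, id_type, signer_len, key_id_len, sig_len = SIG_INFO.unpack(
        body[-SIG_INFO.size:])
    remaining = len(body) - SIG_INFO.size
    if sig_len == 0 or sig_len >= remaining:
        return {"state": "malformed", "reason": "sig_len out of range"}
    if id_type != PKEY_ID_PKCS7 or any((algo, hash_, signer_len, key_id_len)):
        return {"state": "malformed", "reason": "not a PKCS#7 trailer"}
    return {"state": "signed-unverified", "sig_len": sig_len,
            "payload_len": remaining - sig_len}


def append_trailer(payload: bytes, sig: bytes, id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Build a constructed sample image (the 'signature' bytes are filler)."""
    return payload + sig + SIG_INFO.pack(0, 0, id_type, 0, 0, len(sig)) + MAGIC


# Constructed sample inputs, not real modules.
FAKE_ELF = b"\x7fELF" + bytes(60)
SAMPLES = {
    "unsigned.ko": FAKE_ELF,
    "signed.ko": append_trailer(FAKE_ELF, b"\x30" * 64),
    "bad-length.ko": FAKE_ELF + SIG_INFO.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 4096) + MAGIC,
    "non-pkcs7.ko": append_trailer(FAKE_ELF, b"\x30" * 64, id_type=1),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:15} {inspect_module(blob)}")
```

Modules for test cases 2 to 4 all report `signed-unverified` on disk; whether a load succeeds depends on the signing key being in a keyring the kernel trusts, which only the load attempt under lockdown shows.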

