APPLIED: [PATCH 0/2][SRU][B/D/E] Don't allow lifting of lockdown via /proc/sysrq-trigger

Khaled Elmously khalid.elmously at
Thu Nov 7 01:06:27 UTC 2019

On 2019-11-05 14:35:03 , Seth Forshee wrote:
> BugLink:
> SRU Justification
> Impact: The kernel lockdown support adds a sysrq to allow a physically
> present user to disable lockdown from the keyboard. A bug in the
> implementation makes it possible to also lift lockdown by writing to
> /proc/sysrq-trigger.
> Fix: Correct the logic to disallow disabling lockdown via
> /proc/sysrq-trigger.
> Test Case: Write "x" to /proc/sysrq-trigger. When working properly there
> should be no messages in dmesg about lifting lockdown, and lockdown
> restrictions (e.g. loading unsigned modules) should remain in effect.
> Regression Potential: Anyone using /proc/sysrq-trigger to disable
> lockdown will no longer be able to do so. Implementation bugs could
> prevent use of the sysrq from the keyboard from disabling lockdown, but
> this has been confrimed to still work with the fix in place.
> Note that xenial uses an older implementation of these patches which
> does not have any sysrq mechanism for lifting lockdown, and thus it is
> not affected.
> Thanks,
> Seth
> -- 
> kernel-team mailing list
> kernel-team at

More information about the kernel-team mailing list