[PATCH 0/1][SRU][E] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Tyler Hicks tyhicks at canonical.com
Fri Feb 7 20:40:04 UTC 2020

BugLink: https://bugs.launchpad.net/bugs/1861238

I've tested this patch by building a test kernel, generating and
enrolling a Machine Owner Key, signing the test kernel and modules, and
rebooting into the test kernel. Then I followed the [Test Case]
documented below and then I verified that pressing alt-sysrq-x on my
physical keyboard also resulted in the sysrq help message.


It's possible to turn off kernel lockdown by emulating a USB keyboard
via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

$ git clone https://github.com/xairy/unlockdown.git
$ cd unlockdown/01-usbip/
$ sudo ./run.sh
$ dmesg

# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown

# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq
combination being removed. Some users are known to disable lockdown,
using the sysrq combination, in order to perform some "dangerous"
operation such as writing to an MSR. It is believed that this is a small
number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable
secure boot using 'mokutil --disable-validation'.


Tyler Hicks (1):
  Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
    kernel lockdown"

 arch/x86/include/asm/setup.h              |  2 -
 debian.master/config/annotations          |  1 -
 debian.master/config/config.common.ubuntu |  1 -
 drivers/input/misc/uinput.c               |  1 -
 drivers/tty/sysrq.c                       | 27 +++++--------
 include/linux/input.h                     |  5 ---
 include/linux/sysrq.h                     |  8 +---
 kernel/debug/kdb/kdb_main.c               |  2 +-
 security/Kconfig                          | 10 -----
 security/lock_down.c                      | 47 -----------------------
 10 files changed, 12 insertions(+), 92 deletions(-)


More information about the kernel-team mailing list