ACK: [PATCH 0/1][SRU][B] Root can lift kernel lockdown via USB/IP (LP: #1861238)

Thu Feb 13 17:42:14 UTC 2020

On 07.02.20 21:41, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
> 
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
> 
> [Impact]
> 
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
> 
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
> 
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
> 
> [Test Case]
> 
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
> 
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
> 
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
> 
> [Regression Potential]
> 
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
> 
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
> 
> Tyler
> 
> Tyler Hicks (1):
>   Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
>     kernel lockdown"
> 
>  arch/x86/include/asm/setup.h                  |  2 -
>  .../config/amd64/config.common.amd64          |  1 -
>  debian.master/config/annotations              |  2 -
>  .../config/arm64/config.common.arm64          |  1 -
>  .../config/armhf/config.common.armhf          |  1 -
>  debian.master/config/i386/config.common.i386  |  1 -
>  drivers/input/misc/uinput.c                   |  1 -
>  drivers/tty/sysrq.c                           | 27 ++++-------
>  include/linux/input.h                         |  5 --
>  include/linux/sysrq.h                         |  8 +---
>  kernel/debug/kdb/kdb_main.c                   |  2 +-
>  security/Kconfig                              |  7 ---
>  security/lock_down.c                          | 47 -------------------
>  13 files changed, 12 insertions(+), 93 deletions(-)
> 

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>