APPLIED/cmnt: [PATCH 0/1][SRU][D] Root can lift kernel lockdown via USB/IP (LP: #1861238)
Kleber Souza
kleber.souza at canonical.com
Fri Feb 14 10:36:18 UTC 2020
On 07.02.20 21:40, Tyler Hicks wrote:
> BugLink: https://bugs.launchpad.net/bugs/1861238
>
> I've tested this patch by building a test kernel, generating and
> enrolling a Machine Owner Key, signing the test kernel and modules, and
> rebooting into the test kernel. Then I followed the [Test Case]
> documented below and then I verified that pressing alt-sysrq-x on my
> physical keyboard also resulted in the sysrq help message.
>
> [Impact]
>
> It's possible to turn off kernel lockdown by emulating a USB keyboard
> via USB/IP and sending an Alt+SysRq+X key combination through it.
>
> Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
> CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules
> provided in the linux-extra-modules-* package.
>
> See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip
>
> [Test Case]
>
> $ git clone https://github.com/xairy/unlockdown.git
> $ cd unlockdown/01-usbip/
> $ sudo ./run.sh
> $ dmesg
>
> # Ensure there are no log entries talking about lifting lockdown:
> sysrq: SysRq : Disabling Secure Boot restrictions
> Lifting lockdown
>
> # You should see a SysRq help log entry because the Alt+SysRq+X
> # combination should be disabled
> sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)
> terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i)
> thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l)
> show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p)
> show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u)
> force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
>
> [Regression Potential]
>
> Some users may see a usability regression due to the Lockdown lift sysrq
> combination being removed. Some users are known to disable lockdown,
> using the sysrq combination, in order to perform some "dangerous"
> operation such as writing to an MSR. It is believed that this is a small
> number of users but it is impossible to know for sure.
>
> Users that rely on this functionality may need to permanently disable
> secure boot using 'mokutil --disable-validation'.
>
> Tyler
>
> Tyler Hicks (1):
> Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift
> kernel lockdown"
>
> arch/x86/include/asm/setup.h | 2 -
> debian.master/config/annotations | 2 -
> debian.master/config/config.common.ubuntu | 1 -
> drivers/input/misc/uinput.c | 1 -
> drivers/tty/sysrq.c | 27 +++++--------
> include/linux/input.h | 5 ---
> include/linux/sysrq.h | 8 +---
> kernel/debug/kdb/kdb_main.c | 2 +-
> security/Kconfig | 10 -----
> security/lock_down.c | 47 -----------------------
> 10 files changed, 12 insertions(+), 93 deletions(-)
>
Applied to disco/linux, with Sultan's ACK sent on the other thread.
Thanks,
Kleber
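
The [Test Case] check on the dmesg output can be scripted. The following is an added example, not part of this thread or of the patch: it classifies kernel log text using the log messages quoted above. The function names and the sample log lines (including their timestamps) are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify kernel log text after running the [Test Case].
# Function and variable names are hypothetical; sample logs are constructed.

# Reads kernel log text on stdin and prints one verdict:
#   lifted        a lockdown-lift entry is present (kernel without the revert)
#   sysrq-x-off   only the SysRq HELP entry is present (expected with the revert)
#   inconclusive  neither entry found (test not run, or entries rotated out)
classify_lockdown_log() {
    awk '
        /Disabling Secure Boot restrictions/ || /Lifting lockdown/ { lifted = 1 }
        /sysrq: SysRq : HELP :/ { help = 1 }
        END {
            if (lifted)    print "lifted"
            else if (help) print "sysrq-x-off"
            else           print "inconclusive"
        }'
}

# Exit status 0 only when the log matches the expected post-fix behaviour.
lockdown_check() {
    [ "$(classify_lockdown_log)" = "sysrq-x-off" ]
}

# Constructed sample logs (timestamps invented; messages as quoted in the mail).
SAMPLE_FIXED='[  812.640] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'
SAMPLE_UNFIXED='[  812.640] sysrq: SysRq : Disabling Secure Boot restrictions
[  812.641] Lifting lockdown'
# A lift entry wins even if a HELP entry is also in the buffer.
SAMPLE_MIXED="$SAMPLE_FIXED
$SAMPLE_UNFIXED"

for name in FIXED UNFIXED MIXED; do
    eval "text=\$SAMPLE_$name"
    printf '%-8s %s\n' "$name" "$(printf '%s\n' "$text" | classify_lockdown_log)"
done

# On a test machine, after ./run.sh:  dmesg | lockdown_check && echo PASS
```

An "inconclusive" verdict means the PoC's key combination never reached the sysrq handler or the entries are no longer in the ring buffer, so it should not be read as a pass.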