Your message dated Tue, 18 Jun 2019 10:52:03 +0000
with message-id <[email protected]>
and subject line Bug#929583: fixed in linux 4.19.37-4
has caused the Debian Bug report #929583,
regarding linux-image-5.0.0-trunk-amd64: Please build with CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
929583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929583
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:linux
Version: 5.0.2-1~exp1
Severity: severe

Please build Debian kernels with CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ enabled.

I have a laptop with UEFI Secure Boot support. I dual-boot Windows and I
also want to use Secure Boot to make sure that Debian kernels are running.
Beyond that, I'd like no restrictions on my own ability to develop kernel
modules without having to reboot to disable Secure Boot, or having to build
my own kernels with my own keys and also having to figure out how to sign
and load kernel modules just to fix bugs. (It also seems dubious to be
signing half-finished modules, which haven't been vetted for security,
during the development process.)

Currently, on systems with Secure Boot enabled, it is difficult or
impossible to build and load custom kernel modules without disabling UEFI
Secure Boot entirely.

The ostensible purpose of UEFI Secure Boot is to prevent unsigned,
malicious bootloaders from subverting the operating system without the
end-user's awareness. It can also be used by hardware manufacturers to lock
down machines against users who wish to load their own kernel modules, but
that purpose is not compatible with Debian's Social Contract ("4. Our
priorities are our users and free software"), and Debian should not be
complicit in this. IMO if Debian is shipping Secure Boot-compatible signed
kernels at all, Debian must also provide end-users with the ability to load
their own kernel-mode code with Secure Boot enabled. shim, which is signed
by Microsoft, already allows users to load keys (and thus execute arbitrary
kernel-mode code) once the user has given their affirmative consent to do
so. Nothing should stop Debian from doing likewise, and that's what the
ALLOW_LOCKDOWN_LIFT_BY_SYSRQ config option does.

The upstream kernel maintainers have expressed opposition to tying UEFI
Secure Boot to lockdown mode in the first place, and much of the
justification for supporting Secure Boot -> Lockdown in a FOSS kernel at
all has been that this sysrq key combination would be available to users.
Currently, this is not the case in Debian signed kernels.

Since buster reportedly will ship signed kernels, and since I believe the
status quo violates the Social Contract (and that it would be a shame if
buster shipped in a form that allowed Debian-signed kernels to be used to
help hardware manufacturers assert control over end-users on their own
hardware), I have marked this bug with a release-critical severity.

-- Package-specific info:
** Version:
Linux version 5.0.0-trunk-amd64 ([email protected]) (gcc version 8.3.0 (Debian 8.3.0-3)) #1 SMP Debian 5.0.2-1~exp1 (2019-03-18)

** Model information
sys_vendor: LENOVO
product_name: 20MUCTO1WW
product_version: ThinkPad A485
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: R0WET48W (1.16 )
board_vendor: LENOVO
board_name: 20MUCTO1WW
board_version: SDK0J40697 WIN

** Loaded modules:
cpuid ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs dm_snapshot dm_bufio cmac rfcomm bnep vmw_vsock_vmci_transport vsock vmw_vmci pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) ctr ccm devlink nf_tables nfnetlink squashfs overlay cpufreq_userspace cpufreq_powersave cpufreq_conservative edac_mce_amd kvm_amd ccp kvm binfmt_misc btusb btrtl btbcm uvcvideo hid_multitouch nls_ascii btintel nls_cp437 vfat fat bluetooth videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev media drbg ansi_cprng ecdh_generic irqbypass joydev efi_pstore snd_hda_codec_realtek snd_hda_codec_generic arc4 snd_hda_codec_hdmi bfq efivars serio_raw r8822be(C) snd_hda_intel tpm_crb sg wmi_bmof snd_hda_codec k10temp snd_hda_core mac80211 snd_hwdep sp5100_tco thinkpad_acpi snd_pcm nvram tpm_tis snd_timer ledtrig_audio snd ipmi_devintf rtsx_pci_ms tpm_tis_core cfg80211 ipmi_msghandler ucsi_acpi typec_ucsi soundcore memstick tpm typec rfkill rng_core ext4 ac battery crc16 mbcache jbd2 crc32c_generic fscrypto pcc_cpufreq evdev ecb acpi_cpufreq loop cuse vmwgfx fuse parport_pc ppdev lp parport efivarfs ip_tables x_tables autofs4 btrfs zstd_decompress zstd_compress algif_skcipher af_alg hid_generic usbhid hid dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear md_mod sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel rtsx_pci_sdmmc ghash_clmulni_intel mmc_core amdgpu aesni_intel chash gpu_sched i2c_algo_bit ahci ttm libahci aes_x86_64 crypto_simd cryptd xhci_pci drm_kms_helper libata glue_helper ehci_pci xhci_hcd psmouse ehci_hcd drm scsi_mod usbcore i2c_piix4 r8169 realtek libphy usb_common rtsx_pci wmi video i2c_scmi button

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-5.0.0-trunk-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.133
ii  kmod                                    26-1
ii  linux-base                              4.6

Versions of packages linux-image-5.0.0-trunk-amd64 recommends:
ii  apparmor             2.13.2-10
ii  firmware-linux-free  3.4
ii  irqbalance           1.5.0-4

Versions of packages linux-image-5.0.0-trunk-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  extlinux                3:6.04~git20190206.bf6db5b4+dfsg1-1
ii  grub-efi-amd64          2.02+dfsg1-18
pn  linux-doc-5.0           <none>

Versions of packages linux-image-5.0.0-trunk-amd64 is related to:
ii  firmware-amd-graphics     20190502-1
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
ii  firmware-brcm80211        20190502-1
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
ii  firmware-linux-nonfree    20190502-1
ii  firmware-misc-nonfree     20190502-1
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
ii  firmware-realtek          20190502-1
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information
--- End Message ---
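The report above turns on whether the shipped kernel configuration lets a user at the console lift lockdown. The following script is an added example, not part of the bug report or of the Debian kernel package: it reads a kernel .config and classifies it as "no-lockdown", "liftable" or "locked". CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is the symbol named in the report; the other symbols (CONFIG_LOCK_DOWN_KERNEL, CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, CONFIG_MAGIC_SYSRQ) and the Alt+SysRq+x chord are taken from the out-of-tree lockdown patch set Debian carried in 4.19 and are assumptions here. The two config fragments are constructed to mirror the "before" state the reporter saw and the "after" state of 4.19.37-4; they are not real Debian configs.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian kernel package):
# classify a kernel .config by whether lockdown is built in and whether a
# user at the keyboard can lift it with SysRq. Symbol names other than
# CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ are assumptions about the 4.19-era
# out-of-tree lockdown patch set.

# config_value FILE SYMBOL: print the symbol's value (y, n, m, ...) or
# "unset" when it is absent or appears only as "# SYMBOL is not set".
config_value() {
    val=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    printf '%s\n' "${val:-unset}"
}

# lockdown_lift_status FILE: print exactly one of
#   no-lockdown  lockdown is not compiled in at all
#   liftable     lockdown is compiled in and the SysRq lift is available
#   locked       lockdown is compiled in and nothing short of disabling
#                Secure Boot (or rebuilding the kernel) lifts it
lockdown_lift_status() {
    lockdown=$(config_value "$1" CONFIG_LOCK_DOWN_KERNEL)
    sysrq=$(config_value "$1" CONFIG_MAGIC_SYSRQ)
    lift=$(config_value "$1" CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ)
    if [ "$lockdown" != y ]; then
        echo no-lockdown
    elif [ "$sysrq" = y ] && [ "$lift" = y ]; then
        echo liftable
    else
        echo locked
    fi
}

# lockdown_report FILE: one-line human-readable summary, including whether
# lockdown is tied to booting under UEFI Secure Boot.
lockdown_report() {
    status=$(lockdown_lift_status "$1")
    efi=$(config_value "$1" CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT)
    case $status in
        no-lockdown)
            echo "lockdown not built in; Secure Boot does not restrict module loading" ;;
        liftable)
            echo "lockdown built in (tied to Secure Boot: $efi); liftable with Alt+SysRq+x at the console" ;;
        locked)
            echo "lockdown built in (tied to Secure Boot: $efi); NOT liftable, CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ missing" ;;
    esac
}

# Constructed sample fragments (not real Debian configs): the state the
# reporter complained about, and the state after the 4.19.37-4 change.
before_cfg=$(mktemp)
after_cfg=$(mktemp)
trap 'rm -f "$before_cfg" "$after_cfg"' EXIT
cat >"$before_cfg" <<'EOF'
CONFIG_MAGIC_SYSRQ=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
# CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ is not set
EOF
cat >"$after_cfg" <<'EOF'
CONFIG_MAGIC_SYSRQ=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ=y
EOF

echo "before (5.0.2-1~exp1 as reported): $(lockdown_report "$before_cfg")"
echo "after  (4.19.37-4):                $(lockdown_report "$after_cfg")"

# Against the running kernel, when Debian's /boot/config-* file is present.
running=/boot/config-$(uname -r)
if [ -r "$running" ]; then
    echo "running ($running): $(lockdown_report "$running")"
fi
```

The script only reports; it does not try to lift lockdown. The option exists to prove physical presence, so the lift is bound to a key chord typed at the console rather than to anything a script could write to /proc/sysrq-trigger. Whether the firmware actually booted with Secure Boot on, and therefore whether lockdown engaged at all, is a runtime question the config cannot answer; `mokutil --sb-state` and the kernel's boot messages are the places to confirm that on a live system.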
--- Begin Message ---
Source: linux
Source-Version: 4.19.37-4

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <[email protected]> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 17 Jun 2019 20:00:22 +0100
Source: linux
Architecture: source
Version: 4.19.37-4
Distribution: unstable
Urgency: high
Maintainer: Debian Kernel Team <[email protected]>
Changed-By: Ben Hutchings <[email protected]>
Closes: 929187 929366 929583
Changes:
 linux (4.19.37-4) unstable; urgency=high
 .
   [ Ben Hutchings ]
   * libbpf: Fix various build bugs:
     - Drop unnecessary changes from "libbpf: add SONAME to shared object"
     - libbpf: Use only 2 components in soversion, matching package name
       (Closes: #929187)
     - libbpf: Build out-of-tree
   * README.source: Document the various makefiles and use of out-of-tree
     builds
   * [x86] lockdown,sysrq: Enable ALLOW_LOCKDOWN_LIFT_BY_SYSRQ (Closes: #929583)
   * mwifiex: Fix possible buffer overflows at parsing bss descriptor
     (CVE-2019-3846)
   * mwifiex: Abort at too short BSS descriptor element
   * mwifiex: Don't abort on small, spec-compliant vendor IEs
   * mm/mincore.c: make mincore() more conservative (CVE-2019-5489)
   * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
     (CVE-2019-10126)
   * tcp: limit payload size of sacked skbs (CVE-2019-11477)
   * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478)
   * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479)
   * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
 .
   [ Romain Perier ]
   * [rt] Update to 4.19.37-rt20:
     - powerpc/pseries/iommu: Use a locallock instead local_irq_save()
     - powerpc: reshuffle TIF bits
     - tty/sysrq: Convert show_lock to raw_spinlock_t
     - drm/i915: Don't disable interrupts independently of the lock
     - sched/completion: Fix a lockup in wait_for_completion()
 .
   [ Salvatore Bonaccorso ]
   * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
   * brcmfmac: add subtype check for event handling in data path
     (CVE-2019-9503)
   * ext4: zero out the unused memory region in the extent tree block
     (CVE-2019-11833)
   * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
 .
   [ Aurelien Jarno ]
   * [mips] Correctly bounds check virt_addr_valid (Closes: #929366)
 .
   [ John Paul Adrian Glaubitz ]
   * [sparc64] udeb: Disable suffix for kernel-image
 .
   [ Alper Nebi Yasak ]
   * udeb: input-modules: Include all keyboard driver modules
   * [arm64] udeb: kernel-image: Include cros_ec_spi and SPI drivers
   * [arm64] udeb: kernel-image: Include phy-rockchip-pcie
   * [arm64] udeb: usb-modules: Include phy-rockchip-typec, extcon-usbc-cros-ec
   * [arm64] udeb: mmc-modules: Include phy-rockchip-emmc
   * [arm64] udeb: fb-modules: Include rockchipdrm, panel-simple, pwm_bl and
     pwm-cros-ec
Checksums-Sha1:
 dcf867c9dc110ea87230e9b58630970cfc9ee411 189124 linux_4.19.37-4.dsc
 ded214f43499ae130f9ff7a2972fd7f494ca2568 1241912 linux_4.19.37-4.debian.tar.xz
 9404c2b3d16287bb79b1efec7e87e2a5d073fd55 47317 linux_4.19.37-4_source.buildinfo
Checksums-Sha256:
 dc1b500e98085b5a29c9d3e82daba1d9114e15a159033ae5f50f38a652cd9dc2 189124 linux_4.19.37-4.dsc
 0c68371af4e95eb51af66020fc339fdbdef0c88dfbb6e087224e0515972efeec 1241912 linux_4.19.37-4.debian.tar.xz
 e52e5a1d71abcf1259e8dc408c49b813a03c307104ca7aafeadbe63fdfea4e09 47317 linux_4.19.37-4_source.buildinfo
Files:
 5b632121885d3906853df87d927bbe6f 189124 kernel optional linux_4.19.37-4.dsc
 c076916392da0a3c3aa6f64b8c233323 1241912 kernel optional linux_4.19.37-4.debian.tar.xz
 a4ee5796862e252bb0ed583edb892af9 47317 kernel optional linux_4.19.37-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErCspvTSmr92z9o8157/I7JWGEQkFAl0Iv4AACgkQ57/I7JWG
EQnypA/9FGqDiPSxXbf1ipqOQ7WqsVCwo2m8Dim9XH29FbAnNmqXfyGJZAIpDuIF
opK0NlLXHT/3Tyw2gNlvoofIlk7kBbObLSMm42sBqnPFRpu4QN7U0vh/gfwkFEN6
yb0pjD6F0CbXlauV8eYsGrhg9HbYXYIDzEIcxdPfEgpE4eXx8LDWDU2Q292dHlDC
YYnxQurEypoUxHAMAhgcjcP6ay9M5fMrodC9XbcHzuF3j/iyO8aIu0rjctiyWH6O
LtbUfBhI2cA13+Fy7UVWnh8ahyYVbm8QEb3qXM0URU8oW9VEcRWWXsyM99N0duM2
LCXOpjsPO4kOo2hC7U2/MG/opAh0Lt/An9rnspGoHjV3pi1BljmfUkqT1JVQ7OoG
fSs9+zzjaushpm0yUxhzujc2ViUS/6OixP3pQojuTBgpgkELMgIUOnWj9Zjpt3gF
t8Ne7YGPrpJHKJUJG9TJbfJ77AQm8xR3AlshvTOH5SQGl3Kf8EemsMWpcHcETJbs
cRFELY/B1ug67Upvx+boOJLWPeoZV0pL6JqPj6s/K/YLDFuS2opKJx2HHy8R0rRy
lhEiHLZYw4MACyIce5ejYNQm7iBYRd9nnRMPu8wpg6DpmWoKtUUdv3co2B7REps7
46fgUY/q6wiP6/5zrVtYpA753f2LOmgttdGwUHC+OUlVAVyGcKQ=
=1jQi
-----END PGP SIGNATURE-----
--- End Message ---