Bug#947021: marked as done (linux-image-4.19.0-6-amd64: root can lift kernel lockdown)
Your message dated Mon, 27 Apr 2020 04:00:09 + with message-id and subject line Bug#947021: fixed in linux 4.19.118-1 has caused the Debian Bug report #947021, regarding linux-image-4.19.0-6-amd64: root can lift kernel lockdown to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
947021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947021
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: src:linux
Version: 4.19.67-2+deb10u2
Severity: normal

Dear Maintainer,

echoing "x" into /proc/sysrq-trigger disables kernel lockdown, even though it shouldn't. Kernel lockdown is meant to create a barrier between root and the kernel that can only be broken with physical access to the system. But a bug in debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch allows root to easily circumvent this security measure:

    vagrant@buster:~$ cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown
    vagrant@buster:~$ sudo dmesg | grep locked
    [0.00] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
    vagrant@buster:~$ sudo sysctl kernel.sysrq=1
    kernel.sysrq = 1
    vagrant@buster:~$ sudo sh -c "echo x > /proc/sysrq-trigger"
    vagrant@buster:~$ sudo dmesg | tail
    [3.050592] vboxvideo :00:02.0: fb0: vboxdrmfb frame buffer device
    [3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for :00:02.0 on minor 0
    [3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
    [3.223529] Adding 1045500k swap on /dev/sda5. Priority:-2 extents:1 across:1045500k FS
    [5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
    [5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
    [ 42.660726] sysrq: SysRq :
    [ 42.660728] This sysrq operation is disabled from userspace.
    [ 42.660797] Disabling Secure Boot restrictions
    [ 42.660830] Lifting lockdown

I already reported this bug to Ubuntu at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851380 but it also affects Debian. (There's a bit more context and a patch in that bug report.)

Looking at the patch on salsa I think that this bug doesn't just exist in Buster, but that's the version I used to test it.

Best regards,
Niklas Sombert

-- Package-specific info:

** Version:
Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)

** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown

** Tainted: C (1024)
 * Module from drivers/staging has been loaded.

** Kernel log:
[1.080252] Loading compiled-in X.509 certificates
[1.123039] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[1.123062] Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
[1.123095] zswap: loaded using pool lzo/zbud
[1.123659] AppArmor: AppArmor sha1 policy hashing enabled
[1.124095] rtc_cmos rtc_cmos: setting system clock to 2019-12-19 14:23:08 UTC (1576765388)
[1.124123] Lockdown: Hibernation is restricted; see https://wiki.debian.org/SecureBoot
[1.125951] Freeing unused kernel image memory: 1584K
[1.148274] Write protecting the kernel read-only data: 16384k
[1.150291] Freeing unused kernel image memory: 2028K
[1.150967] Freeing unused kernel image memory: 772K
[1.165327] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[1.165329] x86/mm: Checking user space page tables
[1.173508] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[1.173511] Run /init as init process
[1.274579] piix4_smbus :00:07.0: SMBus Host Controller at 0x4100, revision 0
[1.280038] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[1.280040] e1000: Copyright (c) 1999-2006 Intel Corporation.
[1.288044] SCSI subsystem initialized
[1.297356] FDC 0 is an 82078.
[1.306225] cryptd: max_cpu_qlen set to 1000
[1.317316] libata version 3.00 loaded.
[1.323785] ahci :00:0d.0: version 3.0
[1.324687] ahci :00:0d.0: SSS flag set, parallel bus scan disabled
[1.324882] ahci :00:0d.0: AHCI 0001.0100 32 slots 1 ports 3 Gbps 0x1 impl SATA mode
[1.324884] ahci :00:0d.0: flags: 64bit ncq stag only ccc
[1.325243] scsi host0: ahci
[1.325387] ata1: SATA max UDMA/133 abar m8192@0xf0804000 port 0xf0804100 irq 21
[1.336127] AVX2 version of gcm_enc/dec
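The dmesg excerpt in the report carries a usable detection signature: on a kernel booted with lockdown, a "Lifting lockdown" message that closely follows "This sysrq operation is disabled from userspace." means the /proc/sysrq-trigger path was taken rather than a physical keyboard SysRq. The following is an added example (not part of the report or the Debian kernel) that scans dmesg-style log lines for that pattern; the sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines from the bug report's dmesg output.
SAMPLE_DMESG = """\
[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
[    1.124123] Lockdown: Hibernation is restricted; see https://wiki.debian.org/SecureBoot
[   42.660726] sysrq: SysRq :
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown
"""

# Kernel log line: "[ <seconds since boot>] <message>"
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")


@dataclass
class LockdownEvent:
    timestamp: float
    message: str
    from_userspace: bool  # preceded by the "disabled from userspace" notice


def parse_dmesg(text):
    """Yield (timestamp, message) pairs, ignoring non-kernel-log lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("ts")), m.group("msg").strip()


def was_locked_down(text):
    """True if the kernel reported lockdown at boot."""
    return any(msg.startswith("Kernel is locked down") for _, msg in parse_dmesg(text))


def find_lockdown_lifts(text, window=1.0):
    """Return one LockdownEvent per 'Lifting lockdown' message.

    from_userspace is set when a 'disabled from userspace' notice appeared
    within `window` seconds before the lift: that is the sequence the report
    shows for the /proc/sysrq-trigger path, where the refusal was logged but
    lockdown was lifted anyway. A keyboard SysRq produces no such notice.
    """
    events, last_notice = [], None
    for ts, msg in parse_dmesg(text):
        if "This sysrq operation is disabled from userspace" in msg:
            last_notice = ts
        elif msg.startswith("Lifting lockdown"):
            from_user = last_notice is not None and 0 <= ts - last_notice <= window
            events.append(LockdownEvent(ts, msg, from_user))
    return events


if __name__ == "__main__":
    if was_locked_down(SAMPLE_DMESG):
        for ev in find_lockdown_lifts(SAMPLE_DMESG):
            path = "userspace (/proc/sysrq-trigger)" if ev.from_userspace else "console SysRq"
            print(f"ALERT: lockdown lifted at {ev.timestamp:.6f}s via {path}")
```

On a live host the same functions can be fed the output of `dmesg` or `journalctl -k -o short-monotonic`, whose lines use the same bracketed timestamp prefix.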
Bug#947021: marked as done (linux-image-4.19.0-6-amd64: root can lift kernel lockdown)

Your message dated Mon, 30 Mar 2020 08:10:09 + with message-id and subject line Bug#947021: fixed in linux 5.5.13-1 has caused the Debian Bug report #947021, regarding linux-image-4.19.0-6-amd64: root can lift kernel lockdown to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
947021: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947021
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems