Public bug reported:
This is a spin off of LP 1855668 (see comment #11 there:)
Please could you pick up (in addition to the issue still pending) commit
69393cb03ccd ("powerpc/xmon: Restrict when kernel is locked down").
>From the pull-request that included it, the commit does the following:
- A change to xmon (our crash handler / pseudo-debugger) to restrict
it to read-only mode when the kernel is lockdown'ed, otherwise it's
trivial to drop into xmon and modify kernel data, such as the
lockdown state.
To exploit this you'd need to boot with command line including
'xmon=rw', as xmon isn't read-write by default on the Focal kernel, but
that's not exactly a challenge. I have used this to drop down from
lockdown=confidentiality to lockdown=none on 5.4.0-14-generic #17-Ubuntu
** Affects: ubuntu-power-systems
Importance: High
Assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Status: Triaged
** Affects: linux (Ubuntu)
Importance: High
Assignee: Frank Heimes (fheimes)
Status: Triaged
** Tags: ppc64el
** Also affects: ubuntu-power-systems
Importance: Undecided
Status: New
** Changed in: ubuntu-power-systems
Status: New => Triaged
** Changed in: ubuntu-power-systems
Importance: Undecided => High
** Changed in: ubuntu-power-systems
Assignee: (unassigned) => Ubuntu on IBM Power Systems Bug Triage
(ubuntu-power-triage)
** Changed in: linux (Ubuntu)
Status: New => Triaged
** Changed in: linux (Ubuntu)
Importance: Undecided => High
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Frank Heimes (fheimes)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1863562
Title:
Restrict ppc64el xmon to read-only-mode if kernel is locked down
Status in The Ubuntu-power-systems project:
Triaged
Status in linux package in Ubuntu:
Triaged
Bug description:
This is a spin off of LP 1855668 (see comment #11 there:)
Please could you pick up (in addition to the issue still pending) commit
69393cb03ccd ("powerpc/xmon: Restrict when kernel is locked down").
From the pull-request that included it, the commit does the following:
- A change to xmon (our crash handler / pseudo-debugger) to restrict
it to read-only mode when the kernel is lockdown'ed, otherwise it's
trivial to drop into xmon and modify kernel data, such as the
lockdown state.
To exploit this you'd need to boot with command line including
'xmon=rw', as xmon isn't read-write by default on the Focal kernel,
but that's not exactly a challenge. I have used this to drop down from
lockdown=confidentiality to lockdown=none on 5.4.0-14-generic
#17-Ubuntu
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1863562/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
