[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-04-06 11:28 EDT---

I tested the PPA kernel patch which links secureboot with lockdown.

When secureboot is disabled:

ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality

When secureboot is enabled:

ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality

It does move to integrity lockdown mode.

Daniel helped with testing the lockdown functionality itself in the secureboot enabled state. Here are his test results:

xmon is in read-only mode.

54:mon> ls is_ppc_secureboot_enabled
is_ppc_secureboot_enabled: c0085430
54:mon> b c0085430
Operation disabled: xmon in read-only mode
54:mon>

/dev/mem is blocked:

root@ltc-wspoon13:/boot# cat /dev/mem
cat: /dev/mem: Operation not permitted
root@ltc-wspoon13:/boot# dmesg|tail
...
[  991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

He also ensured that kexec load is disabled and that it can boot successfully to a signed kernel if the key is present in the keyring.

Thanks to Daniel for the linking patch between secureboot and lockdown, and also for the quick testing of lockdown itself. Thanks to the Canonical team for respinning the kernel with the updated patch from Daniel. Thanks to Michael for his support throughout this work.

Thanks & Regards,
  - Nayna

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668

Title:
  lockdown on power

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1855668/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
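The checks above (reading the active mode from /sys/kernel/security/lockdown and spotting "Lockdown:" denials in dmesg) can be scripted for regression testing. The following is an added example written for this thread, not code from the bug report or from the kernel; the log lines it parses are constructed from the format shown in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread): helpers to read the lockdown mode
# from the contents of /sys/kernel/security/lockdown and to extract
# "Lockdown: <comm>: <what> is restricted" denials from kernel log text.

# Print the active mode, i.e. the word wrapped in [ ] in the lockdown file.
# Usage: lockdown_mode "$(cat /sys/kernel/security/lockdown)"
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Numeric rank of a mode, loosest to strictest; -1 for anything unknown.
lockdown_rank() {
    case "$1" in
        none) echo 0 ;;
        integrity) echo 1 ;;
        confidentiality) echo 2 ;;
        *) echo -1 ;;
    esac
}

# Succeed when the actual mode ($2) is at least as strict as the expected
# one ($1), e.g. "integrity" expected once secure boot is enabled.
lockdown_at_least() {
    [ "$(lockdown_rank "$1")" -ge 0 ] &&
        [ "$(lockdown_rank "$2")" -ge "$(lockdown_rank "$1")" ]
}

# Print one "comm|what" line per lockdown denial found in kernel log text.
lockdown_denials() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Lockdown: \([^:]*\): \(.*\) is restricted; see man kernel_lockdown\.7.*$/\1|\2/p'
}

# Constructed sample dmesg excerpt in the format quoted in the thread.
SAMPLE_DMESG='[  991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
[    0.265197] Could not create tracefs set_ftrace_pid entry
[    0.265247] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7'

# When run on a real machine, report the live mode as well.
if [ -r /sys/kernel/security/lockdown ]; then
    echo "active lockdown mode: $(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
fi
echo "denials in sample log:"
lockdown_denials "$SAMPLE_DMESG"
```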
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From daniel.axte...@ibm.com 2020-04-06 09:26 EDT---

Hi,

This works as expected on a machine with secure boot disabled in hardware:

dja@talos2:~$ uname -a
Linux talos2 5.4.0-21-generic #25+lp1866909v202004031128-Ubuntu SMP Fri Apr 3 18:38:30 UTC 202 ppc64le ppc64le ppc64le GNU/Linux
dja@talos2:~$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality

I don't have access to a system with end-to-end secure boot enabled - Nayna will post test results for that.

Kind regards,
Daniel
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-03-27 11:17 EDT---

Hi,

Thanks for the quick response. I have one question based on your statement - "prior to 20.04 the secure-boot lockdown in Ubuntu was largely based on Matthew Garrett patch set."

Q. Is the lockdown enabled during build? And if yes, in which mode, INTEGRITY or CONFIDENTIALITY?

Thanks & Regards,
  - Nayna
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2020-03-27 10:03 EDT---

I would like to understand, with the new lockdown patches upstreamed now:

* Is Ubuntu still going to carry a patch linking secureboot with lockdown? If yes, would you be doing the same for powerpc?
* Is Ubuntu going to enable lockdown during build time? If yes, then in which mode - INTEGRITY or CONFIDENTIALITY?

Thanks & Regards,
  - Nayna
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From daniel.axte...@ibm.com 2020-02-17 00:27 EDT---

Hi,

I'm sorry, I thought I had already mentioned this but it was a case of me getting projects and teams mixed up. Please could you pick up (in addition to the issue still pending) commit 69393cb03ccd ("powerpc/xmon: Restrict when kernel is locked down").

From the pull request that included it, the commit does the following:

- A change to xmon (our crash handler / pseudo-debugger) to restrict it to read-only mode when the kernel is lockdown'ed, otherwise it's trivial to drop into xmon and modify kernel data, such as the lockdown state.

To exploit this you'd need to boot with a command line including 'xmon=rw', as xmon isn't read-write by default on the Focal kernel, but that's not exactly a challenge.

I have used this to drop down from lockdown=confidentiality to lockdown=none on 5.4.0-14-generic #17-Ubuntu.

Regards,
Daniel
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From daniel.axte...@ibm.com 2020-02-16 22:34 EDT---

Hi,

I'm going to ask you to hold this open for a little bit - we're investigating internally another ppcism that may need additional lockdown support.

In the meantime I will test the kernel in -proposed.

Kind regards,
Daniel
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From mranw...@us.ibm.com 2020-02-10 01:28 EDT---

I tried this out with the latest kernel in proposed. It looks like the -14 kernel picked up commit a356646a56857c2e5ad875beec734d7145ecd49a and that got rid of the warns. I tried access to /dev/mem and got correct results.
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From daniel.axte...@ibm.com 2020-01-09 00:14 EDT---

Hi,

Apologies for the delay.

I installed the most recent kernel, modules and extra modules I could find from that PPA on a p8 kvm guest.

dja@dja-guest:~$ uname -a
Linux dja-guest 5.4.0-9-generic #12-Ubuntu SMP Mon Dec 16 22:32:07 UTC 2019 ppc64le ppc64le ppc64le GNU/Linux

The kernel boots fine with no additional command line options, but if booted with lockdown=confidentiality, it has a lot of issues.

Firstly, there are a flood of lines like

[0.265197] Could not create tracefs 'set_ftrace_pid' entry
[0.265247] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7

for various tracefs entries.

Then there are 2 splats:

[0.265868] Could not create tracefs 'set_graph_function' entry
[0.265931] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.266005] Could not create tracefs 'set_graph_notrace' entry
[0.266070] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.266145] ------------[ cut here ]------------
[0.266195] Could not register function stat for cpu 0
[0.266255] WARNING: CPU: 5 PID: 1 at kernel/trace/ftrace.c:987 ftrace_init_tracefs_toplevel+0x1e8/0x264
[0.266342] Modules linked in:
[0.266384] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.4.0-9-generic #12-Ubuntu
[0.266458] NIP: c1363430 LR: c136342c CTR: c0003fff8a00
[0.266532] REGS: c003fa67f890 TRAP: 0700 Not tainted (5.4.0-9-generic)
[0.266612] MSR: 80029033 CR: 28000244 XER: 2000
[0.266694] CFAR: c013aa5c IRQMASK: 0
GPR00: c136342c c003fa67fb20 c1a4bb00 002a
GPR04: 0001 02ca 300d0a7374617420
GPR08: 0003fbeb c18e3248 c18e3248 c11a3048
GPR12: c0003fff8a00 c00106c0
GPR16:
GPR20:
GPR24: c11afd48 c1a821e0 c19e6f90 c1464300
GPR28: c003f78fe910 c003fce14300
[0.267313] NIP [c1363430] ftrace_init_tracefs_toplevel+0x1e8/0x264
[0.267376] LR [c136342c] ftrace_init_tracefs_toplevel+0x1e4/0x264
[0.267439] Call Trace:
[0.267465] [c003fa67fb20] [c136342c] ftrace_init_tracefs_toplevel+0x1e4/0x264 (unreliable)
[0.267554] [c003fa67fbc0] [c136408c] tracer_init_tracefs+0x100/0x270
[0.267632] [c003fa67fc10] [c0010144] do_one_initcall+0x64/0x2b0
[0.267707] [c003fa67fce0] [c1334694] kernel_init_freeable+0x29c/0x3a0
[0.267783] [c003fa67fdb0] [c00106dc] kernel_init+0x24/0x148
[0.267846] [c003fa67fe20] [c000b648] ret_from_kernel_thread+0x5c/0x74
[0.267921] Instruction dump:
[0.267961] f95f0048 f93f0050 fb83 4af4eced 6000 2c23 4182ff30 3c62ff76
[0.268038] 7fa4eb78 38634288 4add75cd 6000 <0fe0> 7f83e378 4b0c08f1 6000
[0.268119] ---[ end trace fd202afb6f2e24ec ]---
[0.268170] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.268245] Could not create tracefs 'tracing_thresh' entry
[0.268295] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.268369] Could not create tracefs 'README' entry
[0.268420] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.268493] Could not create tracefs 'saved_cmdlines' entry
[0.268544] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.268619] Could not create tracefs 'saved_cmdlines_size' entry
[0.268681] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.268756] Could not create tracefs 'saved_tgids' entry
[0.271956] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.272038] Could not create tracefs 'dyn_ftrace_total_info' entry
[0.272102] Lockdown: swapper/0: use of tracefs is restricted; see man kernel_lockdown.7
[0.272178] Could not create tracefs 'funcgraph-overrun' entry
[0.272241] ------------[ cut here ]------------
[0.272292] Failed to create trace option: funcgraph-overrun
[0.272297] WARNING: CPU: 5 PID: 1 at kernel/trace/trace.c:8106 create_trace_option_files+0x2f0/0x330
[0.272446] Modules linked in:
[0.272484] CPU: 5 PID: 1 Comm: swapper/0 Tainted: G W 5.4.0-9-generic #12-Ubuntu
[0.272573] NIP: c02acf90 LR: c02acf8c CTR: ffee
[0.272647] REGS: c003fa67f840 TRAP: 0700 Tainted: G W (5.4.0-9-generic)
[0.272734] MSR: 80029033 CR: 28000280 XER: 2000
[0.272812] CFAR: c013aa5c IRQMASK: 0
[Bug 1855668] Comment bridged from LTC Bugzilla
--- Comment From naynj...@ibm.com 2019-12-15 12:11 EDT---

Daniel Axtens would be performing the testing and updating the results.