** Description changed:

+ [Impact]
+ It's possible to turn off kernel lockdown by emulating a USB keyboard via
+ USB/IP and sending an Alt+SysRq+X key combination through it. Ubuntu's
+ kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and
+ CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules provided
+ in the linux-extra-modules-* package. See the PoC here:
+ https://github.com/xairy/unlockdown#method-1-usbip
+ 
+ [Test Case]
+ 
+ $ git clone https://github.com/xairy/unlockdown.git
+ $ cd unlockdown/01-usbip/
+ $ sudo ./run.sh
+ $ dmesg
+ 
+ # Ensure there are no log entries talking about lifting lockdown:
+ sysrq: SysRq : Disabling Secure Boot restrictions
+ Lifting lockdown
+ 
+ # You should see a SysRq help log entry because the Alt+SysRq+X
+ # combination should be disabled
+ sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
+ 
+ [Regression Potential]
+ 
+ Some users may see a usability regression due to the Lockdown lift sysrq
+ combination being removed. Some users are known to disable lockdown,
+ using the sysrq combination, in order to perform some "dangerous"
+ operation such as writing to an MSR. It is believed that this is a small
+ number of users but it is impossible to know for sure.
+ 
+ Users that rely on this functionality may need to permanently disable
+ secure boot using 'mokutil --disable-validation'.
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861238

Title:
  Root can lift kernel lockdown via USB/IP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
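The test case above asks the tester to eyeball `dmesg` for two outcomes: the "Lifting lockdown" messages (vulnerable kernel) versus the SysRq HELP banner (fixed kernel, Alt+SysRq+X rejected). The script below is an added example, not part of the bug report and not from the unlockdown repository. It turns that manual check into a function that can be run over a saved copy of `dmesg` output, using only the log strings quoted in the test case, and adds a helper that reads the current lockdown mode from /sys/kernel/security/lockdown (the upstream lockdown LSM reports it as, for example, `none [integrity] confidentiality`; older Ubuntu lockdown patches may not expose this file, which the helper treats as "unavailable"). The sample log lines at the bottom are constructed for a stand-alone run, not real kernel output.

```shell
#!/bin/sh
# Added example: offline checker for the "Root can lift kernel lockdown via
# USB/IP" test case. Not from the bug report or the unlockdown PoC.
#
# Usage: save the log first, then point the checker at it:
#   sudo ./run.sh && dmesg > /tmp/dmesg.txt && verdict /tmp/dmesg.txt

# Returns 0 if the log records a lockdown lift (either message the test
# case tells you to look for), 1 otherwise.
lockdown_lifted() {
    grep -q 'Disabling Secure Boot restrictions' "$1" ||
        grep -q 'Lifting lockdown' "$1"
}

# Returns 0 if the kernel answered the key combination with the SysRq help
# banner, i.e. the 'x' command was not accepted, 1 otherwise.
sysrq_help_seen() {
    grep -q 'SysRq : HELP' "$1"
}

# Prints a one-line verdict for a saved dmesg file.
# Exit status: 0 = lockdown intact, 1 = lockdown lifted, 2 = no SysRq
# activity in the log (PoC probably did not run; check the vhci_hcd module
# and the USB/IP daemon before drawing any conclusion).
verdict() {
    if lockdown_lifted "$1"; then
        echo "FAIL: lockdown was lifted via SysRq"
        return 1
    elif sysrq_help_seen "$1"; then
        echo "PASS: Alt+SysRq+X rejected, lockdown intact"
        return 0
    else
        echo "INCONCLUSIVE: no SysRq activity in log"
        return 2
    fi
}

# Extracts the active mode from the securityfs lockdown file content,
# e.g. "none [integrity] confidentiality" -> "integrity". Takes the text as
# an argument so it can be exercised without the real file.
parse_lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'
}

# Reads the live mode, or prints "unavailable" when the kernel does not
# expose the upstream lockdown LSM interface (assumption: path as in 5.4+).
current_lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        parse_lockdown_mode "$(cat "$f")"
    else
        echo unavailable
    fi
}

# Stand-alone demo on constructed sample logs (not real dmesg output).
demo_vuln=$(mktemp)
demo_fixed=$(mktemp)
printf '%s\n' 'sysrq: SysRq : Disabling Secure Boot restrictions' \
               'Lifting lockdown' > "$demo_vuln"
printf '%s\n' 'sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)' \
               > "$demo_fixed"
verdict "$demo_vuln"  || true
verdict "$demo_fixed" || true
echo "current lockdown mode: $(current_lockdown_mode)"
rm -f "$demo_vuln" "$demo_fixed"
```

Run it on the real machine as `dmesg > /tmp/dmesg.txt; . ./check.sh; verdict /tmp/dmesg.txt` after executing the PoC. The INCONCLUSIVE path matters: an absent HELP banner does not prove the combination is disabled, only that no SysRq keystroke reached the kernel, so a clean log on a box where usbip_core never loaded is not a pass.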
