Restrict xmon to read-only-mode if kernel is locked down
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
The Ubuntu-power-systems project | Fix Released | High | Ubuntu on IBM Power Systems Bug Triage | |
linux (Ubuntu) | Fix Released | High | Frank Heimes | |
Bug Description
This is a spin-off of LP 1855668 (see comment #11 there):
Please could you pick up (in addition to the issue still pending) commit
69393cb03ccd ("powerpc/xmon: Restrict when kernel is locked down").
From the pull-request that included it, the commit does the following:
- A change to xmon (our crash handler / pseudo-debugger) to restrict
it to read-only mode when the kernel is lockdown'ed, otherwise it's
trivial to drop into xmon and modify kernel data, such as the
lockdown state.
To exploit this you'd need to boot with command line including 'xmon=rw', as xmon isn't read-write by default on the Focal kernel, but that's not exactly a challenge. I have used this to drop down from lockdown=
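A defender-side check for the condition the bug description names, as an added example that is not part of the original report or the kernel patch: it flags a boot that requests `xmon=rw` while lockdown is active, so the installed kernel can be checked for commit 69393cb03ccd. The function names and sample inputs are constructed, and it assumes the kernel exposes its lockdown state in `/sys/kernel/security/lockdown`.

```sh
#!/bin/sh
# Added example: flag boots that request read-write xmon while lockdown is active.

# Active lockdown level from the text of /sys/kernel/security/lockdown,
# where the current level is bracketed: "none [integrity] confidentiality".
lockdown_level() {
    level=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p')
    printf '%s\n' "${level:-unknown}"
}

# Succeeds if any kernel command-line token is exactly xmon=rw.
# Assumption: any such token counts, whatever other xmon= tokens are present.
xmon_rw_requested() {
    for arg in $1; do
        if [ "$arg" = "xmon=rw" ]; then return 0; fi
    done
    return 1
}

# Verdict for one (command line, lockdown text) pair.
assess() {
    case "$(lockdown_level "$2")" in
        unknown) echo "unknown" ;;          # lockdown file missing or unparsable
        none)    echo "not-locked-down" ;;  # nothing for xmon to undo
        *)  if xmon_rw_requested "$1"; then
                echo "review"               # confirm the kernel carries 69393cb03ccd
            else
                echo "ok"
            fi ;;
    esac
}

# Read the live values; not called automatically.
audit_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    lockdown=$(cat /sys/kernel/security/lockdown 2>/dev/null || true)
    assess "$cmdline" "$lockdown"
}

# Constructed sample inputs, not captured from a real system.
assess "root=/dev/sda2 ro xmon=rw" "none [integrity] confidentiality"   # review
assess "root=/dev/sda2 ro xmon=rw" "[none] integrity confidentiality"   # not-locked-down
assess "root=/dev/sda2 ro quiet"   "none integrity [confidentiality]"   # ok
```

On a running system, call `audit_host`; a `review` result only says the boot asked for `xmon=rw` under lockdown, not whether the installed kernel already overrides it.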
CVE References
Changed in ubuntu-power-systems:
status: New → Triaged
importance: Undecided → High
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
Changed in linux (Ubuntu):
status: New → Triaged
importance: Undecided → High
assignee: nobody → Frank Heimes (fheimes)
summary:
- Restrict ppc64el xmon to read-only-mode if kernel is locked down
+ Restrict xmon to read-only-mode if kernel is locked down
tags:
added: verification-done-focal
removed: verification-needed-focal
Changed in ubuntu-power-systems:
status: Fix Committed → Fix Released
Patch request submitted: https://lists.ubuntu.com/archives/kernel-team/2020-February/thread.html#107526
changing status to 'In Progress'.