kernel does not honor mokx revocations, allowing kexec lockdown bypass

Bug #1918960 reported by Steve Beattie
Affects: linux (Ubuntu) | Status: Confirmed | Importance: Undecided | Assigned to: Unassigned | Milestone: (empty)

Bug Description

All kernels do not honor mokx certificate revocations, and thus do not honor the 2012 certificate revocation, nor the post-2017 certificate-signed kernels that allow acpi bypass. This can allow bypass of lockdown restrictions.
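A check for the condition this report describes, added here as an example (it is not code from the bug report, from the reporter, or from Ubuntu): it parses MokListXRT, which shim stores as a chain of EFI_SIGNATURE_LIST structures in the same encoding as dbx, derives the `bin:`/`tbs:` key descriptions the kernel's UEFI blacklist loader registers in the `.blacklist` keyring, and reports which ones the running kernel did not register. The sample variable contents, the fake certificate DER and the `keyctl` output are constructed. The `tbs:` form for X.509 entries is an assumption: it mirrors how dbx EFI_CERT_X509_SHA256 entries are blacklisted (by hash of the TBSCertificate) and takes SHA-256 as the digest; a kernel that instead loads the certificate itself into `.blacklist` as an asymmetric key shows a different description and would need matching by certificate.

```python
"""Compare MokListXRT (shim's MOK blacklist) with the kernel's .blacklist keyring."""
import hashlib
import os
import struct
import subprocess
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_X509_SHA256_GUID = uuid.UUID("3bd2a492-96c0-4079-b5c6-a8bf7d8d8e22")
# shim's variable GUID; efivarfs exposes MokListXRT under this name.
MOKX_EFIVAR = "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"


def parse_siglists(blob):
    """Return [(sig_type, owner, signature_data), ...] for every entry in a blob of
    consecutive EFI_SIGNATURE_LIST structures, rejecting inconsistent sizes."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body, end = off + 28 + hdr_size, off + list_size
        if sig_size < 16 or end > len(blob) or body > end or (end - body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for p in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=bytes(blob[p:p + 16]))
            entries.append((sig_type, owner, bytes(blob[p + 16:p + sig_size])))
        off = end
    return entries


def _der_tlv_len(buf, i):
    """(header length, content length) of the DER TLV starting at buf[i]."""
    first = buf[i + 1]
    if first < 0x80:
        return 2, first
    n = first & 0x7f
    return 2 + n, int.from_bytes(buf[i + 2:i + 2 + n], "big")


def x509_tbs(der):
    """tbsCertificate TLV (tag, length and value) of a DER certificate, the byte
    range hashed for a 'tbs:' blacklist entry (assumption, see lead-in)."""
    if der[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    h, n = _der_tlv_len(der, 0)
    inner = der[h:h + n]
    if not inner or inner[0] != 0x30:
        raise ValueError("tbsCertificate SEQUENCE missing")
    h2, n2 = _der_tlv_len(inner, 0)
    return inner[:h2 + n2]


def blacklist_descriptions(entries):
    """Key descriptions the kernel's UEFI loader uses in .blacklist: 'bin:<sha256>'
    for EFI_CERT_SHA256 entries and 'tbs:<hash>' for certificate entries."""
    descs = []
    for sig_type, _owner, data in entries:
        if sig_type == EFI_CERT_SHA256_GUID:
            descs.append("bin:" + data.hex())
        elif sig_type == EFI_CERT_X509_SHA256_GUID:
            descs.append("tbs:" + data[:32].hex())  # EFI_CERT_X509_SHA256.ToBeSignedHash
        elif sig_type == EFI_CERT_X509_GUID:
            descs.append("tbs:" + hashlib.sha256(x509_tbs(data)).hexdigest())  # assumed form
        else:
            descs.append("unknown:" + str(sig_type))
    return descs


def keyring_descriptions(keyctl_output):
    """Descriptions of blacklist-type keys in `keyctl list %:.blacklist` output."""
    descs = set()
    for line in keyctl_output.splitlines():
        if "blacklist: " in line:
            descs.add(line.split("blacklist: ", 1)[1].strip())
    return descs


def missing_revocations(mokx_blob, keyctl_output):
    """mokx entries the kernel did not register; non-empty means a kernel signed by a
    revoked certificate (or a revoked binary) would still pass the blacklist check."""
    expected = set(blacklist_descriptions(parse_siglists(mokx_blob)))
    return sorted(expected - keyring_descriptions(keyctl_output))


def build_siglist(sig_type, entries, owner=uuid.UUID(int=0)):
    """Serialize one EFI_SIGNATURE_LIST with no signature header (sample-data helper)."""
    size = len(entries[0])
    if any(len(e) != size for e in entries):
        raise ValueError("all entries in one list must share SignatureSize")
    body = b"".join(owner.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + size) + body


# Constructed sample (not a real MokListXRT): one revoked binary hash and one minimal
# DER blob shaped like a certificate, SEQUENCE { SEQUENCE { INTEGER 1 }, NULL }.
REVOKED_BIN = hashlib.sha256(b"old shim image (constructed)").digest()
FAKE_CERT_DER = bytes.fromhex("300730030201010500")
SAMPLE_MOKX = (build_siglist(EFI_CERT_SHA256_GUID, [REVOKED_BIN])
               + build_siglist(EFI_CERT_X509_GUID, [FAKE_CERT_DER]))
# Constructed `keyctl list %:.blacklist` output: the hash was loaded, the cert was not.
SAMPLE_KEYCTL = ("1 key in keyring:\n"
                 f" 123456789: ---lswrv     0     0 blacklist: bin:{REVOKED_BIN.hex()}\n")


def read_live_mokx():
    """MokListXRT payload from efivarfs (first 4 bytes are the variable attributes)."""
    if not os.path.exists(MOKX_EFIVAR):
        return None
    with open(MOKX_EFIVAR, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    live = read_live_mokx()
    if live is None:
        print("no MokListXRT here; sample run:", missing_revocations(SAMPLE_MOKX, SAMPLE_KEYCTL))
    else:
        try:
            out = subprocess.run(["keyctl", "list", "%:.blacklist"],
                                 capture_output=True, text=True, check=False).stdout
        except FileNotFoundError:
            raise SystemExit("keyctl (keyutils) is required to read the .blacklist keyring")
        print("missing from .blacklist:", missing_revocations(live, out) or "none")
```

On a machine where shim had to split the blacklist across several variables (MokListXRT0, MokListXRT1, ...), concatenate their payloads before calling `missing_revocations`; the parser accepts any number of consecutive signature lists. An empty result only shows the entries were registered, not that kexec enforces them: under lockdown the kernel must also reject a kexec image whose signature chains to a blacklisted certificate, which is the behaviour this bug reports as broken.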

Steve Beattie (sbeattie)
summary: - placeholder
+ kernel does not honor mokx revocations, allowing kexec lockdown bypass
description: updated
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1918960

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) wrote :

https://<email address hidden>/ is still not upstream.

https://<email address hidden>/ may also be worth watching.

Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Steve Beattie (sbeattie) wrote :

This has been addressed in Ubuntu kernels derived from upstream 5.4 and later. 4.15 kernels and older still need to be addressed.

This report contains Public Security information  