test_410_config_lock_down_kernel in ubuntu_kernel_security test failed on B/C/D KVM

Bug #1811981 reported by Po-Hsu Lin on 2019-01-16
Affects                  Status   Importance   Assigned to   Milestone
QA Regression Testing             Undecided    Unassigned
ubuntu-kernel-tests               Undecided    Po-Hsu Lin
linux-kvm (Ubuntu)                Undecided    Po-Hsu Lin
  Bionic                          Undecided    Po-Hsu Lin
  Cosmic                          Undecided    Po-Hsu Lin
  Disco                           Undecided    Po-Hsu Lin

Bug Description

== SRU Justification ==
The Security team requires CONFIG_LOCK_DOWN_KERNEL to be enabled in all of our kernels.

== Test ==
Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1811981-kvm-lockdown/
This issue can be verified with the test_410_config_lock_down_kernel
test from q-r-t; the test passes with the patched kernel.

== Regression Potential ==
Low, we already have this config enabled in the generic kernel.

== Original bug report ==
Kernel Version: 4.15.0-44.47

This test has passed on s390x / AMD64 / ARM64 / i386, but failed on Power8 and Power9.

FAIL: test_410_config_lock_down_kernel (__main__.KernelSecurityConfigTest)
Ensure kernel efi lockdown is enabled
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-kernel-security.py", line 2668, in test_410_config_lock_down_kernel
    self.assertKernelConfig('LOCK_DOWN_KERNEL', expected)
  File "./test-kernel-security.py", line 207, in assertKernelConfig
    self.assertKernelConfigSet(name)
  File "./test-kernel-security.py", line 194, in assertKernelConfigSet
    '%s option was expected to be set in the kernel config' % name)
AssertionError: LOCK_DOWN_KERNEL option was expected to be set in the kernel config
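The traceback above shows what the q-r-t test actually checks: assertKernelConfig('LOCK_DOWN_KERNEL', expected) ends up in assertKernelConfigSet, which requires the option to be present and enabled in the running kernel's config. The following is an added, self-contained example of that check (it is not code from the qa-regression-testing suite or from test-kernel-security.py); the function names, the config file lookup order and the two sample config texts are assumptions chosen for illustration.

```python
# Added example, not code from qa-regression-testing: a small re-implementation
# of the "is CONFIG_LOCK_DOWN_KERNEL set in the kernel config?" check that
# test_410_config_lock_down_kernel performs. Function names, the config file
# lookup order and the sample config texts below are assumptions.
import gzip
import os
import re

_CONFIG_LINE = re.compile(r'^(CONFIG_[A-Za-z0-9_]+)=(.*)$')
_NOT_SET_LINE = re.compile(r'^# (CONFIG_[A-Za-z0-9_]+) is not set$')


def parse_kernel_config(text):
    """Parse kernel .config text into {CONFIG_NAME: value}.

    Options that appear as '# CONFIG_X is not set' are stored with value 'n'
    so a caller can tell "explicitly disabled" from "unknown to this kernel".
    Other comment lines and blank lines are ignored.
    """
    config = {}
    for line in text.splitlines():
        line = line.strip()
        m = _CONFIG_LINE.match(line)
        if m:
            name, value = m.groups()
            config[name] = value.strip('"')
            continue
        m = _NOT_SET_LINE.match(line)
        if m:
            config[m.group(1)] = 'n'
    return config


def config_is_set(config, name):
    """Mirrors assertKernelConfigSet: the option (given without its CONFIG_
    prefix, as in assertKernelConfig('LOCK_DOWN_KERNEL', ...)) must be
    present and built in (=y)."""
    return config.get('CONFIG_' + name) == 'y'


def config_is_unset(config, name):
    """Counterpart for kernels where the option is expected to be absent or
    disabled: either missing entirely or '# ... is not set'."""
    return config.get('CONFIG_' + name, 'n') == 'n'


def check_option(config, name, expected):
    """Return (ok, message) in the same wording the q-r-t assertion uses."""
    if expected:
        ok = config_is_set(config, name)
        msg = '%s option was expected to be set in the kernel config' % name
    else:
        ok = config_is_unset(config, name)
        msg = '%s option was expected to be unset in the kernel config' % name
    return ok, ('' if ok else msg)


def load_running_kernel_config():
    """Read the running kernel's config from /proc/config.gz or
    /boot/config-<release>; return None if neither is readable."""
    release = os.uname().release
    for path in ('/proc/config.gz', '/boot/config-%s' % release):
        try:
            if path.endswith('.gz'):
                with gzip.open(path, 'rt') as fh:
                    return fh.read()
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    return None


# Constructed sample configs (not real Ubuntu kernel configs): one resembling
# the failing linux-kvm kernel, one resembling the patched kernel.
SAMPLE_CONFIG_UNPATCHED = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_SCHED_STACK_END_CHECK=y
# CONFIG_LOCK_DOWN_KERNEL is not set
CONFIG_LOCALVERSION="-kvm"
"""

SAMPLE_CONFIG_PATCHED = """\
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_LOCK_DOWN_KERNEL=y
CONFIG_LOCALVERSION="-kvm"
"""


def check_lockdown(text):
    """Run the LOCK_DOWN_KERNEL check over config text; returns (ok, message)."""
    return check_option(parse_kernel_config(text), 'LOCK_DOWN_KERNEL', True)


if __name__ == '__main__':
    # Check the running kernel if its config is readable, else the sample.
    text = load_running_kernel_config() or SAMPLE_CONFIG_UNPATCHED
    ok, message = check_lockdown(text)
    print('PASS' if ok else 'FAIL: ' + message)
```

Run on a host, the script reads the live kernel config and reports PASS or the same "option was expected to be set" failure seen in the traceback; offline it falls back to the constructed sample. The config_is_unset helper is there because, as the discussion below notes, the expected value is architecture dependent, so a check of this kind needs both directions.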

Po-Hsu Lin (cypressyew) on 2019-01-16
tags: added: bionic ppc64el
description: updated

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1811981

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) wrote :

Po-Hsu, thanks for the report. I'm not sure the lock down kernel config makes sense for ppc64el and s390x, and the qa-regression-testing script should be updated to reflect that.

The linux-kvm case is possibly worth adjusting the config, I need to discuss that more with the Security Team.

This testcase also fails with linux-kvm for Cosmic.

Po-Hsu Lin (cypressyew) wrote :

Didn't see this for ppc64el on the latest 4.15 bionic kernel (4.15.0-45)

Po-Hsu Lin (cypressyew) wrote :

I think the fix is here for the PowerPC:
https://git.launchpad.net/qa-regression-testing/commit/?id=2082aec714a3a053664082a747b9c166b398cc4f

So this issue can be called fixed in the qa-regression-testing suite.

We will address the kernel configs here.

Changed in qa-regression-testing:
status: New → Fix Released
Po-Hsu Lin (cypressyew) wrote :

Hello Steve,

regarding your comment #3:

    The linux-kvm case is possibly worth adjusting the config, I need to discuss that more with the Security Team.

Do we need to enable this on the KVM kernel?
Thanks.

no longer affects: linux (Ubuntu)
Po-Hsu Lin (cypressyew) on 2019-05-24
summary: test_410_config_lock_down_kernel in ubuntu_kernel_security test failed
- on Bionic with PowerPC
+ on B/C KVM
Po-Hsu Lin (cypressyew) on 2019-06-10
no longer affects: linux (Ubuntu Bionic)
no longer affects: linux (Ubuntu Cosmic)
summary: test_410_config_lock_down_kernel in ubuntu_kernel_security test failed
- on B/C KVM
+ on B/C/D KVM
Po-Hsu Lin (cypressyew) on 2019-06-10
Changed in ubuntu-kernel-tests:
status: New → In Progress
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu Bionic):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu Cosmic):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu Disco):
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → In Progress
Changed in linux-kvm (Ubuntu Cosmic):
status: New → In Progress
Changed in linux-kvm (Ubuntu Bionic):
status: New → In Progress
Changed in linux-kvm (Ubuntu):
status: New → In Progress
Po-Hsu Lin (cypressyew) on 2019-06-10
description: updated
Po-Hsu Lin (cypressyew) wrote :
tags: added: amd64 cosmic disco ubuntu-kernel-security
removed: ppc64el
Changed in linux-kvm (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Cosmic):
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Disco):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2019-07-16
tags: added: ubuntu-qrt-kernel-security
removed: ubuntu-kernel-security
Steve Beattie (sbeattie) wrote :

I can confirm that the CONFIG_LOCK_DOWN_KERNEL config is enabled in the 4.15.0-1039.39 linux-kvm kernel in bionic-proposed. Thanks!

tags: added: verification-done-bionic
Steve Beattie (sbeattie) wrote :

I can confirm that the CONFIG_LOCK_DOWN_KERNEL config is enabled in the 5.0.0-1011.12 linux-kvm kernel in disco-proposed. Thanks!

tags: added: verifiction-done-disco
Po-Hsu Lin (cypressyew) on 2019-07-19
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.15.0-1039.39

---------------
linux-kvm (4.15.0-1039.39) bionic; urgency=medium

  * linux-kvm: 4.15.0-1039.39 -proposed tracker (LP: #1834940)

  * q-r-t security test wants SCHED_STACK_END_CHECK to be enabled in KVM kernels
    (LP: #1812159)
    - [Config]: enable SCHED_STACK_END_CHECK

  * test_410_config_lock_down_kernel in ubuntu_kernel_security test failed on
    B/C/D KVM (LP: #1811981)
    - [Config]: enable CONFIG_LOCK_DOWN_KERNEL

  [ Ubuntu: 4.15.0-55.60 ]

  * linux: 4.15.0-55.60 -proposed tracker (LP: #1834954)
  * Request backport of ceph commits into bionic (LP: #1834235)
    - ceph: use atomic_t for ceph_inode_info::i_shared_gen
    - ceph: define argument structure for handle_cap_grant
    - ceph: flush pending works before shutdown super
    - ceph: send cap releases more aggressively
    - ceph: single workqueue for inode related works
    - ceph: avoid dereferencing invalid pointer during cached readdir
    - ceph: quota: add initial infrastructure to support cephfs quotas
    - ceph: quota: support for ceph.quota.max_files
    - ceph: quota: don't allow cross-quota renames
    - ceph: fix root quota realm check
    - ceph: quota: support for ceph.quota.max_bytes
    - ceph: quota: update MDS when max_bytes is approaching
    - ceph: quota: add counter for snaprealms with quota
    - ceph: avoid iput_final() while holding mutex or in dispatch thread
  * QCA9377 isn't being recognized sometimes (LP: #1757218)
    - SAUCE: USB: Disable USB2 LPM at shutdown
  * hns: fix ICMP6 neighbor solicitation messages discard problem (LP: #1833140)
    - net: hns: fix ICMP6 neighbor solicitation messages discard problem
    - net: hns: fix unsigned comparison to less than zero
  * Fix occasional boot time crash in hns driver (LP: #1833138)
    - net: hns: Fix probabilistic memory overwrite when HNS driver initialized
  * use-after-free in hns_nic_net_xmit_hw (LP: #1833136)
    - net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw()
  * hns: attempt to restart autoneg when disabled should report error
    (LP: #1833147)
    - net: hns: Restart autoneg need return failed when autoneg off
  * systemd 237-3ubuntu10.14 ADT test failure on Bionic ppc64el (test-seccomp)
    (LP: #1821625)
    - powerpc: sys_pkey_alloc() and sys_pkey_free() system calls
    - powerpc: sys_pkey_mprotect() system call
  * [UBUNTU] pkey: Indicate old mkvp only if old and curr. mkvp are different
    (LP: #1832625)
    - pkey: Indicate old mkvp only if old and current mkvp are different
  * [UBUNTU] kernel: Fix gcm-aes-s390 wrong scatter-gather list processing
    (LP: #1832623)
    - s390/crypto: fix gcm-aes-s390 selftest failures
  * System crashes on hot adding a core with drmgr command (4.15.0-48-generic)
    (LP: #1833716)
    - powerpc/numa: improve control of topology updates
    - powerpc/numa: document topology_updates_enabled, disable by default
  * Kernel modules generated incorrectly when system is localized to a non-
    English language (LP: #1828084)
    - scripts: override locale from environment when running recordmcount.pl
  * [UBUNTU] kernel: Fix wrong dispatching for control domain CPRBs
  ...

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 5.0.0-1011.12

---------------
linux-kvm (5.0.0-1011.12) disco; urgency=medium

  * linux-kvm: 5.0.0-1011.12 -proposed tracker (LP: #1834892)

  * q-r-t security test wants SCHED_STACK_END_CHECK to be enabled in KVM kernels
    (LP: #1812159)
    - [Config]: enable SCHED_STACK_END_CHECK

  * PAGE_POISONING / PAGE_POISONING_NO_SANITY / PAGE_POISONING_ZERO option was
    expected to be set in C-KVM (LP: #1812624)
    - [Config]: enable PAGE_POISONING, PAGE_POISONING_NO_SANITY,
      PAGE_POISONING_ZERO

  * test_410_config_lock_down_kernel in ubuntu_kernel_security test failed on
    B/C/D KVM (LP: #1811981)
    - [Config]: enable CONFIG_LOCK_DOWN_KERNEL

  [ Ubuntu: 5.0.0-21.22 ]

  * linux: 5.0.0-21.22 -proposed tracker (LP: #1834902)
  * Disco update: 5.0.15 upstream stable release (LP: #1834529)
    - net: stmmac: Use bfsize1 in ndesc_init_rx_desc
    - Drivers: hv: vmbus: Remove the undesired put_cpu_ptr() in hv_synic_cleanup()
    - ubsan: Fix nasty -Wbuiltin-declaration-mismatch GCC-9 warnings
    - staging: greybus: power_supply: fix prop-descriptor request size
    - staging: wilc1000: Avoid GFP_KERNEL allocation from atomic context.
    - staging: most: cdev: fix chrdev_region leak in mod_exit
    - staging: most: sound: pass correct device when creating a sound card
    - ASoC: tlv320aic3x: fix reset gpio reference counting
    - ASoC: hdmi-codec: fix S/PDIF DAI
    - ASoC: stm32: sai: fix iec958 controls indexation
    - ASoC: stm32: sai: fix exposed capabilities in spdif mode
    - ASoC: stm32: sai: fix race condition in irq handler
    - ASoC:soc-pcm:fix a codec fixup issue in TDM case
    - ASoC:hdac_hda:use correct format to setup hda codec
    - ASoC:intel:skl:fix a simultaneous playback & capture issue on hda platform
    - ASoC: dpcm: prevent snd_soc_dpcm use after free
    - ASoC: nau8824: fix the issue of the widget with prefix name
    - ASoC: nau8810: fix the issue of widget with prefixed name
    - ASoC: samsung: odroid: Fix clock configuration for 44100 sample rate
    - ASoC: rt5682: Check JD status when system resume
    - ASoC: rt5682: fix jack type detection issue
    - ASoC: rt5682: recording has no sound after booting
    - ASoC: wm_adsp: Add locking to wm_adsp2_bus_error
    - clk: meson-gxbb: round the vdec dividers to closest
    - ASoC: stm32: dfsdm: manage multiple prepare
    - ASoC: stm32: dfsdm: fix debugfs warnings on entry creation
    - ASoC: cs4270: Set auto-increment bit for register writes
    - ASoC: dapm: Fix NULL pointer dereference in snd_soc_dapm_free_kcontrol
    - drm/omap: hdmi4_cec: Fix CEC clock handling for PM
    - IB/hfi1: Clear the IOWAIT pending bits when QP is put into error state
    - IB/hfi1: Eliminate opcode tests on mr deref
    - IB/hfi1: Fix the allocation of RSM table
    - MIPS: KGDB: fix kgdb support for SMP platforms.
    - ASoC: tlv320aic32x4: Fix Common Pins
    - drm/mediatek: Fix an error code in mtk_hdmi_dt_parse_pdata()
    - perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
    - perf/x86/intel: Initialize TFA MSR
    - linux/kernel.h: Use parentheses around argument in u64_to_user_ptr()
    - iov_iter: F...

Changed in linux-kvm (Ubuntu Disco):
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Released