Root can lift kernel lockdown via USB/IP

Bug #1861238 reported by Andrey Konovalov on 2020-01-29
This bug affects 2 people
Affects              Status                   Importance  Assigned to   Milestone
linux (Ubuntu)       Status tracked in Focal
  Xenial                                      Undecided   Unassigned
  Bionic                                      High        Tyler Hicks
  Disco                                       High        Tyler Hicks
  Eoan                                        High        Tyler Hicks
  Focal                                       High        Tyler Hicks
linux-oem (Ubuntu)                            Undecided   Unassigned
  Bionic                                      Undecided   Unassigned

Bug Description

[Impact]

It's possible to turn off kernel lockdown by emulating a USB keyboard via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

$ git clone https://github.com/xairy/unlockdown.git
$ cd unlockdown/01-usbip/
$ sudo ./run.sh
$ dmesg

# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown

# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)
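The dmesg check in the test case above, written out as a small classifier so it can be scripted into a kernel verification run. This is an added example, not part of the bug report or the unlockdown repository; the two log excerpts it ships with are constructed from the markers quoted in the test case.

```shell
#!/bin/sh
# Classify a kernel log excerpt the way the [Test Case] does by hand.
# Exit status: 0 = fixed behaviour (Alt+SysRq+X fell through to the SysRq
# help text), 1 = lockdown lift recorded (unfixed kernel), 2 = no SysRq
# activity found, so the test did not actually exercise the key combination.
check_lockdown_log() {
    log="$1"
    # Either of these lines means the kernel honoured the lockdown-lift sysrq.
    if printf '%s\n' "$log" | grep -q -e 'Disabling Secure Boot restrictions' \
                                       -e 'Lifting lockdown'; then
        echo "VULNERABLE: kernel log records a lockdown lift"
        return 1
    fi
    # On a fixed kernel the unknown 'x' key prints the SysRq help banner instead.
    if printf '%s\n' "$log" | grep -q 'SysRq : HELP'; then
        echo "OK: Alt+SysRq+X produced the SysRq help text, lockdown stays on"
        return 0
    fi
    echo "INCONCLUSIVE: no SysRq entries in this log excerpt"
    return 2
}

# Constructed sample excerpts (not real captures) for the two outcomes.
UNFIXED_SAMPLE='[  101.220001] vhci_hcd: USB/IP Virtual Host Controller
[  101.900112] sysrq: SysRq : Disabling Secure Boot restrictions
[  101.900115] Lifting lockdown'

FIXED_SAMPLE='[  101.220001] vhci_hcd: USB/IP Virtual Host Controller
[  101.900112] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) sync(s)'

# Demo on the constructed samples; on a real system run:  dmesg | { IFS= read -r -d "" l; check_lockdown_log "$l"; }
check_lockdown_log "$UNFIXED_SAMPLE" || :
check_lockdown_log "$FIXED_SAMPLE" || :
```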

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq combination being removed. Some users are known to disable lockdown, using the sysrq combination, in order to perform some "dangerous" operation such as writing to an MSR. It is believed that this is a small number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable secure boot using 'mokutil --disable-validation'.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1861238

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Tyler Hicks (tyhicks) on 2020-01-29
information type: Public → Public Security
Andy Whitcroft (apw) on 2020-01-29
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tyler Hicks (tyhicks) on 2020-02-07
description: updated
Tyler Hicks (tyhicks) wrote :

Thanks for the report! After speaking with the security team, we've come to an agreement that removing the lockdown lift sysrq is the best thing to do. We understand that a small number of users may rely on that sysrq today to do things like writing to an MSR, but they'll still be able to achieve a lockdown-free environment by running 'mokutil --disable-validation' and rebooting.

Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
status: Confirmed → In Progress
Tyler Hicks (tyhicks) wrote :

Xenial doesn't have support for lifting lockdown features via sysrq so I'm marking its task as invalid.

Changed in linux (Ubuntu Eoan):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Eoan):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Xenial):
status: New → Invalid
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Tyler Hicks (tyhicks) wrote :

I've verified the fix in 4.15.0-89.89-generic. The sysrq help message is printed to the kernel log when trying to lift lockdown with the proof-of-concept and when trying to lift lockdown with alt+sysrq+x.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Tyler Hicks (tyhicks) wrote :

I've also verified the fix in 5.3.0-41.33-generic.

tags: added: verification-done-eoan
removed: verification-needed-eoan
AceLan Kao (acelankao) on 2020-02-25
no longer affects: linux-oem (Ubuntu Xenial)
no longer affects: linux-oem (Ubuntu Disco)
no longer affects: linux-oem (Ubuntu Eoan)
no longer affects: linux-oem (Ubuntu Focal)
Changed in linux-oem (Ubuntu Bionic):
status: New → Fix Committed