dkms packages generate insecure MOK, allow potential lockdown bypass

Bug #1883949 reported by Trammell Hudson on 2020-06-17
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned

Bug Description

When the first DKMS package is installed, apt will generate a machine owner key pair in /var/lib/shim-signed/mok/ and enroll it with the shim so that the dynamically build kernel modules can be validated. A password is requested, but only to validate the public key registration on the next reboot. The private key is only protected by 0600 permissions.

An attacker who can escalate to root can later use this password-less MOK.priv file to sign their own modules and bypass the lockdown protections to escalate into the kernel.

Marc Deslauriers (mdeslaur) wrote :

Hi,

Enabling a DKMS package does indeed allow root to sign arbitrary modules. This is part of the compromise of being able to use DKMS packages.

Since this works as intended, I am marking this bug as invalid.

If you have a requirement in your environment where you do not wish the root user to be able to sign arbitrary modules, you must not install DKMS packages and enroll the extra key.

Changed in linux (Ubuntu):
status: New → Invalid
Trammell Hudson (trmm) on 2020-07-14
information type: Private Security → Public
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers