dkms packages generate insecure MOK, allow potential lockdown bypass
Bug #1883949 reported by
Trammell Hudson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
When the first DKMS package is installed, apt will generate a machine owner key pair in /var/lib/
An attacker who can escalate to root can later use this password-less MOK.priv file to sign their own modules and bypass the lockdown protections to escalate into the kernel.
information type: | Private Security → Public |
To post a comment you must log in.
Hi,
Enabling a DKMS package does indeed allow root to sign arbitrary modules. This is part of the compromise of being able to use DKMS packages.
Since this works as intended, I am marking this bug as invalid.
If you have a requirement in your environment where you do not wish the root user to be able to sign arbitrary modules, you must not install DKMS packages and enroll the extra key.