Ubuntu
linux package

dkms packages generate insecure MOK, allow potential lockdown bypass

Bug #1883949 reported by Trammell Hudson on 2020-06-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

When the first DKMS package is installed, apt will generate a machine owner key pair in /var/lib/shim-signed/mok/ and enroll it with the shim so that the dynamically build kernel modules can be validated. A password is requested, but only to validate the public key registration on the next reboot. The private key is only protected by 0600 permissions.

An attacker who can escalate to root can later use this password-less MOK.priv file to sign their own modules and bypass the lockdown protections to escalate into the kernel.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2020-07-14:

Hi,

Enabling a DKMS package does indeed allow root to sign arbitrary modules. This is part of the compromise of being able to use DKMS packages.

Since this works as intended, I am marking this bug as invalid.

If you have a requirement in your environment where you do not wish the root user to be able to sign arbitrary modules, you must not install DKMS packages and enroll the extra key.

Changed in linux (Ubuntu):
status:	New → Invalid

Trammell Hudson (trmm) on 2020-07-14

information type:

Private Security → Public

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

dkms packages generate insecure MOK, allow potential lockdown bypass

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
linux package