xenial upgrade of lockdown patches dropped ioport denial

Bug #1962315 reported by Dimitri John Ledkov
Affects                 Status         Importance  Assigned to  Milestone
linux (Ubuntu)          Fix Committed  Undecided   Unassigned
  Xenial                Fix Released   Undecided   Unassigned

Bug Description

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=cc223b88b8e59fca362b426b0cccfe580fd8a68e

Has been shipped from Ubuntu-4.4.0-18.34 until Ubuntu-4.4.0-186.216

As part of an upgrade to a newer edition of the lockdown patches it was reverted:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=009ff27aac7cf36458a035122ecb9cfd4e4d073a

But equivalent functionality does not appear to have been applied.

This was done as part of lockdown patches updates - see

BugLink: https://bugs.launchpad.net/bugs/1884159

https://lists.ubuntu.com/archives/kernel-team/2020-June/111301.html

Now an audit needs to be done w.r.t. those patch series across all the kernels they were applied to, to ensure nothing else has regressed, etc.

summary: - TBD
+ xenial upgrade of lockdown patches dropped ioport denial
description: updated
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Things to inspect if

v5.2..45893a0abee6b5fd52994a3a1095735aeaec472b

are all backported correctly, in xenial and bionic.

Revision history for this message
Steve Langasek (vorlon) wrote :

What is the impact of this bug? Does it compromise SecureBoot (compromise prior to ExitBootServices) or only higher-levels of assurance?

I believe we have not deployed the newer signing keys for ESM. We should make sure this is fixed for xenial before we do so.

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Is this currently on the kernel team's todo-list? Thanks

Revision history for this message
Kai-Heng Feng (kaihengfeng) wrote :

FWIW, the ioport denial caused a regression for one of our customers. As a result, the customer decided to write a kernel driver as Matthew suggested.

Full discussion here:
https://lore.kernel<email address hidden>/

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> What is the impact of this bug? Does it compromise SecureBoot (compromise prior to ExitBootServices) or only higher-levels of assurance?

I believe it is only higher-levels of assurance that are affected. And shim-review board would like to enforce that kernels signed by keys trusted by signed shims must have up to date levels of lockdown features, which in Ubuntu kernels have regressed.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

> I believe we have not deployed the newer signing keys for ESM. We should make sure this is fixed for xenial before we do so.

I do not believe we can rotate xenial GA kernel to UA2021v1 key as is, because it has no support for built-in revoked keys. Which imho is required for us to allow new shim to verify kernels.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

https://lists<email address hidden>/thread/GNGCNHS3AACNAC2LPZD2YIIDRKKYXKO3/

Changed in linux (Ubuntu):
status: New → In Progress
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Patch applied.

Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Released
information type: Private Security → Public Security