Root can lift kernel lockdown via USB/IP
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Tyler Hicks |
linux (Ubuntu Xenial) | Invalid | Undecided | Unassigned |
linux (Ubuntu Bionic) | Fix Released | High | Tyler Hicks |
linux (Ubuntu Disco) | Won't Fix | High | Tyler Hicks |
linux (Ubuntu Eoan) | Fix Released | High | Tyler Hicks |
linux (Ubuntu Focal) | Fix Released | High | Tyler Hicks |
linux-oem (Ubuntu) | Fix Released | Undecided | Unassigned |
linux-oem (Ubuntu Bionic) | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
It's possible to turn off kernel lockdown by emulating a USB keyboard via USB/IP and sending an Alt+SysRq+X key combination through it.
Ubuntu's kernels have USB/IP enabled (CONFIG_
See the PoC here: https:/
[Test Case]
$ git clone https:/
$ cd unlockdown/
$ sudo ./run.sh
$ dmesg
# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown
# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-
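A small check script that codifies the expected dmesg outcome of the test case above, added here as an example; it is not part of the bug report or of the unlockdown PoC. The sample dmesg lines are constructed, the script name check.sh and its --live flag are the example's own, and it assumes /sys/kernel/security/lockdown reads like "none [integrity] confidentiality" on a lockdown-enabled kernel.

```shell
#!/bin/sh
# Added example, not part of the bug report: verify a kernel against the
# [Test Case] above. The sample dmesg lines below are constructed.

# Extract the active mode from /sys/kernel/security/lockdown, whose content
# is assumed to look like "none [integrity] confidentiality".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Classify a dmesg capture taken after running the PoC:
#   vulnerable - the Alt+SysRq+X combination lifted lockdown
#   patched    - the combination is gone, so sysrq only printed its HELP line
#   unknown    - neither message seen (the PoC may not have run)
classify_dmesg() {
    if printf '%s\n' "$1" | grep -Eq 'Lifting lockdown|Disabling Secure Boot restrictions'; then
        printf 'vulnerable\n'
    elif printf '%s\n' "$1" | grep -q 'SysRq : HELP'; then
        printf 'patched\n'
    else
        printf 'unknown\n'
    fi
}

# Constructed samples modelled on the log lines quoted in the test case.
SAMPLE_VULNERABLE='[   42.100000] sysrq: SysRq : Disabling Secure Boot restrictions
[   42.100010] Lifting lockdown'
SAMPLE_PATCHED='[   42.100000] sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c)'

# Live check of the running host (dmesg needs root): sudo ./check.sh --live
if [ "${1:-}" = --live ]; then
    printf 'lockdown mode: %s\n' "$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")"
    printf 'sysrq result:  %s\n' "$(classify_dmesg "$(dmesg)")"
else
    printf 'constructed vulnerable sample -> %s\n' "$(classify_dmesg "$SAMPLE_VULNERABLE")"
    printf 'constructed patched sample    -> %s\n' "$(classify_dmesg "$SAMPLE_PATCHED")"
fi
```

Run it with --live right after `sudo ./run.sh` from the test case: a patched kernel reports "patched" and the lockdown mode is unchanged.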
[Regression Potential]
Some users may see a usability regression due to the Lockdown lift sysrq combination being removed. Some users are known to disable lockdown, using the sysrq combination, in order to perform some "dangerous" operation such as writing to an MSR. It is believed that this is a small number of users but it is impossible to know for sure.
Users that rely on this functionality may need to permanently disable secure boot using 'mokutil --disable-
CVE References
information type: Public → Public Security
Changed in linux (Ubuntu):
  status: Incomplete → Confirmed
  description: updated
Changed in linux (Ubuntu Eoan):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
  status: In Progress → Fix Committed
no longer affects: linux-oem (Ubuntu Xenial)
no longer affects: linux-oem (Ubuntu Disco)
no longer affects: linux-oem (Ubuntu Eoan)
no longer affects: linux-oem (Ubuntu Focal)
Changed in linux-oem (Ubuntu Bionic):
  status: New → Fix Committed
Changed in linux-oem (Ubuntu):
  status: New → Fix Released
Changed in linux (Ubuntu Disco):
  status: Fix Committed → Won't Fix
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1861238
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.