Bug 1599197
| Summary: | kernel lockdown breaks too much for me | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jason Haar <jhaar> | ||||
| Component: | kernel | Assignee: | Kernel Maintainer List <kernel-maint> | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 28 | CC: | airlied, bskeggs, damianatorrpm, ewk, fweimer, hdegoede, ichavero, itamar, jarodwilson, jgehrcke, jglisse, john.j5live, jonathan, josef, kernel-maint, linville, mailinglists35, mchehab, mjg59, robert.hancock, steved, thomas.mey | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | x86_64 | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2018-07-09 08:49:14 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Jason Haar
2018-07-09 07:54:15 UTC
You can disable lockdown by disabling secure boot - run sudo mokutil --disable-validation and reboot, and then follow the prompts. However, please open a bug against sane-backends - drivers for USB devices shouldn't be calling ioperm(). I'll close this bug since this is working as intended from the kernel's perspective, but thanks for the report of the breakage. I ran the mokutil command from the console as root and had to enter a password? I made one up and afterwards rebooted. However - there are no "prompts"... I am running F28 as a server - non-GUI. I assume these "prompts" are GUI-only? Also the wireguard module failed to load: "modprobe: Loading of unsigned module is restricted" - so Lockdown is still in place Any more hints please :-) Jason The prompts are provided in the system firmware, so if it's a headless device you'll need to use the remote console to confirm them. Wow - I see what you mean. That did the trick. After the reboot and weird password challenges I got to disable secureboot and then it came up properly - and now I can load the wireguard kernel module :-) Thanks! Jason For the record you can disable kernel lockdown via sys-rq: sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq' sudo bash -c 'echo x > /proc/sysrq-trigger' > For the record you can disable kernel lockdown via sys-rq:
> sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq'
> sudo bash -c 'echo x > /proc/sysrq-trigger'
Thanks for the hint. Is this modification permanent / does it survive reboots? Where is this documented? Thank yoU!
Hi, no sadly above is not enough. in a running system, this enables the resume to hibernate to disk correctly, but once the system is powered on again and the kernel starts above steps needs to be done before trying to resume the image from disk again. this is why I did patch dracut a bit. see attached patch. this is just a hack, as my swap is encrypted anyway. Created attachment 1619783 [details]
disable lockdown in dracut before resume via sysrq trigger
(In reply to Thomas Meyer from comment #5) > For the record you can disable kernel lockdown via sys-rq: > sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq' > sudo bash -c 'echo x > /proc/sysrq-trigger' this no longer works in fedora 31: Nov 21 14:21:39 DESKTOP-NK8IUMU.mshome.net kernel: This sysrq operation is disabled from userspace. how do I get kernel lockdown and usable dkms on uefi secure boot *at the same time*, as a regular end user? I have edited the wiki providing some further information: https://fedoraproject.org/wiki/Secureboot You cannot disable lockdown using sysrq-trigger anymore. You have to hit Alt-SysRq-x on the physical keyboard. This is something that only a physical user is supposed to be able to do, not an automated script. Are you guys aware that lockdown can be bypassed without physical access on fedora and all distros that allow sysrq lift? Ubuntu is dropping their patches. https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238 https://github.com/xairy/unlockdown >>You cannot disable lockdown using sysrq-trigger anymore. You have to hit Alt-SysRq-x on the physical keyboard. This is something that only a physical user is supposed to be able to do, not an automated script. I have not tested if this is true or to what extend this depends on some variable. Additionally I am not using Fedora anymore. >>Are you guys aware that lockdown can be bypassed without physical access on fedora and all distros that allow sysrq lift? Ubuntu is dropping their patches. I think above comment by RH is supposed to explain that. IMHO even if a malicious program could execute sysrqs what is it supposed to do? (In reply to Damian Ivanov from comment #13) > > I think above comment by RH is supposed to explain that. Nope, above RH comment says "that only a physical user is supposed to be able to do, not an automated script". That statement was proved false: https://github.com/xairy/unlockdown#method-1-usbip > IMHO even if a malicious program could execute sysrqs what is it supposed to do? If malicious program can disable lockdown then what's the point of lockdown in first place? Preventing poor users from using their printers like in this case? That doesn't make sense and is pure security theater. I opened https://bugzilla.redhat.com/show_bug.cgi?id=1800859 |