Bug 1638874

Summary: efi-lockdown status needs to be exposed to userspace
Product: [Fedora] Fedora
Reporter: Frank Ch. Eigler <fche>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: rawhide
CC: airlied, bskeggs, dhowells, ewk, hdegoede, ichavero, itamar, jarodwilson, jcline, jglisse, john.j5live, jonathan, josef, jwboyer, kernel-maint, linville, mchehab, mjg59, smakarov, steved, vdronov
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: kernel-5.8.0-0.rc1.1.fc33, kernel-5.7.5-200.fc32
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1805299
Environment:
Last Closed: 2020-06-29 17:23:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1805299

Description Frank Ch. Eigler 2018-10-12 16:56:51 UTC
In order for userspace code to know that it must sign OOT modules, the secureboot / sig-enforce / lockdown mechanism's status needs to be exposed to it.  Previous codesets exported a /sys/ or /proc/ file exposing this extra state, e.g. as /sys/kernel/security/securelevel, but efi-lockdown.patch appears to lack this.  This absence kills programs such as systemtap that can deal with secureboot, but only if they know they need to.

Please add (back) a way for unprivileged userspace to know whether this kernel-lockdown mode is in effect.

Comment 1 Frank Ch. Eigler 2020-02-19 15:05:07 UTC
see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552

I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y now, a /sys/kernel/security/lockdown file exists, but is not readable to unprivileged users.  If it were readable, we could work with it.

Comment 2 Josh Boyer 2020-02-19 17:40:48 UTC
(In reply to Frank Ch. Eigler from comment #1)
> see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
> 
> I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
> now, a /sys/kernel/security/lockdown file exists, but is not readable to
> unprivileged users.  If it were readable, we could work with it.

I really can't help here.  I wrote the initial patches in like the Fedora 21 timeframe.  They have morphed significantly since then, and I have no idea what the state of the code is.  Matthew Garrett or one of the other Fedora kernel maintainers are in a better spot than I am to help.

Comment 3 Jeremy Cline 2020-02-19 21:44:37 UTC
Looks like an easy fix, I'll see about sending a patch upstream.

Comment 6 Vladis Dronov 2020-06-29 17:10:48 UTC
in the upstream: 60cf7c5ed5f7 ("lockdown: Allow unprivileged users to see lockdown status")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60cf7c5ed5f7

Comment 7 Jeremy Cline 2020-06-29 17:23:09 UTC
Indeed, and it's also in 5.7.5+.
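Added example, not part of this bug report or of the kernel or systemtap code: a small Python reader for the `/sys/kernel/security/lockdown` file that comment 1 asks to be made world-readable and that the upstream commit in comment 6 exposes. It assumes the file's content is the lockdown LSM's single-line format with the active mode in square brackets (e.g. `none [integrity] confidentiality`); the sample contents, the `read_lockdown_status` helper and its result dictionary are constructed for this example. It distinguishes the two situations a tool like systemtap meets on Fedora kernels: the file being absent (no lockdown support, or securityfs not mounted) and the file existing but being unreadable to an unprivileged user (the state comment 1 describes on 5.4-era kernels before the fix).

```python
"""Read and interpret the securityfs lockdown status file.

Example code added to this bug page; it is not the kernel's, Fedora's
or systemtap's own code.  Assumed file format (kernel lockdown LSM):
one line listing every mode, the active one in square brackets,
e.g. "none [integrity] confidentiality".
"""
import re
from typing import Optional

# Path quoted in comment 1 of the bug.
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"

# Constructed sample file contents for offline use.
SAMPLE_INTEGRITY = "none [integrity] confidentiality\n"
SAMPLE_NONE = "[none] integrity confidentiality\n"


def parse_lockdown(text: str) -> Optional[str]:
    """Return the active mode ('none', 'integrity' or 'confidentiality'),
    or None if the text is not in the bracketed single-line format."""
    for token in text.split():
        m = re.fullmatch(r"\[(\w+)\]", token)
        if m:
            return m.group(1)
    return None


def modules_need_signature(mode: Optional[str]) -> bool:
    """In integrity or confidentiality mode the kernel refuses unsigned
    out-of-tree modules; this is the decision the reporter's tooling
    needs to make before trying to load one."""
    return mode in ("integrity", "confidentiality")


def read_lockdown_status(path: str = LOCKDOWN_PATH) -> dict:
    """Read the lockdown file and classify the outcome.

    'reason' records why no mode could be determined:
      - 'no lockdown file': kernel without lockdown or securityfs not mounted
      - 'not readable': file present but denied to this user, the pre-fix
        behaviour described in comment 1
      - 'unexpected format': file read but not in the assumed format
    """
    try:
        with open(path, encoding="ascii") as f:
            text = f.read()
    except FileNotFoundError:
        return {"available": False, "reason": "no lockdown file", "mode": None}
    except PermissionError:
        return {"available": False, "reason": "not readable", "mode": None}
    mode = parse_lockdown(text)
    return {
        "available": mode is not None,
        "reason": "ok" if mode is not None else "unexpected format",
        "mode": mode,
    }


if __name__ == "__main__":
    status = read_lockdown_status()
    print(status)
    if status["mode"] is not None:
        print("unsigned out-of-tree modules allowed:",
              not modules_need_signature(status["mode"]))
```

Run it as an ordinary user on a kernel with the fix from comment 6 and it reports the active mode; on an older kernel it returns `reason: not readable` instead of raising, so a caller can fall back to its previous heuristics.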