Bug 1638874
| Field | Value |
|---|---|
| Summary | efi-lockdown status needs to be exposed to userspace |
| Product | [Fedora] Fedora |
| Component | kernel |
| Version | rawhide |
| Status | CLOSED RAWHIDE |
| Severity | high |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Frank Ch. Eigler <fche> |
| Assignee | Kernel Maintainer List <kernel-maint> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | airlied, bskeggs, dhowells, ewk, hdegoede, ichavero, itamar, jarodwilson, jcline, jglisse, john.j5live, jonathan, josef, jwboyer, kernel-maint, linville, mchehab, mjg59, smakarov, steved, vdronov |
| Fixed In Version | kernel-5.8.0-0.rc1.1.fc33, kernel-5.7.5-200.fc32 |
| Doc Type | If docs needed, set a value |
| | 1805299 |
| Last Closed | 2020-06-29 17:23:09 UTC |
| Type | Bug |
| Bug Blocks | 1805299 |

Description
Frank Ch. Eigler
2018-10-12 16:56:51 UTC
see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552

I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y now, a /sys/kernel/security/lockdown file exists, but is not readable to unprivileged users. If it were readable, we could work with it.

(In reply to Frank Ch. Eigler from comment #1)
> see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
>
> I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
> now, a /sys/kernel/security/lockdown file exists, but is not readable to
> unprivileged users. If it were readable, we could work with it.

I really can't help here. I wrote the initial patches in like the Fedora 21 timeframe. They have morphed significantly since then, and I have no idea what the state of the code is. Matthew Garrett or one of the other Fedora kernel maintainers are in a better spot than I am to help.

Looks like an easy fix, I'll see about sending a patch upstream.

in the upstream:
60cf7c5ed5f7 ("lockdown: Allow unprivileged users to see lockdown status")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60cf7c5ed5f7

Indeed, and it's also in 5.7.5+.
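
A userspace check of the file discussed in this thread, as an added example that is not part of the bug report or of any project's code. It assumes the kernel's format for this file (a space-separated list of modes with the active one in square brackets); the function names are hypothetical.

```python
import re

LOCKDOWN_PATH = "/sys/kernel/security/lockdown"  # path named in the bug report


def parse_lockdown(text):
    """Return the active mode from text such as 'none [integrity] confidentiality'."""
    match = re.search(r"\[([a-z_]+)\]", text)
    if match is None:
        raise ValueError("no bracketed active mode in %r" % text)
    return match.group(1)


def lockdown_status(path=LOCKDOWN_PATH):
    """Return (state, mode); state is 'ok', 'unsupported' or 'unreadable'."""
    try:
        with open(path, "r") as handle:
            return "ok", parse_lockdown(handle.read())
    except FileNotFoundError:
        # Kernel built without the lockdown LSM, or securityfs not mounted.
        return "unsupported", None
    except PermissionError:
        # The case reported in this bug: the file exists but an unprivileged
        # reader is refused. The state is unknown, so do not assume "none".
        return "unreadable", None
    except ValueError:
        # File was readable but did not match the assumed format.
        return "unreadable", None


if __name__ == "__main__":
    # Constructed sample contents, not captured from a real system.
    for sample in ("[none] integrity confidentiality\n",
                   "none [integrity] confidentiality\n"):
        print(repr(sample), "->", parse_lockdown(sample))
    print("this host:", lockdown_status())
```

A tool that needs kernel memory access or unsigned module loading can call `lockdown_status()` up front and report a clear reason instead of failing later with an opaque permission error; on kernels without the fix referenced above, an unprivileged caller gets `unreadable`.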