Bug 1638874 - efi-lockdown status needs to be exposed to userspace
Summary: efi-lockdown status needs to be exposed to userspace
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1805299
TreeView+ depends on / blocked
 
Reported: 2018-10-12 16:56 UTC by Frank Ch. Eigler
Modified: 2020-06-29 17:23 UTC (History)
21 users (show)

Fixed In Version: kernel-5.8.0-0.rc1.1.fc33, kernel-5.7.5-200.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1805299 (view as bug list)
Environment:
Last Closed: 2020-06-29 17:23:09 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1599197 'unspecified' 'CLOSED' 'kernel lockdown breaks too much for me' 2019-11-21 16:54:05 UTC

Internal Links: 1599197

Description Frank Ch. Eigler 2018-10-12 16:56:51 UTC 
In order for userspace code to know that it must sign OOT modules, the secureboot / sig-enforce / lockdown mechanism's status needs to be exposed to it.  Previous codesets exported a /sys/ or /proc/ file exposing this extra state, e.g. as /sys/kernel/security/securelevel, but efi-lockdown.patch appears to lack this.  This absence kills programs such as systemtap that can deal with secureboot, but only if they know they need to.

Please add (back) a way for unprivileged userspace to know whether this kernel-lockdown mode is in effect.
Comment 1 Frank Ch. Eigler 2020-02-19 15:05:07 UTC 
see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552

I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y now, a /sys/kernel/security/lockdown file exists, but is not readable to unprivileged users.  If it were readable, we could work with it.
Comment 2 Josh Boyer 2020-02-19 17:40:48 UTC 
(In reply to Frank Ch. Eigler from comment #1)
> see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
> 
> I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
> now, a /sys/kernel/security/lockdown file exists, but is not readable to
> unprivileged users.  If it were readable, we could work with it.

I really can't help here.  I wrote the initial patches in like the Fedora 21 timeframe.  They have morphed significantly since then, and I have no idea what the state of the code is.  Matthew Garrett or one of the other Fedora kernel maintainers are in a better spot than I am to help.
Comment 3 Jeremy Cline 2020-02-19 21:44:37 UTC 
Looks like an easy fix, I'll see about sending a patch upstream.
Comment 6 Vladis Dronov 2020-06-29 17:10:48 UTC 
in the upstream: 60cf7c5ed5f7 ("lockdown: Allow unprivileged users to see lockdown status")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60cf7c5ed5f7
Comment 7 Jeremy Cline 2020-06-29 17:23:09 UTC 
Indeed, and it's also in 5.7.5+.
Note You need to log in before you can comment on or make changes to this bug.