Bug 1638874 - efi-lockdown status needs to be exposed to userspace
Summary: efi-lockdown status needs to be exposed to userspace
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1805299
 
Reported: 2018-10-12 16:56 UTC by Frank Ch. Eigler
Modified: 2020-06-29 17:23 UTC

Fixed In Version: kernel-5.8.0-0.rc1.1.fc33, kernel-5.7.5-200.fc32
Clone Of:
Clones: 1805299
Environment:
Last Closed: 2020-06-29 17:23:09 UTC
Type: Bug
Embargoed:




Links
Red Hat Bugzilla 1599197 (CLOSED, priority unspecified): kernel lockdown breaks too much for me (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 1599197

Description Frank Ch. Eigler 2018-10-12 16:56:51 UTC
In order for userspace code to know that it must sign OOT modules, the secureboot / sig-enforce / lockdown mechanism's status needs to be exposed to it.  Previous codesets exported a /sys/ or /proc/ file exposing this extra state, e.g. as /sys/kernel/security/securelevel, but efi-lockdown.patch appears to lack this.  This absence kills programs such as systemtap that can deal with secureboot, but only if they know they need to.

Please add (back) a way for unprivileged userspace to know whether this kernel-lockdown mode is in effect.

Comment 1 Frank Ch. Eigler 2020-02-19 15:05:07 UTC
See also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552

I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y now, a /sys/kernel/security/lockdown file exists, but is not readable to unprivileged users.  If it were readable, we could work with it.

Comment 2 Josh Boyer 2020-02-19 17:40:48 UTC
(In reply to Frank Ch. Eigler from comment #1)
> see also https://github.com/iovisor/bcc/issues/2565#issuecomment-584476552
> 
> I see with 5.4 era f31 kernels, where CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y
> now, a /sys/kernel/security/lockdown file exists, but is not readable to
> unprivileged users.  If it were readable, we could work with it.

I really can't help here.  I wrote the initial patches in like the Fedora 21 timeframe.  They have morphed significantly since then, and I have no idea what the state of the code is.  Matthew Garrett or one of the other Fedora kernel maintainers are in a better spot than I am to help.

Comment 3 Jeremy Cline 2020-02-19 21:44:37 UTC
Looks like an easy fix, I'll see about sending a patch upstream.

Comment 6 Vladis Dronov 2020-06-29 17:10:48 UTC
In the upstream: 60cf7c5ed5f7 ("lockdown: Allow unprivileged users to see lockdown status")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60cf7c5ed5f7

Comment 7 Jeremy Cline 2020-06-29 17:23:09 UTC
Indeed, and it's also in 5.7.5+.
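As an added example (not code from this bug, from systemtap or from bcc), here is a userspace check against /sys/kernel/security/lockdown that separates the pre-fix case from comment 1 (the file exists but returns EACCES to unprivileged users) from a readable file and from a kernel without the file at all. It assumes the upstream file format, a space-separated list of modes with the active one in square brackets; the sample content is constructed.

```python
# Path discussed in this bug; before upstream commit 60cf7c5ed5f7 it is
# present but readable only by root.
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"

# Constructed sample of the file content (assumed upstream format).
SAMPLE_CONTENT = "none [integrity] confidentiality\n"


def parse_lockdown(text):
    """Return the active lockdown mode from the file's content.

    The file lists the possible modes separated by spaces, with the active
    one in square brackets, e.g. "none [integrity] confidentiality".
    """
    active = [m[1:-1] for m in text.split()
              if m.startswith("[") and m.endswith("]")]
    if len(active) != 1:
        raise ValueError("unexpected lockdown file content: %r" % text)
    return active[0]


def lockdown_status(path=LOCKDOWN_PATH):
    """Classify what an unprivileged process can learn from the file.

    Returns ("mode", <active mode>) when the file is readable,
    ("unreadable", None) on EACCES (kernel without the fix), or
    ("absent", None) when the file does not exist.
    """
    try:
        with open(path) as f:
            return ("mode", parse_lockdown(f.read()))
    except PermissionError:
        return ("unreadable", None)
    except FileNotFoundError:
        return ("absent", None)


def must_sign_modules(status):
    """Decide conservatively whether out-of-tree modules need signing.

    Any mode other than "none" means lockdown is active. An unreadable
    file is treated as "possibly locked down" rather than risking a
    failed module load on a pre-fix kernel.
    """
    kind, mode = status
    if kind == "mode":
        return mode != "none"
    return kind == "unreadable"


if __name__ == "__main__":
    print("sample active mode:", parse_lockdown(SAMPLE_CONTENT))
    status = lockdown_status()
    print("this kernel:", status, "sign modules:", must_sign_modules(status))
```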

