Bug 1698298 - Unsigned kernel modules may be inserted with kernel lockdown enabled
Summary: Unsigned kernel modules may be inserted with kernel lockdown enabled
Keywords:
Status: CLOSED DUPLICATE of bug 1696671
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 29
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-04-10 04:20 UTC by Benjamin
Modified: 2019-05-01 00:48 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-05-01 00:48:32 UTC
Type: Bug
Embargoed:


Attachments
Linux kernel module for testing (199 bytes, text/x-csrc)
2019-04-10 04:20 UTC, Benjamin
Makefile for module (155 bytes, text/plain)
2019-04-10 04:22 UTC, Benjamin
kernel log (84.83 KB, text/plain)
2019-04-10 04:24 UTC, Benjamin

Description Benjamin 2019-04-10 04:20:19 UTC
Created attachment 1554054
Linux kernel module for testing

1. Please describe the problem:
The kernel allows unsigned modules to be loaded with kernel lockdown enabled (this happens regardless of whether lockdown is triggered by EFI secure boot or by "lockdown=1" on the kernel command line).

2. What is the Version-Release number of the kernel:
5.0.6-200.fc29.x86_64

3. Did it work previously in Fedora? If so, what kernel version did the issue
   *first* appear?  Old kernels are available for download at
   https://koji.fedoraproject.org/koji/packageinfo?packageID=8 :
The kernel blocks the loading of unsigned kernel modules (as expected) in 4.20.16-200.fc29.x86_64. I first observed the issue in 5.0.3-200.fc29.x86_64.

4. Can you reproduce this issue? If so, please provide the steps to reproduce
   the issue below:
Download hello.c and Makefile to a temporary folder, run ``make all`` then ``insmod hello.ko``

5. Does this problem occur with the latest Rawhide kernel? To install the
   Rawhide kernel, run ``sudo dnf install fedora-repos-rawhide`` followed by
   ``sudo dnf update --enablerepo=rawhide kernel``:


6. Are you running any modules that are not shipped directly with Fedora's kernel?:
Yes.

7. Please attach the kernel logs. You can get the complete kernel log
   for a boot with ``journalctl --no-hostname -k > dmesg.txt``. If the
   issue occurred on a previous boot, use the journalctl ``-b`` flag.
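
A defender-side check for the condition this report describes, as an added example that is not part of the original report or of Fedora's tooling: it flags loaded modules carrying the kernel's `E` (unsigned module) taint flag on a system booted with ``lockdown=1``. The function names are hypothetical, the sample data is constructed, and lockdown triggered by EFI secure boot is not detected by this check.

```shell
#!/bin/sh
# Added example: report unsigned modules on a kernel booted with lockdown=1.
# Paths are parameters so the logic can also be run against saved copies.

# Succeeds if the kernel command line carries the lockdown=1 parameter.
lockdown_requested() {
    tr ' ' '\n' < "$1" | grep -qx 'lockdown=1'
}

# Prints the names of loaded modules whose taint flags include E
# (TAINT_UNSIGNED_MODULE). In /proc/modules the flags are field 7, e.g. "(OE)".
unsigned_modules() {
    awk 'NF >= 7 && $7 ~ /^\(.*E.*\)$/ { print $1 }' "$1"
}

# Returns 1 (and lists offenders) when lockdown was requested but unsigned
# modules are loaded; returns 0 otherwise.
check_lockdown_modules() {
    cmdline=${1:-/proc/cmdline}
    modules=${2:-/proc/modules}
    lockdown_requested "$cmdline" || return 0
    found=$(unsigned_modules "$modules" | tr '\n' ' ')
    [ -z "$found" ] && return 0
    printf 'lockdown=1 set, but unsigned modules are loaded: %s\n' "$found"
    return 1
}

# Constructed sample data (not taken from the attached kernel log).
demo_dir=$(mktemp -d)
printf 'BOOT_IMAGE=/vmlinuz-5.0.6-200.fc29.x86_64 ro quiet lockdown=1\n' \
    > "$demo_dir/cmdline"
cat > "$demo_dir/modules" <<'EOF'
hello 16384 0 - Live 0xffffffffc0a5e000 (OE)
xfs 1503232 1 - Live 0xffffffffc08e1000
EOF
check_lockdown_modules "$demo_dir/cmdline" "$demo_dir/modules" \
    || echo "check failed with status $?"
rm -rf "$demo_dir"
```

Calling ``check_lockdown_modules`` with no arguments reads the live ``/proc/cmdline`` and ``/proc/modules``.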

Comment 1 Benjamin 2019-04-10 04:22:07 UTC
Created attachment 1554055
Makefile for module

Comment 2 Benjamin 2019-04-10 04:24:03 UTC
Created attachment 1554056
kernel log

Comment 3 Benjamin 2019-04-10 06:00:42 UTC
Could not test with rawhide kernel because the module could not be built (I couldn't install kernel-devel, so make failed in the absence of necessary files).

Comment 4 Benjamin 2019-05-01 00:48:32 UTC

*** This bug has been marked as a duplicate of bug 1696671 ***

