Kernel lockdown in 4.17?
In theory, the secure-boot chain of trust ensures that the system will never run untrusted code in kernel mode. On current Linux systems, though, the root user (or any other user with sufficient capabilities) can do exactly that. For anybody who wants to use secure boot to ensure the integrity of their systems (or, perhaps, to prevent their customers from truly owning the system), this hole defeats the purpose of the whole exercise. Various kernel lockdown patches have been proposed over the years (LWN first covered them in 2012), but these patches have run into two types of criticism: (1) restricting what root can do goes against the design of Unix-like systems, and (2) locking down the system in this way still does not solve the problem.
Interest in this kind of lockdown persists, though, and the lockdown patches have been quietly maintained and improved over the years. These patches were last publicly posted in November. They were added to linux-next at the beginning of March, and found their way into the security tree on March 31. Security maintainer James Morris has not yet pushed the lockdown patches to Torvalds, but has indicated his intent to do so in the near future. So, unless Torvalds objects, it would appear that kernel lockdown will be a part of the 4.17 release.
How to lock down the kernel
The series of patches that implements this feature can be seen on kernel.org. It starts with a patch adding a configuration option for the lockdown feature and a kernel_is_locked_down() function to test whether lockdown is in effect. There is a lockdown boot parameter that can be used to enable lockdown, but lockdown also happens automatically if the feature is enabled and UEFI secure boot is detected. After this patch, the mode is implemented but it doesn't actually lock anything down yet.
No sooner was the lockdown option added than somebody wanted to be able to turn it off. Normally, the ability to defeat this kind of protection would be considered undesirable. In this case, it can only be done from the system console with the magic SysRq-x key sequence.
After that, the real restrictions are added. In lockdown mode, the kernel will refuse to load modules unless they either have a recognized signature or they can pass appraisal from the integrity measurement architecture (IMA) subsystem. Access to /dev/mem and /dev/kmem (which is already heavily restricted on most systems) is disabled entirely. /proc/kcore, which can be used to pull cryptographic keys from the kernel, is disabled.
Access to I/O ports via /dev/port is disallowed lest it be used to convince a device to overwrite important memory via a DMA operation. There are other places where hardware might be used to circumvent lockdown. To try to prevent that, any sort of access to PCI bus operations or parameters (the location of the base address register, for example) must be disabled. The ioperm() and iopl() system calls are disabled, as is direct access to x86 model-specific registers (MSRs).
The ACPI custom method mechanism is also capable of overwriting memory, so it is disabled. There are a few other hazards in ACPI, including the acpi_rsdp command-line parameter, which can be used to change the RSDP structure. The ACPI table override and APEI error injection mechanisms are turned off as well.
None of these changes will help in the case where a specific device driver can be used to overwrite memory. For example, the "eata" SCSI driver has a set of command-line options that control many of its hardware-level parameters; those must be disabled when lockdown is in effect. If anybody is trying to lock down a system that has PCMCIA hardware (younger readers can ask their parents about this), the ability to replace the card information structure (CIS) must be disabled. The serial-port TIOCSSERIAL ioctl() operation is problematic, since it can change I/O port settings. Many other hardware-controlling command-line parameters were annotated in 2016; under kernel lockdown they become unavailable.
There are a number of restrictions on the kexec mechanism (used to boot a new kernel directly from a running kernel). If the root user can switch to an arbitrary kernel, the system is clearly not locked down, so that must be prevented. The kexec_load() system call is disabled entirely; kexec_file_load(), which can enforce signatures, is still allowed. A mechanism has been added to ensure that the newly loaded kernel retains the secure-boot mode. Once again, IMA can be used as a substitute for signature verification.
"Hibernation" is the process of saving a snapshot of system memory to disk and powering down the system, with the intent of resuming from that snapshot in the future. There is also a variant called "uswsusp" where most of the work is done in user space. In either case, the kernel currently lacks a mechanism to ensure that the image it resumes from is the same as the one it saved at hibernation time. In other words, some clever editing of the hibernation image could be used to bypass lockdown. That is addressed by disabling hibernation and uswsusp entirely.
This whole exercise will be in vain, though, if an attacker is able to install kprobes into the running kernel, so that feature, too, is turned off. Some BPF operations that can read memory are also disabled. These changes will adversely affect a number of tracing use cases. The debugfs filesystem is disabled entirely on locked-down systems.
A secure system?
The end result of all this work is intended to be a kernel that cannot be subverted even by a privileged user. As is often the case with such features, kernel lockdown is a two-edged sword. A cloud-hosting provider has a strong incentive to ensure that its operating software has not been compromised, but that is also true of a provider of Linux-based consumer-electronics gadgets that simply wants to preserve a rent-seeking business model. It is hard to protect one type of system without protecting the other.
It is also hard to imagine a scenario where the lockdown feature provides
complete protection. If nothing else, there must be a lot of device
drivers that can still be used to get around restrictions. But proponents
of the lockdown feature will argue that it raises the bar considerably, and
that is generally the best that can be hoped for in this world. The one
bar that still has to be overcome, though, is acceptance into the
mainline. Torvalds has not yet expressed an opinion on this patch set. It
would seem that much of the opposition to its merging has been overcome (or
worn down), though, so merging into the mainline for 4.17 seems probable.
| Index entries for this article | |
|---|---|
| Kernel | Security/UEFI secure boot |
| Security | Linux kernel |
| Security | Secure boot |
Posted Apr 2, 2018 21:15 UTC (Mon)
by fratti (guest, #105722)
[Link] (4 responses)
What is it about Linux and hating hibernation in so many different ways? I feel like kernel developers want me to feel ashamed for using a laptop.
>but that is also true of a provider of Linux-based consumer-electronics gadgets that simply wants to preserve a rent-seeking business model.
That could be said of any security measure. Imagine a world where people use memory safe languages for systems programming; we couldn't run Linux on our PlayStations or what have you anymore.
I think the solution should be a legal one.
Posted Apr 2, 2018 22:22 UTC (Mon)
by smurf (subscriber, #17840)
[Link] (1 responses)
Posted Apr 3, 2018 4:06 UTC (Tue)
by pabs (subscriber, #43278)
[Link]
Posted Apr 3, 2018 4:46 UTC (Tue)
by marcH (subscriber, #57642)
[Link]
The solution to which problem? We have the freedom to choose between GPLv2 vs GPLv3 products. Yet for some reason the vast majority of people seem happy with products that restrict what they can do much more than with *either* GPL version: should that be regulated too/first? Prohibition of closed-source software, now that could be an interesting social experiment...
Posted Apr 3, 2018 9:07 UTC (Tue)
by johan (guest, #112044)
[Link]
I hope this is just for hibernation though, hopefully suspend (saves state to RAM instead of to disk) is still supported.
Posted Apr 3, 2018 10:02 UTC (Tue)
by ardbiesheuvel (subscriber, #89747)
[Link] (1 responses)
In my experience, without such clarifications, there will be many users that assume that everything they do on a locked down system is magically more secure than it was before, and will act accordingly, resulting in a net decrease in security. Also, considering that lockdown will mean different things across architectures and across kernel versions, a locked down v4.17 arm64 kernel will be quite different from a, say, v5.1 x86 kernel, and you'll have to consult the kernel sources and your .config file to figure out what is being protected and what is not.
Posted Apr 3, 2018 14:16 UTC (Tue)
by unixbhaskar (guest, #44758)
[Link]
Posted Apr 3, 2018 11:36 UTC (Tue)
by mbg (subscriber, #4940)
[Link]
Posted Apr 3, 2018 14:45 UTC (Tue)
by ju3Ceemi (subscriber, #102464)
[Link] (12 responses)
After all, one who wants to "lockdown" a machine with this must own and maintain the whole chain : he must master the bios ""secure boot"" features, for instance. He must compile himself every kernel updates.
If a user can use his own kernel (or any kernel from Debian, redhat or any common distrib), then this user can recompile this kernel without the lockdown code, hence breaking the jail.
I fear that many confusion will rise with such feature.
Posted Apr 3, 2018 23:31 UTC (Tue)
by nivedita76 (guest, #121790)
[Link]
The individual user who recompiles his own kernel is the ultra-niche, actually.
Posted Apr 4, 2018 7:37 UTC (Wed)
by flussence (guest, #85566)
[Link] (10 responses)
If this is implemented in mainline it makes Microsoft's end goal significantly easier - “Linux”* (*approved distros) supports Secure Boot now, so would all the clueless UEFI implementers fall in line and kindly remove the unnecessary non-secure mode and user-enrolled keys? For your safety, of course.
Posted Apr 4, 2018 8:07 UTC (Wed)
by Cyberax (✭ supporter ✭, #52523)
[Link] (4 responses)
I used a simple "remote attestation" model where the trusted code retrieved remote keys and used them to decrypt the root partition, load its kernel and kexec into it.
Posted Apr 4, 2018 17:06 UTC (Wed)
by nilsmeyer (guest, #122604)
[Link] (3 responses)
Posted Apr 4, 2018 17:54 UTC (Wed)
by zdzichu (subscriber, #17118)
[Link] (2 responses)
Posted Apr 4, 2018 19:01 UTC (Wed)
by nilsmeyer (guest, #122604)
[Link] (1 responses)
Posted Apr 5, 2018 7:02 UTC (Thu)
by pabs (subscriber, #43278)
[Link]
Posted Apr 5, 2018 15:44 UTC (Thu)
by zlynx (guest, #2285)
[Link] (4 responses)
But anyway, my method worked and booted a kernel signed by my key. Even though this wasn't great since the signing key was in my /root directory where anyone could find it.
So nothing in secure boot stops the system administrator from using secure boot for their own purposes.
Posted Apr 8, 2018 4:14 UTC (Sun)
by flussence (guest, #85566)
[Link] (3 responses)
Posted Apr 8, 2018 18:21 UTC (Sun)
by jem (subscriber, #24231)
[Link] (2 responses)
Posted Apr 8, 2018 18:58 UTC (Sun)
by smurf (subscriber, #17840)
[Link] (1 responses)
Owch.
Posted Apr 12, 2018 16:11 UTC (Thu)
by flussence (guest, #85566)
[Link]
Posted Apr 3, 2018 22:39 UTC (Tue)
by corbet (editor, #1)
[Link] (3 responses)
Posted Apr 4, 2018 2:53 UTC (Wed)
by unixbhaskar (guest, #44758)
[Link] (2 responses)
Posted Apr 5, 2018 6:40 UTC (Thu)
by ashkulz (guest, #102382)
[Link] (1 responses)
Posted Apr 5, 2018 11:24 UTC (Thu)
by smurf (subscriber, #17840)
[Link]
Posted Apr 5, 2018 11:21 UTC (Thu)
by SLi (subscriber, #53131)
[Link] (1 responses)
Do I understand correctly that it not only defeats the purpose for Linux users, but actually for everybody anywhere ever using secure boot, if a signed kernel image allowing arbitrary kernel code to run exists? Couldn't such a kernel be used to boot another secure OS with a false assurance that the boot process has not been tampered with? Or is there some step where the signature of the booted kernel is measured by a TPM in a way that another secure boot targets in reality can detect (wouldn't that also prevent using Grub to boot them, since that's not distinguishable from the kernel in a meaningful way)?
Posted Apr 6, 2018 1:15 UTC (Fri)
by neilbrown (subscriber, #359)
[Link]
Not really.
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
a) calling it a 'lockdown policy' rather than 'lockdown', emphasizing that it is best effort rather than absolute,
b) logging specifics about what that policy means on the current system.
Kernel lockdown in 4.17?
Calendrical quandary
Kernel lockdown in 4.17?
However, I do see this as an ultra-niche feature, something that may, in theory, be useful, but will not be commonly used in the real world
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
That's a pretty interesting idea, I was toying with a similar idea, using initramfs and a TTL based LUKS key to unlock my device after reboot. My idea was to do this:
Kernel lockdown in 4.17?
I only need a way to authenticate the initrd image.
This is mainly so I don't have to manually unlock upon reboot while still maintaining some security, the timeout should be the time it takes to boot, so that when someone physically removes the server the key is no longer valid.
Currently, I'm using dropbear in initramfs to login and unlock, but this doesn't verify the integrity of the initramfs either and the private key for dropbear has to be stored in initramfs.
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
Discussion on the linux-kernel list has made it clear that there is not yet a consensus around the lockdown patches, so security maintainer James Morris has said that he no longer plans to push them for 4.17.
Not in 4.17 after all
Not in 4.17 after all
Not in 4.17 after all
Not in 4.17 after all
Kernel lockdown in 4.17?
Kernel lockdown in 4.17?
With physical access, you can install the keys of your choice into your hardware (if you cannot, then it isn't your hardware).
Each key should have some policy associated, with the meaning "This will only be used to sign code which abides by the given policy". If anything else ever gets signed, then the key is compromised.
If there is some particular policy that you want to impose, then you should disable any keys that have a broader policy, or that have been compromised.