Kernel lockdown locked out — for now

By Jonathan Corbet
April 6, 2018

As the 4.17 merge window opened, it seemed possible that the kernel lockdown patch set could be merged at last. That was before the linux-kernel mailing list got its hands on the issue. What resulted was not one of the kernel community's finest moments. But it did result in a couple of evident conclusions: kernel lockdown will almost certainly not be merged for 4.17, but something that looks very much like it is highly likely to be accepted in a subsequent merge window.

As a reminder: the purpose of the lockdown patches is to enforce a distinction between running as root and the ability to run code in kernel mode. Proponents of UEFI secure boot maintain that this separation is necessary; otherwise the promise of secure boot (that the system will only run trusted code in kernel mode) cannot be kept. Closing off the paths by which a privileged attacker could run arbitrary code in kernel mode requires disabling a number of features in the kernel; see the above-linked article for the details. Most users will never miss the disabled features, but there are always exceptions.

There are, naturally, a number of disagreements on how the lockdown mode is implemented. The use of a blacklist to disable "dangerous" kernel command-line options seems sure to let some of those options through. It is unlikely that all of the potentially hazardous operations supported by device drivers can ever be found. And so on.

The interesting thing, though, is that almost nobody seems to object to the lockdown concept in general — as long as it can be turned off. Even Linus Torvalds, who argued against the lockdown patches and their developers in typical Torvalds style, sees some potential value in the lockdown concept. There does not appear to be any significant opposition to making it available in the kernel.

The sticking point

The reason that the lockdown patches will not be merged this time around thus doesn't depend on their core purpose. Instead, the whole thing hinges on a single detail: the patch set automatically turns the lockdown mode on if secure boot is detected at startup time. It is the tying together of lockdown and secure boot that brought about a long and unpleasant linux-kernel thread.

Torvalds pointed out that there is a long list of security-related features that can be enabled in current kernels. None of those features depend on whether secure boot is enabled on the system; they are configured in or out on their own merits. The behavior of the kernel should not vary as a result of a BIOS setting, he argued. He also claimed that connecting the two features means that few kernel developers will ever test kernels with lockdown enabled, since few of them enable secure boot on their development systems. No "sane distribution" would ship a kernel with this mode turned on, he said. One little problem with that last claim, as Matthew Garrett pointed out, is that many major distributions have been shipping a version of this patch set for about five years.

On the other side, proponents argue that lockdown without secure boot (or something like it) will instill a false sense of security, since the lockdown can be circumvented by attacking the boot chain. As Garrett put it: "Without some sort of verified boot mechanism, lockdown is just security theater". The same is said to be true of a kernel that supports secure boot without lockdown; that kernel can be compromised after boot to run untrusted code in kernel mode — exactly the scenario that secure boot is meant to prevent. A secure-boot kernel without lockdown is not only false security for its user; it is presented as a threat to others as well:

Because a kernel signed with a generally trusted key that doesn't implement any lockdown functionality is effectively a bootloader that will load unsigned material on most machines on the market, which reduces the security of users running those machines with Secure Boot enabled.

See also this blog post from Garrett describing his view of this discussion in more detail.

Not everybody agrees that lockdown without secure boot is useless; they see it like all of the other hardening technologies that have been put into the kernel. Compromising the boot chain (and forcing a reboot) is not always an easy thing to do, especially for a remote attacker. Secure boot is unlikely to ever protect all of the places where a persistent exploit could be placed anyway — init scripts, for example. Even without secure boot, it is argued, lockdown raises the bar for a potential attacker.

The "bootloader" argument is an interesting one; it says that a kernel without lockdown can be compromised and used to load a new, modified kernel that hides any malware it contains. According to Peter Jones, this is a common model for malware installations. Under this line of reasoning, any kernel that can be corrupted in this way and carries a signature that will enable it to boot on a secure-boot system can be used to attack any system that trusts the signing key. Automatically enabling lockdown with secure boot is a way to avoid creating this kind of attack tool.

If that is the issue, Alan Cox said, then we have already lost:

Vendors of all OS's have released enough buggy but signed kernel images over the past years that rummaging around in the archive will find you a wide choice of signed boot images that'll then let you do wtf you like including chaining some other target.

One other aspect of this issue that came up briefly is the fear that, if Linux looks like a tool that can be used to compromise secure-boot systems running Windows, that Microsoft might blacklist the signing key and render Linux unbootable on most x86 hardware. David Howells expressed this worry, for example. Greg Kroah-Hartman said, though, that he has researched this claim numerous times and it has turned out to be an "urban myth".

Resolution?

Toward the end of the discussion, Torvalds (and others) suggested that lockdown should just be enabled unconditionally, especially since distributors have been shipping it for some time. The problem with that, of course, is that lockdown does occasionally break a working system. In such cases, users have been advised by distributors to disable secure boot as the easiest solution. Torvalds rephrased that point:

We'd like to just enable it all the time, but it's known to break some unusual hardware cases that we can't fix in software, and we wanted *some* way to disable it that requires explicit and verified user intervention to do that, and disabling secure boot is the easiest hack we could come up with.

Had things been expressed that way from the beginning, he said, the connection between lockdown and secure boot would have been "much more palatable".

A statement like that strongly suggests that the lockdown feature, even perhaps with a secure-boot connection, should be able to get past Torvalds eventually. Howells has said that he is reworking the patch set to loosen that connection, which may help as well. While another attempt to push this work for 4.17 could happen, it seems more likely that everybody will want to step away from this discussion and address the issue again in 4.18.

Index entries for this article
Kernel	Security/UEFI secure boot
Security	Linux kernel
Security	Secure boot

Kernel lockdown vis-à-vis secure-boot

Posted Apr 8, 2018 9:13 UTC (Sun) by darwish (guest, #102479) [Link] (6 responses)

I agree with Linus that lockdown is really orthogonal to secure-boot.

I've written a number of remote exploits (white-hat; merged in Metasploit), and the ability to modify the boot chain is not as easy as the lockdown authors claim. It might be much easier in the servers world due to extreme PC boot-protocol standardization, but it's hard as hell in the embedded world due to esoteric SoCs, unknown custom-built boot-loaders, and read-only storage.

In these cases, and even without secure-boot, basic kernel hardening features like disabling /dev/mem, /proc/<pid>/mem, /proc/kcore, etc. etc. are __invaluable__ in making the attackers life much harder -- even if they got execute access as UID 0.

Yes, with UID0 the attacker can create a kernel module to re-expose all that, but again this is embedded: (f)init_module() might be removed from the kernel. Even funnier: you might only have a root _shell_ access, but not pure uid 0 binary execution context; and then you find yourself with a busybox having wget and insmod removed ;-) You try to write your exploit ELF, byte by byte, using 'echo' to a tmpfs partition; on a lot of devices this will succeed, but others might have a brain-dead 'echo' version that does not support the necessary "-en" parameters, and so on.

So, honestly, Linus is __absolutely__ right:

"Because as long as the explanation is just some 'you must use secure boot or you've already lost and further security is pointless' hocus-pocus magical thinking, I immediately go 'no, that sounds completely bogus and it makes testing and coverage much worse, we've done other things quite like that without this secure boot tie-in'".

Kernel lockdown vis-à-vis secure-boot

Posted Apr 8, 2018 17:00 UTC (Sun) by bluca (subscriber, #118303) [Link]

It might be orthogonal, but it is hella useful to have lockdown enabled automatically when secure booting. It's just a few lines. Sure, by all means, put it behind a disabled-by-default kconfig. But why take the feature away? Distros clearly like it and their customers want it, given it's been shipping for years.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 0:22 UTC (Mon) by nivedita76 (subscriber, #121790) [Link] (4 responses)

lockdown is useful without secure boot. I think the point was more that secure boot is not very useful without lockdown.

embedded doesn't seem very relevant in any case, it's not going to have UEFI secure boot in any case. The argument is about whether you should turn lockdown on automatically if secure boot is enabled, which is really only a PC/x86 server thing for the most part.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 6:16 UTC (Mon) by darwish (guest, #102479) [Link]

Embedded _is_ relevant in that case, and my post was a reply to the lockdown's author (direct) quote in the article claiming that "Without some sort of verified boot mechanism, lockdown is just security theater".

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 9:53 UTC (Mon) by excors (subscriber, #95769) [Link] (2 responses)

Depending on your definition of "embedded", Intel does(/did) make embedded SoCs for tablets etc that use a UEFI BIOS and Secure Boot.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 9, 2018 11:01 UTC (Mon) by kugel (subscriber, #70540) [Link] (1 responses)

Also SoCs for Routers (e.g. https://blogs.intel.com/iot/2016/05/18/intel-puma/). I work with those.

Kernel lockdown vis-à-vis secure-boot

Posted Apr 10, 2018 13:12 UTC (Tue) by arekm (guest, #4846) [Link]

"Intel Pumageddon" (google)

Kernel lockdown locked out — for now

Posted Apr 8, 2018 11:48 UTC (Sun) by niner (subscriber, #26151) [Link] (5 responses)

I wonder if virtualization has come up in the discussion. I can imagine lockdown being a good tool to further harden virtual machines. We use the one VM per service model to make it harder for an attacker to spread in case of a breach in one service. Lockdown sounds like something that would make it harder to attack the hypervisor even if the attacker gained root privileges in a VM. No need for secure boot to gain some advantage in that case (assuming the hypervisor is properly protected from the network).

Kernel lockdown locked out — for now

Posted Apr 8, 2018 13:17 UTC (Sun) by epa (subscriber, #39769) [Link] (4 responses)

Isn’t the whole point of a VM that you can run whatever OS and kernel you want? If that choice is removed you might as well offer users a container-based setup where they can have ‘root’ but are really just another user on a large system.

Kernel lockdown locked out — for now

Posted Apr 8, 2018 15:07 UTC (Sun) by niner (subscriber, #26151) [Link] (2 responses)

Running multiple operating systems on the same hardware is one use case for VMs. Our's is increased security through compartmentalization. We do not rent out our hardware to other people. We run our own applications consisting of a plethora of inter-operating services and simply assume that none of these services is 100 % proof against intruders. Thus we put them into different VMs with narrow and clearly defined interfaces, so when an intruder finds a hole in one service, it would still be hard to get into the rest of the system. And that's where lockdown could help even without secure boot provided by the firmware.

Kernel lockdown locked out — for now

Posted Apr 10, 2018 3:51 UTC (Tue) by pabs (subscriber, #43278) [Link] (1 responses)

Are you using Kata Containers (formerly Intel Clear Containers) or your own custom mechanism for this?

https://katacontainers.io/

Kernel lockdown locked out — for now

Posted Apr 10, 2018 6:32 UTC (Tue) by niner (subscriber, #26151) [Link]

We do it the old fashioned way with heavy weight kvm machines and puppet. Kata is certainly very tempting, but you know how it is. The system is running quite well as it is and there's always stuff to keep you busy, like the EU GDPR. So I guess Kata Containers will have some more time to mature till we give it a try :)

Kernel lockdown locked out — for now

Posted Apr 8, 2018 15:13 UTC (Sun) by Paf (subscriber, #91811) [Link]

I think the suggestion is that it could further harden an existing VM. So you can still put whatever you want in there and then lock it down. You seem to be imagining a world where the hypervisor comes prelocked or something, but I don’t think that’s what niner is suggesting.

microcode

Posted Apr 8, 2018 18:59 UTC (Sun) by ballombe (subscriber, #9523) [Link] (1 responses)

How does lockdown deals with CPU microcode ? can spectre be used to bypass lockdown ?

microcode

Posted Apr 9, 2018 7:02 UTC (Mon) by matthias (subscriber, #94967) [Link]

The spectre (and meltdown) attacks are designed to work without privileged (UID 0) access. Unprivileged users do not have access to the interfaces that will be locked down, anyway. Therefore it makes no difference for these attacks, whether root is allowed (status quo) or disallowed (lockdown) to access these interfaces.

Kernel lockdown locked out — for now

Posted Apr 24, 2018 5:22 UTC (Tue) by mcortese (guest, #52099) [Link] (1 responses)

I can understand that someone values convenience above security and doesn't want to enable neither secure boot, nor kernel lockdown. At the other end of the spectrum, those highly concerned with security will enable both. Somewhere in the middle, someone might want the increased security of lockdown without the hassle of enabling secure boot.

But who will want to go so far as to enable secure boot and then fails to avtivate lockdown?

In other words, who will benefit from lockdown not automatically activated by secure boot?

Kernel lockdown locked out — for now

Posted Apr 24, 2018 19:06 UTC (Tue) by zlynx (guest, #2285) [Link]

Well, recently I wanted to access the DRM debug data. But I can't because of kernel lockdown. I wanted a quick GRUB boot command edit, but instead I had to disable secure boot in the EFI. Annoying.

Maybe I missed finding a Fedora command-line option that would have done it.