Kernel lockdown in 4.17?

The UEFI secure boot mechanism is intended to protect the system against persistent malware threats — unpleasant bits of software attached to the operating system or bootloader that will survive a reboot. While Linux has supported secure boot for some time, proponents have long said that this support is incomplete in that it is still possible for the root user to corrupt the system in a number of ways. Patches that attempt to close this hole have been circulating for years, but they have been controversial at best. This story may finally come to a close, though, if Linus Torvalds accepts the "kernel lockdown" patch series during the 4.17 merge window.

In theory, the secure-boot chain of trust ensures that the system will never run untrusted code in kernel mode. On current Linux systems, though, the root user (or any other user with sufficient capabilities) can do exactly that. For anybody who wants to use secure boot to ensure the integrity of their systems (or, perhaps, to prevent their customers from truly owning the system), this hole defeats the purpose of the whole exercise. Various kernel lockdown patches have been proposed over the years (LWN first covered them in 2012), but these patches have run into two types of criticism: (1) restricting what root can do goes against the design of Unix-like systems, and (2) locking down the system in this way still does not solve the problem.

Interest in this kind of lockdown persists, though, and the lockdown patches have been quietly maintained and improved over the years. These patches were last publicly posted in November. They were added to linux-next at the beginning of March, and found their way into the security tree on March 31. Security maintainer James Morris has not yet pushed the lockdown patches to Torvalds, but has indicated his intent to do so in the near future. So, unless Torvalds objects, it would appear that kernel lockdown will be a part of the 4.17 release.

How to lock down the kernel

The series of patches that implements this feature can be seen on kernel.org. It starts with a patch adding a configuration option for the lockdown feature and a kernel_is_locked_down() function to test whether lockdown is in effect. There is a lockdown boot parameter that can be used to enable lockdown, but lockdown also happens automatically if the feature is enabled and UEFI secure boot is detected. After this patch, the mode is implemented but it doesn't actually lock anything down yet.

No sooner was the lockdown option added than somebody wanted to be able to turn it off. Normally, the ability to defeat this kind of protection would be considered undesirable. In this case, it can only be done from the system console with the magic SysRq-x key sequence.

After that, the real restrictions are added. In lockdown mode, the kernel will refuse to load modules unless they either have a recognized signature or they can pass appraisal from the integrity measurement architecture (IMA) subsystem. Access to /dev/mem and /dev/kmem (which is already heavily restricted on most systems) is disabled entirely. /proc/kcore, which can be used to pull cryptographic keys from the kernel, is disabled.

Access to I/O ports via /dev/port is disallowed lest it be used to convince a device to overwrite important memory via a DMA operation. There are other places where hardware might be used to circumvent lockdown. To try to prevent that, any sort of access to PCI bus operations or parameters (the location of the base address register, for example) must be disabled. The ioperm() and iopl() system calls are disabled, as is direct access to x86 model-specific registers (MSRs).

The ACPI custom method mechanism is also capable of overwriting memory, so it is disabled. There are a few other hazards in ACPI, including the acpi_rsdp command-line parameter, which can be used to change the RSDP structure. The ACPI table override and APEI error injection mechanisms are turned off as well.

None of these changes will help in the case where a specific device driver can be used to overwrite memory. For example, the "eata" SCSI driver has a set of command-line options that control many of its hardware-level parameters; those must be disabled when lockdown is in effect. If anybody is trying to lock down a system that has PCMCIA hardware (younger readers can ask their parents about this), the ability to replace the card information structure (CIS) must be disabled. The serial-port TIOCSSERIAL ioctl() operation is problematic, since it can change I/O port settings. Many other hardware-controlling command-line parameters were annotated in 2016; under kernel lockdown they become unavailable.

There are a number of restrictions on the kexec mechanism (used to boot a new kernel directly from a running kernel). If the root user can switch to an arbitrary kernel, the system is clearly not locked down, so that must be prevented. The kexec_load() system call is disabled entirely; kexec_file_load(), which can enforce signatures, is still allowed. A mechanism has been added to ensure that the newly loaded kernel retains the secure-boot mode. Once again, IMA can be used as a substitute for signature verification.

"Hibernation" is the process of saving a snapshot of system memory to disk and powering down the system, with the intent of resuming from that snapshot in the future. There is also a variant called "uswsusp" where most of the work is done in user space. In either case, the kernel currently lacks a mechanism to ensure that the image it resumes from is the same as the one it saved at hibernation time. In other words, some clever editing of the hibernation image could be used to bypass lockdown. That is addressed by disabling hibernation and uswsusp entirely.

This whole exercise will be in vain, though, if an attacker is able to install kprobes into the running kernel, so that feature, too, is turned off. Some BPF operations that can read memory are also disabled. These changes will adversely affect a number of tracing use cases. The debugfs filesystem is disabled entirely on locked-down systems.

A secure system?

The end result of all this work is intended to be a kernel that cannot be subverted even by a privileged user. As is often the case with such features, kernel lockdown is a two-edged sword. A cloud-hosting provider has a strong incentive to ensure that its operating software has not been compromised, but that is also true of a provider of Linux-based consumer-electronics gadgets that simply wants to preserve a rent-seeking business model. It is hard to protect one type of system without protecting the other.

It is also hard to imagine a scenario where the lockdown feature provides complete protection. If nothing else, there must be a lot of device drivers that can still be used to get around restrictions. But proponents of the lockdown feature will argue that it raises the bar considerably, and that is generally the best that can be hoped for in this world. The one bar that still has to be overcome, though, is acceptance into the mainline. Torvalds has not yet expressed an opinion on this patch set. It would seem that much of the opposition to its merging has been overcome (or worn down), though, so merging into the mainline for 4.17 seems probable.

Index entries for this article
Kernel	Security/UEFI secure boot
Security	Linux kernel
Security	Secure boot

---

to post comments

Kernel lockdown in 4.17?

Posted Apr 2, 2018 21:15 UTC (Mon) by fratti (subscriber, #105722) [Link] (4 responses)

>In other words, some clever editing of the hibernation image could be used to bypass lockdown. That is addressed by disabling hibernation and uswsusp entirely.

What is it about Linux and hating hibernation in so many different ways? I feel like kernel developers want me to feel ashamed for using a laptop.

>but that is also true of a provider of Linux-based consumer-electronics gadgets that simply wants to preserve a rent-seeking business model.

That could be said of any security measure. Imagine a world where people use memory safe languages for systems programming; we couldn't run Linux on our PlayStations or what have you anymore.

I think the solution should be a legal one.

Kernel lockdown in 4.17?

Posted Apr 2, 2018 22:22 UTC (Mon) by smurf (subscriber, #17840) [Link] (1 responses)

Legal solutions won't work. The GPLv2 does allow locked-down kernels (or at least Linus publicly stated that he has no problem with that sort of thing), so what legal reason would there be for forcing manufacturers to allow you to replace a device's kernel? And even if there was such a reason, have fun enforcing it when you can't even get nominal GPL compliance from most makers of embedded systems. Or Android phones, for that matter.

Kernel lockdown in 4.17?

Posted Apr 3, 2018 4:06 UTC (Tue) by pabs (subscriber, #43278) [Link]

I imagine it would be separate to copyright licenses and probably be more related to the Right to Repair movement, who violate the circumvention provisions of the DMCA to hack around the DRM in tractors. I can easily see that resulting in a right to control or replace the software running on devices you have purchased.

Kernel lockdown in 4.17?

Posted Apr 3, 2018 4:46 UTC (Tue) by marcH (subscriber, #57642) [Link]

> I think the solution should be a legal one.

The solution to which problem? We have the freedom to choose between GPLv2 vs GPLv3 products. Yet for some reason the vast majority of people seem happy with products that restrict what they can do much more than with *either* GPL version: should that be regulated too/first? Prohibition of closed-source software, now that could be an interesting social experiment...

Kernel lockdown in 4.17?

Posted Apr 3, 2018 9:07 UTC (Tue) by johan (guest, #112044) [Link]

> What is it about Linux and hating hibernation in so many different ways? I feel like kernel developers want me to feel ashamed for using a laptop.

I hope this is just for hibernation though, hopefully suspend (saves state to RAM instead of to disk) is still supported.

Kernel lockdown in 4.17?

Posted Apr 3, 2018 10:02 UTC (Tue) by ardbiesheuvel (subscriber, #89747) [Link] (1 responses)

My primary objection to these patches is that it gives a false sense of security, and when the patches were under review, I strongly argued for
a) calling it a 'lockdown policy' rather than 'lockdown', emphasizing that it is best effort rather than absolute,
b) logging specifics about what that policy means on the current system.

In my experience, without such clarifications, there will be many users that assume that everything they do on a locked down system is magically more secure than it was before, and will act accordingly, resulting in a net decrease in security. Also, considering that lockdown will mean different things across architectures and across kernel versions, a locked down v4.17 arm64 kernel will be quite different from a, say, v5.1 x86 kernel, and you'll have to consult the kernel sources and your .config file to figure out what is being protected and what is not.

Kernel lockdown in 4.17?

Posted Apr 3, 2018 14:16 UTC (Tue) by unixbhaskar (guest, #44758) [Link]

Make absolute sense and I do agree. It should be a preferential policy for those, who wanted it. There is no point imposing something, which doesn't bring any solidarity in terms of security(I mean so-called security). Plus we need to measure how much overhead does it bring when in an active state or in an inactive state. The idea seems good but needs more work I believe.

Calendrical quandary

Posted Apr 3, 2018 11:36 UTC (Tue) by mbg (subscriber, #4940) [Link]

So when 1 April falls on Easter Sunday (or should that be the other way around?), is it a "public holiday" in your jurisdiction?

Kernel lockdown in 4.17?

Posted Apr 3, 2018 14:45 UTC (Tue) by ju3Ceemi (subscriber, #102464) [Link] (12 responses)

I do not see this as a dump feature
However, I do see this as an ultra-niche feature, something that may, in theory, be useful, but will not be commonly used in the real world

After all, one who wants to "lockdown" a machine with this must own and maintain the whole chain : he must master the bios ""secure boot"" features, for instance. He must compile himself every kernel updates.

If a user can use his own kernel (or any kernel from Debian, redhat or any common distrib), then this user can recompile this kernel without the lockdown code, hence breaking the jail.

I fear that many confusion will rise with such feature.

Kernel lockdown in 4.17?

Posted Apr 3, 2018 23:31 UTC (Tue) by nivedita76 (subscriber, #121790) [Link]

It would actually be used in the real world. Most linux installations are commercial servers/cloud providers who would probably find this useful.

The individual user who recompiles his own kernel is the ultra-niche, actually.

Kernel lockdown in 4.17?

Posted Apr 4, 2018 7:37 UTC (Wed) by flussence (guest, #85566) [Link] (10 responses)

I think you're correct, this doesn't have good connotations. The threat model for this seems to be to prevent the system administrator from using the system in ways not approved by whoever controls the bootloader. And since the firmware owner can never be the same person who bought and rightfully owns the system — because UEFI/BIOS is still proprietary — this can *only* be used as a form of DRM (the greed kind, not the graphics one).

If this is implemented in mainline it makes Microsoft's end goal significantly easier - “Linux”* (*approved distros) supports Secure Boot now, so would all the clueless UEFI implementers fall in line and kindly remove the unnecessary non-secure mode and user-enrolled keys? For your safety, of course.

Kernel lockdown in 4.17?

Posted Apr 4, 2018 8:07 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

Several years ago I've used DRM lockdown system to ensure the physical security of data, even if the server with them was stolen.

I used a simple "remote attestation" model where the trusted code retrieved remote keys and used them to decrypt the root partition, load its kernel and kexec into it.

Kernel lockdown in 4.17?

Posted Apr 4, 2018 17:06 UTC (Wed) by nilsmeyer (guest, #122604) [Link] (3 responses)

That's a pretty interesting idea, I was toying with a similar idea, using initramfs and a TTL based LUKS key to unlock my device after reboot. My idea was to do this:

• Create a random key, store in separate luks key slot
• Store random key in etcd (or similar) with TTL (5 minutes or so)
• At boot, request password from etcd to auto-unlock
• if the key is timed out, prompt for password

I only need a way to authenticate the initrd image. This is mainly so I don't have to manually unlock upon reboot while still maintaining some security, the timeout should be the time it takes to boot, so that when someone physically removes the server the key is no longer valid. Currently, I'm using dropbear in initramfs to login and unlock, but this doesn't verify the integrity of the initramfs either and the private key for dropbear has to be stored in initramfs.

Kernel lockdown in 4.17?

Posted Apr 4, 2018 17:54 UTC (Wed) by zdzichu (subscriber, #17118) [Link] (2 responses)

Before reimplementing the wheel, please see Clevis/Tang solution used in Fedora; for example https://www.usenix.org/conference/lisa16/conference-progr...

Kernel lockdown in 4.17?

Posted Apr 4, 2018 19:01 UTC (Wed) by nilsmeyer (guest, #122604) [Link] (1 responses)

Thanks, that looks very interesting. Dracut isn't very well supported in Debian based distros but that part I can build myself if need be.

Kernel lockdown in 4.17?

Posted Apr 5, 2018 7:02 UTC (Thu) by pabs (subscriber, #43278) [Link]

dracut is available in Debian and is supposed to work, please report bugs if you find any issues. ISTR there was even some talk of switching to it by default a while back.

Kernel lockdown in 4.17?

Posted Apr 5, 2018 15:44 UTC (Thu) by zlynx (guest, #2285) [Link] (4 responses)

A couple of laptops ago, this was a Dell XPS 13, I had it set up to secure boot with an enrolled key of my very own. And I made a script wrapper for the kernel compile to sign everything. If there was some official Fedora way to do it, I didn't find it. I guess they have a separate signature action somewhere in their build process.

But anyway, my method worked and booted a kernel signed by my key. Even though this wasn't great since the signing key was in my /root directory where anyone could find it.

So nothing in secure boot stops the system administrator from using secure boot for their own purposes.

Kernel lockdown in 4.17?

Posted Apr 8, 2018 4:14 UTC (Sun) by flussence (guest, #85566) [Link] (3 responses)

It does help if the hardware manufacturer has the presence of mind to implement UEFI properly… the one system I own with it (some no-name board with an AMI firmware) doesn't even let me turn Secure Boot *on*, there's no hint of it anywhere in the setup (or efivarfs). I'm pretty sure that violates spec.

Kernel lockdown in 4.17?

Posted Apr 8, 2018 18:21 UTC (Sun) by jem (subscriber, #24231) [Link] (2 responses)

Secure Boot wasn't introduced until the 2.3.1 "Errata C" version of the UEFI spec. So if the manufacturer doesn't claim the firmware is newer than that, then it doesn't violate the spec.

Kernel lockdown in 4.17?

Posted Apr 8, 2018 18:58 UTC (Sun) by smurf (subscriber, #17840) [Link] (1 responses)

Umm … seriously? they really introduced a major feature in a micro release?

Owch.

Kernel lockdown in 4.17?

Posted Apr 12, 2018 16:11 UTC (Thu) by flussence (guest, #85566) [Link]

It only violates common sense and good taste then… but that's nothing new for firmware.

Not in 4.17 after all

Posted Apr 3, 2018 22:39 UTC (Tue) by corbet (editor, #1) [Link] (3 responses)

Discussion on the linux-kernel list has made it clear that there is not yet a consensus around the lockdown patches, so security maintainer James Morris has said that he no longer plans to push them for 4.17.

Not in 4.17 after all

Posted Apr 4, 2018 2:53 UTC (Wed) by unixbhaskar (guest, #44758) [Link] (2 responses)

For everyone's sake, here is the pointer to the discussion in details...

https://lkml.org/lkml/2018/3/30/602

Not in 4.17 after all

Posted Apr 5, 2018 6:40 UTC (Thu) by ashkulz (guest, #102382) [Link] (1 responses)

Further down the thread, Linus says he is unlikely to merge it at all:

http://lkml.iu.edu/hypermail/linux/kernel/1804.0/01607.html

Not in 4.17 after all

Posted Apr 5, 2018 11:24 UTC (Thu) by smurf (subscriber, #17840) [Link]

Umm, not entirely. The part Linus is objecting to is the idea that auto-enabling the lockdown features when secure-boot is in effect makes any sense whatsoever. Linus' opinion is that whether you boot securely and whether the kernel is subsequently locked down are two independent concepts and it's stupid to conflate them.

Kernel lockdown in 4.17?

Posted Apr 5, 2018 11:21 UTC (Thu) by SLi (subscriber, #53131) [Link] (1 responses)

> In theory, the secure-boot chain of trust ensures that the system will never run untrusted code in kernel mode. On current Linux systems, though, the root user (or any other user with sufficient capabilities) can do exactly that. For anybody who wants to use secure boot to ensure the integrity of their systems (or, perhaps, to prevent their customers from truly owning the system), this hole defeats the purpose of the whole exercise.

Do I understand correctly that it not only defeats the purpose for Linux users, but actually for everybody anywhere ever using secure boot, if a signed kernel image allowing arbitrary kernel code to run exists? Couldn't such a kernel be used to boot another secure OS with a false assurance that the boot process has not been tampered with? Or is there some step where the signature of the booted kernel is measured by a TPM in a way that another secure boot targets in reality can detect (wouldn't that also prevent using Grub to boot them, since that's not distinguishable from the kernel in a meaningful way)?

Kernel lockdown in 4.17?

Posted Apr 6, 2018 1:15 UTC (Fri) by neilbrown (subscriber, #359) [Link]

> Do I understand correctly that it not only defeats the purpose for Linux users, but actually for everybody anywhere ever using secure boot, if a signed kernel image allowing arbitrary kernel code to run exists?

Not really.
With physical access, you can install the keys of your choice into your hardware (if you cannot, then it isn't your hardware).
Each key should have some policy associated, with the meaning "This will only be used to sign code which abides by the given policy". If anything else ever gets signed, then the key is compromised.
If there is some particular policy that you want to impose, then you should disable any keys that have a broader policy, or that have been compromised.