![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
mjg59The Linux kernel lockdown patches were merged into the 5.4 kernel last year, which means they're now part of multiple distributions. For me this was a 7-year journey, which means it's easy to forget that others aren't as invested in the code as I am. Here's what these patches are intended to achieve, why they're implemented in the current form and what people should take into account when deploying the feature.
Root is a user - a privileged user, but nevertheless a user. Root is not identical to the kernel. Processes running as root still can't dereference addresses that belong to the kernel, are still subject to the whims of the scheduler and so on. But historically that boundary has been very porous. Various interfaces make it straightforward for root to modify kernel code (such as loading modules or using /dev/mem), while others make it less straightforward (being able to load new ACPI tables that can cause the ACPI interpreter to overwrite the kernel, for instance). In the past that wasn't seen as a significant issue, since there were no widely deployed mechanisms for verifying the integrity of the kernel in the first place. But once UEFI secure boot became widely deployed, this was a problem. If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can't modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot.
Lockdown is intended as a mechanism to avoid that, by providing an optional policy that closes off interfaces that allow root to modify the kernel. This was the sole purpose of the original implementation, which maps to the "integrity" mode that's present in the current implementation. Kernels that boot in lockdown integrity mode prevent even root from using these interfaces, increasing assurances that the running kernel corresponds to the booted kernel. But lockdown's functionality has been extended since then. There are some use cases where preventing root from being able to modify the kernel isn't enough - the kernel may hold secret information that even root shouldn't be permitted to see (such as the EVM signing key that can be used to prevent offline file modification), and the integrity mode doesn't prevent that. This is where lockdown's confidentiality mode comes in. Confidentiality mode is a superset of integrity mode, with additional restrictions on root's ability to use features that would allow the inspection of any kernel memory that could contain secrets.
Unfortunately right now we don't have strong mechanisms for marking which bits of kernel memory contain secrets, so in order to achieve that we end up blocking access to all kernel memory. Unsurprisingly, this compromises people's ability to inspect the kernel for entirely legitimate reasons, such as using the various mechanisms that allow tracing and probing of the kernel.
How can we solve this? There's a few ways:
My recommendation is for (3), and I'd encourage general purpose distributions that enable lockdown to do so only in integrity mode rather than confidentiality mode. The cost of confidentiality mode is just too high compared to the benefits it provides. People who need confidentiality mode probably already know that they do, and should be in a position to enable it themselves and handle the consequences.
Root is a user - a privileged user, but nevertheless a user. Root is not identical to the kernel. Processes running as root still can't dereference addresses that belong to the kernel, are still subject to the whims of the scheduler and so on. But historically that boundary has been very porous. Various interfaces make it straightforward for root to modify kernel code (such as loading modules or using /dev/mem), while others make it less straightforward (being able to load new ACPI tables that can cause the ACPI interpreter to overwrite the kernel, for instance). In the past that wasn't seen as a significant issue, since there were no widely deployed mechanisms for verifying the integrity of the kernel in the first place. But once UEFI secure boot became widely deployed, this was a problem. If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can't modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot.
Lockdown is intended as a mechanism to avoid that, by providing an optional policy that closes off interfaces that allow root to modify the kernel. This was the sole purpose of the original implementation, which maps to the "integrity" mode that's present in the current implementation. Kernels that boot in lockdown integrity mode prevent even root from using these interfaces, increasing assurances that the running kernel corresponds to the booted kernel. But lockdown's functionality has been extended since then. There are some use cases where preventing root from being able to modify the kernel isn't enough - the kernel may hold secret information that even root shouldn't be permitted to see (such as the EVM signing key that can be used to prevent offline file modification), and the integrity mode doesn't prevent that. This is where lockdown's confidentiality mode comes in. Confidentiality mode is a superset of integrity mode, with additional restrictions on root's ability to use features that would allow the inspection of any kernel memory that could contain secrets.
Unfortunately right now we don't have strong mechanisms for marking which bits of kernel memory contain secrets, so in order to achieve that we end up blocking access to all kernel memory. Unsurprisingly, this compromises people's ability to inspect the kernel for entirely legitimate reasons, such as using the various mechanisms that allow tracing and probing of the kernel.
How can we solve this? There's a few ways:
- Introduce a mechanism to tag memory containing secrets, and only restrict accesses to this. I've tried to do something similar for userland and it turns out to be hard, but this is probably the best long-term solution.
- Add support for privileged applications with an appropriate signature that implement policy on the userland side. This is actually possible already, though not straightforward. Lockdown is implemented in the LSM layer, which means the policy can be imposed using any other existing LSM. As an example, we could use SELinux to impose the confidentiality restrictions on most processes but permit processes with a specific SELinux context to use them, and then use EVM to ensure that any process running in that context has a legitimate signature. This is quite a few hoops for a general purpose distribution to jump through.
- Don't use confidentiality mode in general purpose distributions. The attacks it protects against are mostly against special-purpose use cases, and they can enable it themselves.
My recommendation is for (3), and I'd encourage general purpose distributions that enable lockdown to do so only in integrity mode rather than confidentiality mode. The cost of confidentiality mode is just too high compared to the benefits it provides. People who need confidentiality mode probably already know that they do, and should be in a position to enable it themselves and handle the consequences.
Live Kernel Patching
Date: 2020-04-21 10:00 pm (UTC)Re: Live Kernel Patching
Date: 2020-04-21 10:45 pm (UTC)Benefit of the integrity mode
Date: 2020-04-22 03:35 am (UTC)Root can not modify the kernel anymore, but it still can modify the userland. How does it help you that the kernel is pristine if your shell is compromised?
Re: Benefit of the integrity mode
Date: 2020-04-22 03:41 am (UTC)Re: Benefit of the integrity mode
Date: 2020-04-23 03:43 am (UTC)Some distributions carry lockdown-style kernel patches since some time (particularly the sort that force-enables on Secure Boot), but I've not seen any attempt to build on that with any sort of userland protection. The exception is Fedora with SELinux, but isn't SELinux alone susceptible to the same attacks as a kernel without lockdown? E.g. if somehow an attacker temporarily gains elevated privileges (root and unconfined_t) they may not be able to modify the kernel anymore, but they can still modify the SELinux policy and the SELinux xattrs on the files.
So basically, I wonder what the usage of lockdown (in integrity mode) alone or with only SELinux is, or whether distributions already expand on lockdown and I haven't noticed.
What about hibernation in the lockdown mode?
Date: 2020-04-22 11:25 am (UTC)Also, since I can't use the lockdown mode in the current form, is there a way to configure the kernel so it would look like as if it was in the lockdown mode? For instance setting the following kernel options to off:
CONFIG_DEVMEM:
CONFIG_DEVKMEM:
CONFIG_DEVPORT:
CONFIG_ACPI_APEI_EINJ:
CONFIG_X86_MSR:
CONFIG_KEXEC:
CONFIG_KEXEC_FILE:
CONFIG_ACPI_CUSTOM_METHOD:
CONFIG_PROC_KCORE:
CONFIG_KPROBES:
CONFIG_EFI_TEST:
CONFIG_MMIOTRACE:
CONFIG_DEBUG_KERNEL:
Are there other options that can be set/unset to achieve what the lockdown mode does?
Re: What about hibernation in the lockdown mode?
Date: 2020-04-22 12:49 pm (UTC)We would either need to authenticate hibernation images somehow (which implies adding a per-machine key pair and keeping the private key secret in the kernel), or rewrite hibernation so that resuming only performs safe transformations to the old kernel (relocation, alternatives patching, probe patching, etc.).
Re: What about hibernation in the lockdown mode?
Date: 2020-04-22 07:00 pm (UTC)Re: What about hibernation in the lockdown mode?
Date: 2021-01-12 09:53 am (UTC)The current result is more use of suspend which means the protection, is a power button, not to mention physical ram attacks!
another integrity solution
Date: 2020-04-22 12:51 pm (UTC)I wonder if a 2nd physical CPU which can monitor the 'main' cpu might be a MUCH better solution. Kinda like and 'executive' CPU that notices strange things about the main CPU. Parts when scanned have been modified. CPU usage has gotten bigger.
In many smaller systems I put and executive module in to monitor the 'state' of the various system modules. When a module is in a funny state, or in a transient state for too long, the 'executive' kills it.
Given a 2nd and 3rd CPU there might even be chance to have some real encryption done by the assembled system?
Lots of fun.
Re: another integrity solution
Date: 2020-04-22 07:02 pm (UTC)Undervolting is impossible with lockdown enabled
Date: 2020-04-22 04:16 pm (UTC)Other than that I use it on my general purpose machines without trouble.
Re: Undervolting is impossible with lockdown enabled
Date: 2020-04-22 07:04 pm (UTC)read-only Volumes
Date: 2020-04-27 01:31 pm (UTC)Re: read-only Volumes
Date: 2020-04-27 08:27 pm (UTC)Re: read-only Volumes
Date: 2020-05-03 04:18 pm (UTC)kernel_lockdown.7 man page?
Date: 2020-05-06 05:58 pm (UTC)[ 537.405854] Kernel is locked down from securityfs; see man kernel_lockdown.7
in dmesg, but I can't seem to find that man page. It's not in latest man-pages repo, and Ubuntu didn't ship anything for it.
Re: kernel_lockdown.7 man page?
Date: 2020-05-07 09:37 am (UTC)could u pls tell, how to do it in ubuntu 20.04 lts desktop version.
Re: kernel_lockdown.7 man page?
Date: 2020-05-07 04:38 pm (UTC)The default was [none]. You might want to be careful with changing that, since once it's enabled
root@doorstop:~# echo none >/sys/kernel/security/lockdown
-bash: echo: write error: Operation not permitted
Re: kernel_lockdown.7 man page?
Date: 2020-05-09 04:17 am (UTC)Re: kernel_lockdown.7 man page?
Date: 2020-05-09 04:45 am (UTC)Re: kernel_lockdown.7 man page?
Date: 2020-05-09 04:54 am (UTC)as per https://mjg59.dreamwidth.org/55105.html?thread=1997633 (third paragraph), last three lines
This is where lockdown's confidentiality mode comes in. Confidentiality mode is a superset of integrity mode, with additional restrictions on root's ability to use features that would allow the inspection of any kernel memory that could contain secrets.
Can i set it to confidentiality mode and how to make changes permanent? as otherwise after reboot, it becomes [none].
Re: kernel_lockdown.7 man page?
Date: 2020-05-09 04:49 pm (UTC)know how to enable/disable it in redhat 8.2 ?
Date: 2020-10-30 03:19 am (UTC)Just being afraid
Date: 2020-05-25 07:38 pm (UTC)Shame on Google for not allowing the user to root Android devices easily. In the past it has been much simpler then now.
Migration of features from debugfs
Date: 2021-06-16 02:47 am (UTC)By analogy the block on debugfs in integrity mode doesn't take into account the security or integrity status of individual debugfs nodes. Is there a project to look at how to define a level of safety on these interfaces, or to migrate them from debugfs to other parts of
/sys?I've just come up with scenarios were we are developing external hardware, but unable to toggle
dynamic_debugmessages in debugfs. Disabling lockdown and/or secure boot or avoiding distribution kernels seem to be an overkill solution. In general out-of-the box desktop environments with usual security are ideal for our developers - except in some of these frustrating edge-cases. I'm sure in a month I'll find another one ;)Re: Migration of features from debugfs
Date: 2021-06-16 02:50 am (UTC)