| Field | Value |
|---|---|
| Summary | sys-kernel/gentoo-*: lockdown=integrity mode, secure boot and the generic-uki |
| Product | Gentoo Linux |
| Reporter | Andrew Nowa Ammerlaan <andrewammerlaan> |
| Component | Current packages |
| Assignee | Distribution Kernel Project <dist-kernel> |
| Status | CONFIRMED |
| Severity | normal |
| CC | kernel, sam |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/34616 , https://bugs.gentoo.org/show_bug.cgi?id=814863 |
| Whiteboard | (empty) |
| Package list | (empty) |
| Runtime testing required | --- |
| Attachments | patchset |
Description

Andrew Nowa Ammerlaan

The linked PR [1] implements solution 1. Please let me know if solution 3 is also acceptable, I personally don't have a strong preference for either solution.

[1] https://github.com/gentoo/gentoo/pull/34616

Created attachment 881556: patchset

I've determined which patches exactly we need for solution 3, rebased and tested these locally. Patchset attached. The required patches are:

- security: lockdown: expose a hook to lock the kernel down
  https://gitlab.com/cki-project/kernel-ark/-/commit/72223fd1241cc5c70b96a491db14d54c83beadd8
- efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode
  https://gitlab.com/cki-project/kernel-ark/-/commit/53250b991f841be025fa4d264850dadc0fae2861
- efi: Lock down the kernel if booted in secure boot mode
  https://gitlab.com/cki-project/kernel-ark/-/commit/5850c93175b9d2e1081873f4bbe08dead202cb08

The fourth patch is a bonus that makes similar changes for the IPL secure flag on s390. We don't currently support s390 in sys-kernel/gentoo-kernel, and I don't have the hardware so it's untested; this patch we can skip. Included it in the tarball for completeness.

- s390: Lock down the kernel when the IPL secure flag is set
  https://gitlab.com/cki-project/kernel-ark/-/commit/2384646bf71d8c282cf49bb20321fdf802c61cce

Tested on 6.6.10, it works as it should:

SecureBoot off:

```
andrew@andrew-gentoo-pc ~ % cat /sys/kernel/security/lockdown
[none] integrity confidentiality
```

SecureBoot on:

```
andrew@andrew-gentoo-pc ~ % cat /sys/kernel/security/lockdown
none [integrity] confidentiality
```

dmesg:

```
[    0.000000] efi: EFI v2.7 by American Megatrends
[    0.000000] efi: TPMFinalLog=0x79afd000 ACPI 2.0=0x79a77000 ACPI=0x79a77000 SMBIOS=0x7ad29000 MEMATTR=0x7431b018 ESRT=0x7440fe98 MOKvar=0x7ad3e000 RNG=0x796c8f18 INITRD=0x6f845a98 TPMEventLog=0x6d0e8018
[    0.000000] random: crng init done
[    0.000000] efi: Remove mem60: MMIO range=[0xe0000000-0xefffffff] (256MB) from e820 map
[    0.000000] e820: remove [mem 0xe0000000-0xefffffff] reserved
[    0.000000] efi: Not removing mem61: MMIO range=[0xfe000000-0xfe010fff] (68KB) from e820 map
[    0.000000] efi: Not removing mem62: MMIO range=[0xfec00000-0xfec00fff] (4KB) from e820 map
[    0.000000] efi: Not removing mem63: MMIO range=[0xfed00000-0xfed00fff] (4KB) from e820 map
[    0.000000] efi: Not removing mem64: MMIO range=[0xfee00000-0xfee00fff] (4KB) from e820 map
[    0.000000] efi: Remove mem65: MMIO range=[0xff000000-0xffffffff] (16MB) from e820 map
[    0.000000] e820: remove [mem 0xff000000-0xffffffff] reserved
[    0.000000] secureboot: Secure boot enabled
[    0.000000] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
[    0.000000] SMBIOS 2.8 present.
[    0.000000] DMI: Micro-Star International Co., Ltd. MS-7B48/Z370-A PRO (MS-7B48), BIOS 2.D3 11/18/2021
```

Gentle ping. I feel it is important to resolve this somehow. We have gone through the trouble of signing the modules and (unified) kernel images.

But currently users can choose to verify the unified kernel image (by enabling secure boot via UEFI firmware), or choose to verify the kernel modules (by enabling lockdown mode via kernel command line), but it is impossible to force verification of both. This kind of defeats the purpose of the generic-uki (or at least part of the purpose).

Note that the patches for solution 3 only cause runtime changes if CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y which is disabled by default. So we could add these patches without causing any changes for gentoo-sources users (unless they opt into this by enabling the config option).

I also still feel solution 1 is acceptable since it only affects the (still experimental and stable masked) generic-uki. But I know Michal disagrees with me.
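The gap the report describes (Secure Boot verifying the UKI while lockdown stays at `none`, or lockdown verifying modules while Secure Boot is off) can be checked on a running box from the same `/sys/kernel/security/lockdown` file the comments quote, together with the firmware's `SecureBoot` variable in efivarfs. The script below is an added example, not part of the bug, the linked PR or the attached patchset. It assumes securityfs is mounted at `/sys/kernel/security` and efivarfs at `/sys/firmware/efi/efivars`; the variable name uses the EFI global variable GUID (`8be4df61-93ca-11d2-aa0d-00e098032b8c`), and efivarfs prefixes the variable data with a 4-byte attribute word. The sample inputs are constructed from the outputs quoted above.

```python
"""Report which halves of the signed-boot chain are enforced on this system:
UEFI Secure Boot (verifies the unified kernel image) and kernel lockdown
(verifies kernel modules). Added example; not the bug's or Gentoo's own code."""
import os

LOCKDOWN_PATH = "/sys/kernel/security/lockdown"
# SecureBoot variable under the EFI global variable GUID, as exposed by efivarfs
SECUREBOOT_EFIVAR = (
    "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
)

# Constructed sample inputs, matching the outputs quoted in the bug comments.
SAMPLE_LOCKDOWN_OFF = "[none] integrity confidentiality\n"
SAMPLE_LOCKDOWN_ON = "none [integrity] confidentiality\n"
# efivarfs layout: 4-byte little-endian attributes (here 0x06 = BS|RT,
# a constructed value), then the variable's data: a single byte, 1 = enabled.
SAMPLE_EFIVAR_SB_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_EFIVAR_SB_OFF = b"\x06\x00\x00\x00\x00"


def parse_lockdown(text: str) -> str:
    """Return the active mode from securityfs output such as
    'none [integrity] confidentiality'; the active mode is the bracketed token."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    raise ValueError(f"no active mode in lockdown output: {text!r}")


def parse_secureboot_efivar(raw: bytes) -> bool:
    """Decode the SecureBoot variable as read from efivarfs: skip the 4-byte
    attribute header, then the data byte is 1 when Secure Boot is enabled."""
    if len(raw) < 5:
        raise ValueError(f"SecureBoot efivar too short: {len(raw)} bytes")
    return raw[4] == 1


def assess(lockdown_mode: str, secure_boot: bool) -> str:
    """Classify the enforcement state:
    'full'         - Secure Boot on and lockdown integrity/confidentiality
    'uki-only'     - Secure Boot verifies the image, modules are unverified
    'modules-only' - lockdown verifies modules, the image itself is not
    'none'         - neither half is enforced"""
    if lockdown_mode not in ("none", "integrity", "confidentiality"):
        raise ValueError(f"unknown lockdown mode: {lockdown_mode!r}")
    modules_verified = lockdown_mode != "none"
    if secure_boot and modules_verified:
        return "full"
    if secure_boot:
        return "uki-only"
    if modules_verified:
        return "modules-only"
    return "none"


def check_system() -> str:
    """Read the live files and classify this machine."""
    with open(LOCKDOWN_PATH) as f:
        mode = parse_lockdown(f.read())
    secure_boot = False
    # A system booted without EFI (or without efivarfs) has no SecureBoot
    # variable; treat that as Secure Boot off.
    if os.path.exists(SECUREBOOT_EFIVAR):
        with open(SECUREBOOT_EFIVAR, "rb") as f:
            secure_boot = parse_secureboot_efivar(f.read())
    return assess(mode, secure_boot)


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real system if present.
    print("sample, SB on :", assess(parse_lockdown(SAMPLE_LOCKDOWN_ON),
                                    parse_secureboot_efivar(SAMPLE_EFIVAR_SB_ON)))
    print("sample, SB off:", assess(parse_lockdown(SAMPLE_LOCKDOWN_OFF),
                                    parse_secureboot_efivar(SAMPLE_EFIVAR_SB_OFF)))
    if os.path.exists(LOCKDOWN_PATH):
        print("this system   :", check_system())
```

A result of `uki-only` is exactly the state the report is about: with an unpatched kernel and no `lockdown=` parameter, Secure Boot has checked the UKI signature but nothing stops an unsigned module from being loaded afterwards. With the solution 3 patches and `CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y`, the second sample (Secure Boot on, lockdown `integrity`) is what the kernel selects on its own, as the quoted dmesg line shows.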