Public bug reported:

Impact: The lockdown patches have evolved over time, and part of this was restricting more areas of the kernel. Not all of these additions were backported, and some can lead to lockdown bypasses, see [1] and [2].

Fix: Backport newer lockdown restrictions to older releases.

Test Case: Test cases for most of the backports can be found at [3], and [4] is another test case. Some which need e.g. specific hardware to test have not been tested.

Regression Potential: Most of these are small, simple fixes with low potential for regression. Users may also lose access to some functionality previously accessible under secure boot. Some changes are more substantial, especially the hw_param changes for xenial, but they are based on well-tested upstream code. The xmon backports also carry a more moderate risk of regression.

[1] https://lists.ubuntu.com/archives/kernel-team/2020-June/111050.html
[2] https://lore.kernel.org/lkml/20200615104332.901519-1-ja...@zx2c4.com/
[3] https://git.launchpad.net/~sforshee/+git/lockdown-tests
[4] https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language.sh

** Affects: linux (Ubuntu)
     Importance: Critical
     Assignee: Seth Forshee (sforshee)
         Status: Fix Committed

** Affects: linux (Ubuntu Xenial)
     Importance: Critical
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Affects: linux (Ubuntu Bionic)
     Importance: Critical
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Affects: linux (Ubuntu Eoan)
     Importance: Critical
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Affects: linux (Ubuntu Focal)
     Importance: Critical
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Eoan)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Eoan)
       Status: New => In Progress

** Changed in: linux (Ubuntu Eoan)
     Assignee: (unassigned) => Seth Forshee (sforshee)

** Changed in: linux (Ubuntu Focal)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Focal)
       Status: New => In Progress

** Changed in: linux (Ubuntu Focal)
     Assignee: (unassigned) => Seth Forshee (sforshee)

-- 
https://bugs.launchpad.net/bugs/1884159

Title:
  Update lockdown patches

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  In Progress
Status in linux source package in Focal:
  In Progress
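The regression note in the bug description says users may lose access to functionality that was previously available under secure boot once the stricter restrictions are backported. An administrator checking a patched machine first wants to know whether lockdown is in force at all and in which mode. The following POSIX shell helper is an added example, not part of the bug report and not taken from the test suites at [3] or [4]. It assumes the upstream lockdown LSM interface, where /sys/kernel/security/lockdown lists the modes on one line with the active one in square brackets (for example `none [integrity] confidentiality`); kernels that do not expose that file are reported as `unknown`, which is an assumption about older lockdown patch sets rather than something the bug states.

```shell
#!/bin/sh
# Added example, not from the bug report or Ubuntu's lockdown test suites.
# Reports which kernel lockdown mode is active so that an administrator can
# tell whether the restrictions described in the bug now apply on a host.
#
# Assumed interface (upstream lockdown LSM): /sys/kernel/security/lockdown
# lists the modes on one line with the active one in square brackets, e.g.
#   none [integrity] confidentiality

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print the bracketed (active) mode from one line in that format.
# Prints nothing and returns 1 when no bracketed mode is present.
lockdown_mode_from_line() {
    mode=$(printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p')
    [ -n "$mode" ] || return 1
    printf '%s\n' "$mode"
}

# Return 0 when the given mode restricts anything at all.
# "integrity" blocks modifying the running kernel (unsigned modules,
# /dev/mem writes and the like); "confidentiality" additionally blocks
# reading kernel memory; "none" enforces nothing.
lockdown_is_enforcing() {
    case "$1" in
        integrity|confidentiality) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the live state. Kernels without the sysfs file (assumed for older
# lockdown patch sets) are reported as "unknown" rather than "none".
current_lockdown_mode() {
    if [ -r "$LOCKDOWN_FILE" ]; then
        lockdown_mode_from_line "$(cat "$LOCKDOWN_FILE")" || echo unknown
    else
        echo unknown
    fi
}

# One-line report for the running system.
report_lockdown() {
    active=$(current_lockdown_mode)
    if lockdown_is_enforcing "$active"; then
        printf 'lockdown: enforcing (%s)\n' "$active"
    else
        printf 'lockdown: not enforcing (%s)\n' "$active"
    fi
}

report_lockdown
```

Run it after installing the updated kernel and rebooting with secure boot enabled; a result of `unknown` means the kernel does not expose the upstream interface and the state has to be confirmed another way (for example from the kernel log), while `not enforcing (none)` on a secure-boot machine is worth investigating before assuming the backported restrictions are active.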