Hi Joe, On Fri, Mar 10, 2023 at 07:16:38PM -0000, Joe Salmeri wrote:
Hi Joey,
One thing I don't understand about when lockdown was enabled.
According to this
https://man7.org/linux/man-pages/man7/kernel_lockdown.7.html
The Kernel Lockdown feature is enabled by CONFIG_SECURITY_LOCKDOWN_LSM.
grep CONFIG_SECURITY_LOCKDOWN /usr/lib/modules/*/config
Returns
/usr/lib/modules/6.1.8-1-default/config:CONFIG_SECURITY_LOCKDOWN_LSM=y
/usr/lib/modules/6.1.8-1-default/config:CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
/usr/lib/modules/6.2.1-1-default/config:CONFIG_SECURITY_LOCKDOWN_LSM=y
/usr/lib/modules/6.2.1-1-default/config:CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
So on this TW system both were set to 'y' in the 6.1.8 and 6.2.1 kernels.
Since the 6.1.8 kernel allowed the vmware modules ( which I didn't sign ) to load, it would appear that this kernel lockdown also changes some other configuration too.
What else was done when the kernel lockdown was enabled?
We set the following kernel config in TW/Leap/SLE kernels:

CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set

So, the default lockdown mode is NONE, which means the lockdown is not active by default. The point is that we applied two downstream patches:

patches.suse/0003-efi-Lock-down-the-kernel-if-booted-in-secure-boot-mode.patch
patches.suse/0004-efi-Lock-down-the-kernel-at-the-integrity-level-if-b.patch

The above patches link secure boot with the lockdown function, and also set the default lockdown mode to integrity mode. Just like MOK for modsign, almost all big distros have applied similar patches. Here is also a gap between the mainline kernel and the SUSE kernel. Kernel upstream thinks that the lockdown function is useful with or without secure boot. But from the distros' point of view, directly locking down the kernel will cause many userland applications to be blocked. So we need a switch to turn it on/off. Linking it to EFI secure boot is an approach, because only the machine owner can turn off secure boot by physical access. In terms of roles, it is stricter than the system admin. Another reason is that almost all big distros' shims are signed by Microsoft. We don't want Microsoft to revoke our shim or key when the kernel is not locked down.

Regards
Joey Lee
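An added example, not part of the thread or of the SUSE kernel tree, that checks the linkage described above on a running system: it reads the active lockdown mode from /sys/kernel/security/lockdown (format "none [integrity] confidentiality", the bracketed entry being active), reads the EFI SecureBoot variable, and reports whether they match the policy "Secure Boot on => integrity, Secure Boot off => none". The sample config text is constructed from the options named in the reply; the policy_check wording is my own.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): verify that lockdown follows Secure Boot.

# Extract the active mode from the sysfs lockdown string, e.g. "none [integrity] confidentiality".
lockdown_mode_from_string() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Active lockdown mode of the running kernel, or "unknown" when securityfs is not available.
current_lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then lockdown_mode_from_string "$(cat "$f")"; else echo unknown; fi
}

# EFI SecureBoot variable: 4 attribute bytes, then 1 data byte (1 = enabled).
secure_boot_state() {
    v=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n1)
    [ -n "$v" ] || { echo unknown; return; }
    case $(od -An -tu1 -j4 -N1 "$v" | tr -d ' ') in
        1) echo enabled ;;  0) echo disabled ;;  *) echo unknown ;;
    esac
}

# Which CONFIG_LOCK_DOWN_KERNEL_FORCE_* level is built in (the default before any patch applies).
config_default_mode() {
    printf '%s\n' "$1" | sed -n 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_\([A-Z]*\)=y$/\1/p' | tr 'A-Z' 'a-z'
}

# Compare Secure Boot state and lockdown mode against the distro policy described in the reply.
policy_check() {
    case "$1:$2" in
        enabled:integrity|enabled:confidentiality) echo "ok: secure boot on, lockdown $2" ;;
        disabled:none) echo "ok: secure boot off, lockdown not active" ;;
        enabled:none)  echo "MISMATCH: secure boot on but lockdown is none" ;;
        *) echo "unexpected: secure boot=$1 lockdown=$2" ;;
    esac
}

# Constructed sample config, mirroring the options quoted in the reply (not a real file).
SAMPLE_CONFIG='CONFIG_SECURITY_LOCKDOWN_LSM=y
CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set
# CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY is not set'

main() {
    sb=$(secure_boot_state); mode=$(current_lockdown_mode)
    echo "built-in default: $(config_default_mode "$SAMPLE_CONFIG"); secure boot: $sb; lockdown: $mode"
    policy_check "$sb" "$mode"
}
main "$@"
```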