On the very same system the Tumbleweed kernel boots with lockdown enabled while kernel-default from kernel:Stable (currently 6.12.4) boots with lockdown disabled. I do not see any difference in options; LOCK_DOWN_IN_EFI_SECURE_BOOT is set in both cases. Is it intentional? What option controls it if not LOCK_DOWN_IN_EFI_SECURE_BOOT?
Confirmed, TW20241213 with kernel-default-6.12.4-1.1.g16f6531.x86_64 from Kernel:stable has:

    $ cat /sys/kernel/security/lockdown
    [none] integrity confidentiality
Hi Andrei,

On Sat, Dec 14, 2024 at 10:09:34AM +0300, Andrei Borzenkov wrote:
It looks like lock_kernel_down() is not called when booting. But I didn't find the root cause yet.

Regards
Joey Lee
On Mon, Dec 16, 2024 at 11:38:04PM +0800, joeyli wrote:
I compared the boot sequence of the kernel between v6.11 and v6.12. It looks like the timing of lockdown_lsm_init was moved:

stable 6.11.9

[ 0.000000] [ T0] Linux version 6.11.9-default (joeyli@linux-691t) (gcc (SUSE Linux) 7.5.0, GNU ld (GNU Binutils; SUSE Linux Enterprise 15) 2.41.0.20230908-150100.7.46) #1 SMP PREEMPT_DYNAMIC Tue Dec 17 13:33:50 CST 2024
[ 0.000000] [ T0] lockdown_lsm_init <-- lockdown LSM is initialized very early
...
[ 0.000000] [ T0] secureboot: Secure boot enabled
[ 0.000000] [ T0] CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
[ 0.000000] [ T0] Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7 <-- secure boot lockdown here, in setup_arch()
[ 0.000000] [ T0] LSM: security_lock_kernel_down, ret:0

stable 6.12

[ 0.000000] [ T0] secureboot: Secure boot enabled
[ 0.000000] [ T0] CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT
[ 0.000000] [ T0] LSM: security_lock_kernel_down, ret:0 <-- try secure boot lockdown here
...
[ 0.011467] [ T0] setup_arch() init_mem_mapping() end
...
[ 0.023059] [ T0] setup_arch() end
[ 0.023061] [ T0] lockdown_lsm_init <-- lockdown LSM init was moved to after setup_arch()

I don't know why.

Joey Lee
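As an added example (not code from this thread or from the kernel), a POSIX shell check for the silent failure described above: it reads the Secure Boot state from efivarfs and the active lockdown mode from securityfs and flags a host where Secure Boot is on but lockdown reports "[none]". The function names are my own, and the inline sample reproduces the output Frank posted together with a constructed SecureBoot variable.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical helper names.
# Flags the failure mode discussed above: Secure Boot is on and the kernel was
# built with CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT, yet the lockdown LSM reports
# "[none]" because security_lock_kernel_down() ran before lockdown_lsm_init().

# Active mode is the bracketed word in /sys/kernel/security/lockdown,
# e.g. "[none] integrity confidentiality" -> "none".
lockdown_active_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# efivarfs layout: 4 attribute bytes, then the variable data; for SecureBoot
# the data is a single byte, 1 = enabled. Missing file (no UEFI) -> 0.
efi_secureboot_enabled() {
    [ -r "$1" ] || { echo 0; return 0; }
    od -A n -t u1 -j 4 -N 1 "$1" | tr -d ' '
}

# Verdict: with Secure Boot on, lockdown must be at least "integrity".
check_lockdown() {
    if [ "$1" = 1 ] && [ "$2" != integrity ] && [ "$2" != confidentiality ]; then
        echo MISMATCH
    else
        echo ok
    fi
}

# Constructed sample: the output Frank posted, plus a fake SecureBoot
# variable (attributes 0x00000006, data 0x01) written to a temp file.
demo() {
    tmp=$(mktemp)
    printf '\006\000\000\000\001' > "$tmp"
    sb=$(efi_secureboot_enabled "$tmp")
    rm -f "$tmp"
    check_lockdown "$sb" "$(lockdown_active_mode '[none] integrity confidentiality')"
}

# Live check on this host (harmless where the files are absent).
main() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    sb=$(efi_secureboot_enabled "$var")
    mode=$(lockdown_active_mode "$(cat /sys/kernel/security/lockdown 2>/dev/null)")
    echo "secureboot=$sb lockdown=${mode:-unknown} verdict=$(check_lockdown "$sb" "$mode")"
}

echo "sample verdict: $(demo)"
main
```

On a 6.12.4 kernel with the regression the live line reads `secureboot=1 lockdown=none verdict=MISMATCH`; a fixed kernel shows `lockdown=integrity verdict=ok`.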
On Tue, Dec 17, 2024 at 9:00 AM joeyli <jlee@suse.com> wrote:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/in...
init/main.c: Initialize early LSMs after arch code, static keys and calls.
On Tue, Dec 17, 2024 at 09:41:59AM +0300, Andrei Borzenkov wrote:
Thanks for pointing it out! I am finding a new place for calling lockdown when secure boot is enabled.

Joey Lee
On 17. 12. 24, 9:18, joeyli wrote:
@Andrei: could you create a bug (and ideally assign to joey and cc me), so that we can track/reference this properly?

thanks,
-- 
js
suse labs
On Tue, Dec 17, 2024 at 11:41 AM Jiri Slaby <jslaby@suse.cz> wrote:
participants (4): Andrei Borzenkov, Frank Krüger, Jiri Slaby, joeyli