Feature #17493
Check what to do wrt. kernel lockdown
0%
Description
What’s the default in Debian?
Can/should we configure this in a stricter way?
Related issues
Blocked by Tails - Feature #17495: Run most of our test suite with Secure Boot enabled | Confirmed |
History
#1 Updated by cypherpunks 2020-02-23 00:48:18
The default is likely disabled. It can be enabled at its strictest with the `lockdown=confidentiality` boot parameter.
#2 Updated by intrigeri 2020-04-24 08:32:30
- Description updated
#3 Updated by intrigeri 2020-04-24 08:43:42
On my sid system, with 5.5.0-2-amd64 (5.5.17-1), booted in UEFI (without Secure Boot, FWIW), kernel lockdown is disabled:
# cat /sys/kernel/security/lockdown
[none] integrity confidentiality
And indeed, in the kernel config file I see that none of the LOCK_DOWN_KERNEL_FORCE_* options are set, so the default LOCK_DOWN_KERNEL_FORCE_NONE is used.
Next step: run our test suite on a Tails image that adds the lockdown=confidentiality boot option; if that breaks stuff, retry with lockdown=integrity.
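As an added check (not part of this ticket or of Tails' own code), a POSIX sh snippet that reports the two things comment #3 inspects by hand: the active mode from /sys/kernel/security/lockdown and the compiled-in LOCK_DOWN_KERNEL_FORCE_* default from the kernel config file. The sample files at the bottom are constructed to mirror that sid system; drop them to run against the real paths.

```shell
#!/bin/sh
# Added example, not from the Tails ticket. Both functions default to the real
# paths but accept a file argument so they can run on constructed sample files.

# Print the active lockdown mode: the bracketed word in
# /sys/kernel/security/lockdown, e.g. "[none] integrity confidentiality" -> none
lockdown_active() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo "unavailable"; return 1; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Print the compiled-in default from a kernel config (/boot/config-$(uname -r)):
# whichever CONFIG_LOCK_DOWN_KERNEL_FORCE_* option is =y, else "none".
lockdown_config_default() {
    f="${1:-/boot/config-$(uname -r)}"
    [ -r "$f" ] || { echo "unavailable"; return 1; }
    m=$(sed -n 's/^CONFIG_LOCK_DOWN_KERNEL_FORCE_\([A-Z]*\)=y$/\1/p' "$f" | head -n 1)
    case "$m" in
        INTEGRITY) echo integrity ;;
        CONFIDENTIALITY) echo confidentiality ;;
        *) echo none ;;
    esac
}

# Constructed sample files mirroring the system described in comment #3.
tmp=$(mktemp -d)
printf '[none] integrity confidentiality\n' > "$tmp/lockdown"
printf 'CONFIG_SECURITY_LOCKDOWN_LSM=y\n# CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY is not set\nCONFIG_LOCK_DOWN_KERNEL_FORCE_NONE=y\n' > "$tmp/config"

echo "active:  $(lockdown_active "$tmp/lockdown")"
echo "default: $(lockdown_config_default "$tmp/config")"
rm -rf "$tmp"
```

A mismatch between the two (for example "none" compiled in but "integrity" active) is expected under Secure Boot, where Debian's kernel raises the level at boot.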
#4 Updated by intrigeri 2020-05-01 07:21:16
See also https://bugs.debian.org/956197
#5 Updated by intrigeri 2020-05-04 13:46:24
- related to Feature #17495: Run most of our test suite with Secure Boot enabled added
#6 Updated by intrigeri 2020-05-04 13:48:35
When Secure Boot is enabled on linux-image-5.5.0-2-amd64 5.5.17-1, the default lockdown level is “integrity” and it’s impossible to disable it; it’s only possible to raise it to “confidentiality”.
Note that at this point, we have no idea whether the “integrity” level breaks stuff: Feature #17495 would help answer that. So IMO we lack a baseline to consider raising the lockdown level.
#7 Updated by intrigeri 2020-05-04 13:49:48
- related to deleted (Feature #17495: Run most of our test suite with Secure Boot enabled)
#8 Updated by intrigeri 2020-05-04 13:50:03
- blocked by Feature #17495: Run most of our test suite with Secure Boot enabled added