Feature #17493

Check what to do wrt. kernel lockdown

Added by intrigeri 2020-02-22 09:32:52 . Updated 2020-05-04 13:48:35 .

Status:
Confirmed
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
Affected tool:
Deliverable for:


Subtasks


Related issues

Blocked by Tails - Feature #17495: Run most of our test suite with Secure Boot enabled Confirmed

History

#1 Updated by cypherpunks 2020-02-23 00:48:18

The default is likely disabled. It can be enabled at its strictest with the `lockdown=confidentiality` boot parameter.

#2 Updated by intrigeri 2020-04-24 08:32:30

  • Description updated

#3 Updated by intrigeri 2020-04-24 08:43:42

On my sid system, with 5.5.0-2-amd64 (5.5.17-1), booted in UEFI (without Secure Boot, FWIW), kernel lockdown is disabled:

# cat /sys/kernel/security/lockdown
[none] integrity confidentiality

And indeed, in the kernel config file I see than none of the LOCK_DOWN_KERNEL_FORCE_* options are set, so the default LOCK_DOWN_KERNEL_FORCE_NONE is used.

Next step: run our test suite on a Tails image that adds the lockdown=confidentiality boot option; if that breaks stuff, retry with lockdown=integrity.

#5 Updated by intrigeri 2020-05-04 13:46:24

  • related to Feature #17495: Run most of our test suite with Secure Boot enabled added

#6 Updated by intrigeri 2020-05-04 13:48:35

When Secure Boot is enabled on linux-image-5.5.0-2-amd64 5.5.17-1, the default lockdown level is “integrity” and it’s impossible to disable it; it’s only possible to raise it to “confidentiality”.

Note that at this point, we have no idea whether the “integrity” level breaks stuff: Feature #17495 would help answer that. So IMO we lack a baseline to consider raising the lockdown level.

#7 Updated by intrigeri 2020-05-04 13:49:48

  • related to deleted (Feature #17495: Run most of our test suite with Secure Boot enabled)

#8 Updated by intrigeri 2020-05-04 13:50:03

  • blocked by Feature #17495: Run most of our test suite with Secure Boot enabled added