Linux Lands Fix For A Trivial Lockdown Bypass Bug
The Linux Lockdown security module is most often paired with UEFI Secure Boot, but it can also be enabled without Secure Boot, for example to stop the kexec'ing of untrusted kernels. The Lockdown LSM was introduced a few years ago to block direct and indirect access to the running kernel image and so fend off unauthorized or unintended modification of it. In lockdown mode the kernel refuses to kexec into an untrusted alternate kernel, blocks access to interfaces such as /dev/mem, and imposes a number of other restrictions.
Oracle engineers discovered that lockdown can be easily bypassed when IMA (Integrity Measurement Architecture) appraisal is running in log mode, i.e. with "ima_appraise=log" on the kernel command line. For those using the Lockdown LSM without Secure Boot active, defeating it turned out to be rather easy:
To defeat lockdown, boot without Secure Boot and add ima_appraise=log to the kernel command line; then:
$ echo "integrity" > /sys/kernel/security/lockdown
$ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > /sys/kernel/security/ima/policy
$ kexec -ls unsigned-kernel
Easy as that. Fortunately, a three-line kernel patch is enough to close this lockdown bypass.
The patch was merged today into the Linux 5.19 Git tree and is marked for back-porting to the stable kernel series. The bug has been present in Linux kernel builds since 2019.
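A way to check whether a host matches the preconditions of the reproduction quoted above, as an added example rather than code from the article or the kernel patch: it looks at the same interfaces the steps touch (the lockdown securityfs file, the kernel command line and the loaded IMA policy) plus the Secure Boot state, and reports whether the kexec of an unsigned kernel would merely be logged instead of refused. All function names are this example's own, and the sample inputs are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the article or the kernel patch): classify a host's
# boot state against the preconditions of the ima_appraise=log lockdown bypass.
# Inputs are passed as strings so the logic runs on captured or constructed
# data; the function names are this example's own.

# Print the active lockdown level from the securityfs file contents, which the
# kernel formats as e.g. "none [integrity] confidentiality" (bracketed = active).
lockdown_level() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Succeed when the kernel command line carries ima_appraise=log.
cmdline_has_ima_log() {
    case " $1 " in
        *" ima_appraise=log "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the loaded IMA policy has an appraise rule for kexec kernels.
policy_appraises_kexec() {
    printf '%s\n' "$1" | grep -Eq '^appraise[[:space:]].*func=KEXEC_KERNEL_CHECK'
}

# Map the EFI SecureBoot variable to on/off/unknown. The efivars file carries a
# 4-byte attribute header before the 1-byte value; "unknown" means the variable
# is absent, i.e. a legacy (non-UEFI) boot.
secureboot_state() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$var" ] || { echo unknown; return 0; }
    case $(od -An -tu1 -j4 -N1 "$var" | tr -d ' ') in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# bypass_exposed LOCKDOWN CMDLINE POLICY SECUREBOOT
#   LOCKDOWN    contents of /sys/kernel/security/lockdown
#   CMDLINE     contents of /proc/cmdline
#   POLICY      contents of /sys/kernel/security/ima/policy
#   SECUREBOOT  on / off / unknown
# Prints one verdict line and returns 0 when every precondition of the
# reproduction holds, 1 as soon as one of them does not.
bypass_exposed() {
    level=$(lockdown_level "$1")
    case "$level" in
        integrity|confidentiality) ;;
        *) echo "not exposed: lockdown level is '${level:-none}'"; return 1 ;;
    esac
    if [ "$4" = on ]; then
        echo "not exposed by these steps: Secure Boot is on"
        return 1
    fi
    if ! cmdline_has_ima_log "$2"; then
        echo "not exposed: ima_appraise=log is not on the kernel command line"
        return 1
    fi
    if ! policy_appraises_kexec "$3"; then
        echo "not exposed: no IMA appraise rule for KEXEC_KERNEL_CHECK is loaded"
        return 1
    fi
    echo "EXPOSED: lockdown=$level, Secure Boot $4, IMA appraisal in log mode with a kexec appraise rule"
    return 0
}

# Constructed sample inputs mirroring the reproduction steps (not captured
# from a real host).
SAMPLE_LOCKDOWN='none [integrity] confidentiality'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro ima_appraise=log'
SAMPLE_POLICY='appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig'

# The vulnerable configuration from the article ...
bypass_exposed "$SAMPLE_LOCKDOWN" "$SAMPLE_CMDLINE" "$SAMPLE_POLICY" off || true
# ... and the same host with appraisal switched to enforce mode.
bypass_exposed "$SAMPLE_LOCKDOWN" \
    "$(printf '%s' "$SAMPLE_CMDLINE" | sed 's/ima_appraise=log/ima_appraise=enforce/')" \
    "$SAMPLE_POLICY" off || true
```

On a live host, run it as root with `bypass_exposed "$(cat /sys/kernel/security/lockdown)" "$(cat /proc/cmdline)" "$(cat /sys/kernel/security/ima/policy)" "$(secureboot_state)"`; securityfs must be mounted at /sys/kernel/security, and the IMA policy file is only readable when the kernel was built with CONFIG_IMA_READ_POLICY. The check deliberately stops at the first missing precondition, so the verdict also doubles as the remediation hint: on an unpatched kernel, booting with Secure Boot or with ima_appraise=enforce removes the condition the reproduction relies on.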