Linux Lands Fix For A Trivial Lockdown Bypass Bug

Written by Michael Larabel in Linux Security on 20 July 2022 at 06:29 PM EDT. 7 Comments
Merged this afternoon to the mainline Linux 5.19 Git kernel and set for back-porting is a fix for a new security bug. Oracle made public CVE-2022-21505 on Tuesday as a trivial bypass to the Linux kernel's lockdown mode.

The Linux Lockdown security module is used most often with UEFI Secure Boot but can be used outside of Secure Boot too if wanting to prevent Kexec'ing untrusted kernels. The Lockdown LSM was introduced a few years ago for preventing direct and indirect access to a running kernel image to fend off unauthorized/unintended modifications. The Lockdown mode aims to prevent against Kexec'ing into an alternate kernel, blocks access to interfaces like /dev/mem, and places other restrictions. Lockdown mode is used when running UEFI Secure Boot but also has use-cases outside of it.

Oracle engineers discovered that the lockdown mode can be easily bypassed if running in the IMA (Integrity Measurement Architecture) appraisal mode with the "ima_appraise=log" option. For those using the Lockdown LSM without Secure Boot active, it was found to be rather easy to defeat it:
To defeat lockdown, boot without Secure Boot and add ima_appraise=log to the kernel command line; then:

$ echo "integrity" > /sys/kernel/security/lockdown
$ echo "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig" > /sys/kernel/security/ima/policy
$ kexec -ls unsigned-kernel

Easy as that. Fortunately, just a three line kernel patch can be used for addressing this lockdown bypass.

The patch was merged today to Linux 5.19 Git and is set to be back-ported to the kernel stable series. This bug has been present in Linux kernel builds since 2019.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via

Popular News This Week