------- Comment From <email address hidden> 2020-04-06 11:28 EDT-------
I tested the ppa kernel patch which links secureboot with lockdown.
When secureboot is disabled:
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality
When secureboot is enabled:
ubuntu@ltc-wspoon13:~$ sudo cat /sys/kernel/security/lockdown
none [integrity] confidentiality
It does move to integrity lockdown mode.
Daniel helped with testing the lockdown functionality itself in secureboot enabled state.
Here are his test results:
xmon is in read-only mode.
54:mon> ls is_ppc_secureboot_enabled
is_ppc_secureboot_enabled: c000000000085430
54:mon> b c000000000085430
Operation disabled: xmon in read-only mode
54:mon>
/dev/mem is blocked:
root@ltc-wspoon13:/boot# cat /dev/mem
cat: /dev/mem: Operation not permitted
root@ltc-wspoon13:/boot# dmesg|tail
...
[ 991.917345] Lockdown: cat: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
He also ensured that kexec load is disabled and that the system can boot successfully to a signed kernel if the key is present in the keyring.
Thanks to Daniel for the linking patch between secureboot and lockdown, and also for the quick testing of lockdown itself.
Thanks to the Canonical team for respinning the kernel with the updated patch from Daniel.
Thanks to Michael for his support throughout this work.
Thanks & Regards,
- Nayna
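The checks reported in the comment above (lockdown state following secure boot, /dev/mem refused, legacy kexec load refused while a signed kernel still loads) can be scripted so they are repeatable on the next respin. The script below is an added example and is not part of the bug report or of the kernel patch under test. It assumes: that the lockdown state is read from /sys/kernel/security/lockdown in the bracketed-token format shown above; that on OpenPOWER the firmware secure boot state is visible as /proc/device-tree/ibm,secureboot/os-secureboot-enforcing (an assumption; set SECUREBOOT=0 or 1 to override); and that kexec-tools is installed, where `kexec -l` uses the legacy kexec_load(2) syscall and `kexec -s -l` uses kexec_file_load(2), which verifies the image signature in-kernel. The environment variable RUN_LOCKDOWN_CHECK and all function names are hypothetical.

```shell
#!/bin/sh
# lockdown-check.sh: verify that kernel lockdown tracks firmware secure boot
# and that integrity lockdown actually blocks /dev/mem and unsigned kexec.
# Added example, not the bug report's or the kernel's own code.

# Print the active lockdown mode, i.e. the bracketed token in a securityfs
# line such as "none [integrity] confidentiality" -> "integrity".
lockdown_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Best-effort read of the firmware secure boot state; prints 1 or 0.
# ASSUMPTION: the OpenPOWER device-tree property below. SECUREBOOT=0/1
# overrides it on platforms that expose the state elsewhere.
secureboot_enabled() {
    if [ -n "${SECUREBOOT:-}" ]; then
        echo "$SECUREBOOT"
        return 0
    fi
    if [ -e /proc/device-tree/ibm,secureboot/os-secureboot-enforcing ]; then
        echo 1
    else
        echo 0
    fi
}

# Return 0 when the lockdown line agrees with the secure boot state:
# secure boot on -> integrity lockdown (what the linking patch enforces),
# secure boot off -> no lockdown. $1 = 1/0, $2 = lockdown line.
check_lockdown_matches_secureboot() {
    mode=$(lockdown_mode "$2")
    case "$1:$mode" in
        1:integrity|0:none) return 0 ;;
        *) echo "mismatch: secureboot=$1 lockdown=$mode" >&2; return 1 ;;
    esac
}

# Under integrity lockdown a read of /dev/mem must fail with EPERM and the
# kernel logs a "Lockdown: ... /dev/mem,kmem,port is restricted" line.
probe_dev_mem() {
    if dd if=/dev/mem bs=4096 count=1 of=/dev/null 2>/dev/null; then
        echo "FAIL: /dev/mem is readable"
        return 1
    fi
    echo "ok: /dev/mem read refused"
}

# Legacy kexec_load(2) carries no signature, so lockdown must refuse it;
# kexec_file_load(2) must accept a kernel signed with a key in the keyring.
# $1 = path to a signed kernel image. Loads are unloaded again with -u.
probe_kexec() {
    if kexec -l "$1" 2>/dev/null; then
        echo "FAIL: unsigned kexec_load accepted"
        kexec -u
        return 1
    fi
    echo "ok: kexec_load refused"
    if kexec -s -l "$1" 2>/dev/null; then
        echo "ok: signed kernel loaded via kexec_file_load"
        kexec -u
    else
        echo "FAIL: signed kernel rejected by kexec_file_load"
        return 1
    fi
}

# Run the whole sequence; $1 = optional signed kernel for the kexec probe.
run_checks() {
    status=0
    sb=$(secureboot_enabled)
    line=$(cat /sys/kernel/security/lockdown)
    echo "secureboot=$sb lockdown='$line'"
    check_lockdown_matches_secureboot "$sb" "$line" || status=1
    if [ "$sb" = 1 ]; then
        probe_dev_mem || status=1
        if [ -n "${1:-}" ]; then
            probe_kexec "$1" || status=1
        fi
    fi
    dmesg 2>/dev/null | grep 'Lockdown:' | tail -n 3
    return "$status"
}

# Only probe the live system when explicitly asked (needs root).
if [ "${RUN_LOCKDOWN_CHECK:-0}" = 1 ]; then
    run_checks "$@"
fi
```

Run it as root on the respun kernel in both firmware states, for example `sudo env RUN_LOCKDOWN_CHECK=1 sh lockdown-check.sh /boot/vmlinux-$(uname -r)`; a non-zero exit means either the lockdown mode did not follow secure boot or one of the restrictions did not hold. The kexec probe only loads and unloads the image, it never reboots.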