
Bug#929583: marked as done (linux-image-5.0.0-trunk-amd64: Please build with CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ)



Your message dated Tue, 18 Jun 2019 10:52:03 +0000
with message-id <E1hdBid-00085l-Rn@fasolo.debian.org>
and subject line Bug#929583: fixed in linux 4.19.37-4
has caused the Debian Bug report #929583,
regarding linux-image-5.0.0-trunk-amd64: Please build with CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929583: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929583
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: src:linux
Version: 5.0.2-1~exp1
Severity: severe

Please build Debian kernels with CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ 
enabled.

I have a laptop with UEFI Secure Boot support.  I dual-boot Windows and 
I also want to use Secure Boot to make sure that Debian kernels are 
running.  Beyond that, I'd like no restrictions on my own ability to 
develop kernel modules without having to reboot to disable Secure Boot, 
or having to build my own kernels with my own keys and also having to 
figure out how to sign and load kernel modules just to fix bugs.  (It 
also seems dubious to be signing half-finished modules, which haven't 
been vetted for security, during the development process.)

Currently, on systems with Secure Boot enabled, it is difficult or 
impossible to build and load custom kernel modules without disabling 
UEFI Secure Boot entirely.

The ostensible purpose of UEFI Secure boot is to prevent unsigned, 
malicious bootloaders from subverting the operating system without the 
end-user's awareness.  It can also be used by hardware manufacturers to 
lock down machines against users who wish to load their own kernel 
modules, but that purpose is not compatible with Debian's Social 
Contract ("4. Our priorities are our users and free software"), and 
Debian should not be complicit in this.

IMO if Debian is shipping Secure Boot-compatible signed kernels at all, 
Debian must also provide end-users with the ability to load their own 
kernel-mode code with Secure Boot enabled.  shim, which is signed by 
Microsoft, already allows users to load keys (and thus execute arbitrary 
kernel-mode code) once the user has given their affirmative consent to 
do so.  Nothing should stop Debian from doing likewise, and that's what 
the ALLOW_LOCKDOWN_LIFT_BY_SYSRQ config option does.

The upstream kernel maintainers have expressed opposition to tying UEFI 
Secure Boot to lockdown mode in the first place, and much of the 
justification for supporting Secure Boot -> Lockdown in a FOSS kernel at 
all has been that this sysrq key combination would be available to 
users.  Currently, this is not the case in Debian signed kernels.

Since buster reportedly will ship signed kernels, and since I believe 
the status quo violates the Social Contract (and that it would be a 
shame if buster shipped in a form that allowed Debian-signed kernels to 
be used to help hardware manufacturers assert control over end-users and 
restrict users on their own hardware), I have marked this bug with a 
release-critical severity.

-- Package-specific info:
** Version:
Linux version 5.0.0-trunk-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-3)) #1 SMP Debian 5.0.2-1~exp1 (2019-03-18)

** Model information
sys_vendor: LENOVO
product_name: 20MUCTO1WW
product_version: ThinkPad A485
chassis_vendor: LENOVO
chassis_version: None
bios_vendor: LENOVO
bios_version: R0WET48W (1.16 )
board_vendor: LENOVO
board_name: 20MUCTO1WW
board_version: SDK0J40697 WIN


-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-5.0.0-trunk-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.133
ii  kmod                                    26-1
ii  linux-base                              4.6

Versions of packages linux-image-5.0.0-trunk-amd64 recommends:
ii  apparmor             2.13.2-10
ii  firmware-linux-free  3.4
ii  irqbalance           1.5.0-4

Versions of packages linux-image-5.0.0-trunk-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  extlinux                3:6.04~git20190206.bf6db5b4+dfsg1-1
ii  grub-efi-amd64          2.02+dfsg1-18
pn  linux-doc-5.0           <none>

Versions of packages linux-image-5.0.0-trunk-amd64 is related to:
ii  firmware-amd-graphics     20190502-1
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
ii  firmware-brcm80211        20190502-1
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
pn  firmware-iwlwifi          <none>
pn  firmware-libertas         <none>
ii  firmware-linux-nonfree    20190502-1
ii  firmware-misc-nonfree     20190502-1
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
ii  firmware-realtek          20190502-1
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: linux
Source-Version: 4.19.37-4

We believe that the bug you reported is fixed in the latest version of
linux, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929583@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated linux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 17 Jun 2019 20:00:22 +0100
Source: linux
Architecture: source
Version: 4.19.37-4
Distribution: unstable
Urgency: high
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Closes: 929187 929366 929583
Changes:
 linux (4.19.37-4) unstable; urgency=high
 .
   [ Ben Hutchings ]
   * libbpf: Fix various build bugs:
     - Drop unnecessary changes from "libbpf: add SONAME to shared object"
     - libbpf: Use only 2 components in soversion, matching package name
       (Closes: #929187)
     - libbpf: Build out-of-tree
   * README.source: Document the various makefiles and use of out-of-tree builds
   * [x86] lockdown,sysrq: Enable ALLOW_LOCKDOWN_LIFT_BY_SYSRQ (Closes: #929583)
   * mwifiex: Fix possible buffer overflows at parsing bss descriptor
     (CVE-2019-3846)
   * mwifiex: Abort at too short BSS descriptor element
   * mwifiex: Don't abort on small, spec-compliant vendor IEs
   * mm/mincore.c: make mincore() more conservative (CVE-2019-5489)
   * mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()
     (CVE-2019-10126)
   * tcp: limit payload size of sacked skbs (CVE-2019-11477)
   * tcp: tcp_fragment() should apply sane memory limits (CVE-2019-11478)
   * tcp: add tcp_min_snd_mss sysctl (CVE-2019-11479)
   * tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
 .
   [ Romain Perier ]
   * [rt] Update to 4.19.37-rt20:
     - powerpc/pseries/iommu: Use a locallock instead local_irq_save()
     - powerpc: reshuffle TIF bits
     - tty/sysrq: Convert show_lock to raw_spinlock_t
     - drm/i915: Don't disable interrupts independently of the lock
     - sched/completion: Fix a lockup in wait_for_completion()
 .
   [ Salvatore Bonaccorso ]
   * brcmfmac: assure SSID length from firmware is limited (CVE-2019-9500)
   * brcmfmac: add subtype check for event handling in data path
     (CVE-2019-9503)
   * ext4: zero out the unused memory region in the extent tree block
     (CVE-2019-11833)
   * Bluetooth: hidp: fix buffer overflow (CVE-2019-11884)
 .
   [ Aurelien Jarno ]
   * [mips] Correctly bounds check virt_addr_valid (Closes: #929366)
 .
   [ John Paul Adrian Glaubitz ]
   * [sparc64] udeb: Disable suffix for kernel-image
 .
   [ Alper Nebi Yasak ]
   * udeb: input-modules: Include all keyboard driver modules
   * [arm64] udeb: kernel-image: Include cros_ec_spi and SPI drivers
   * [arm64] udeb: kernel-image: Include phy-rockchip-pcie
   * [arm64] udeb: usb-modules: Include phy-rockchip-typec, extcon-usbc-cros-ec
   * [arm64] udeb: mmc-modules: Include phy-rockchip-emmc
   * [arm64] udeb: fb-modules: Include rockchipdrm, panel-simple, pwm_bl and
     pwm-cros-ec

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---