I've requested a CVE for this issue. I wanted to provide some more context as other Linux distributions will likely be reading this bug report once the CVE assignment occurs.
This flaw is introduced by certain configuration options in combination with this out-of-tree patch from the Lockdown patchset: https://git.launchpad.net/~ubuntu- kernel/ubuntu/+source/linux/+git/cosmic/commit/?id=03c7de9e956395f3b36f86f89b62780ad9501eef We do not force module signatures (CONFIG_MODULE_SIG_FORCE=n), we enable IMA-appraise (CONFIG_IMA_APPRAISE=y), and we do not use the built-in IMA secure_boot policy snippet by default. Therefore, no signature verification is performed when a module is loaded via the finit_module(2) syscall. -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1798863 Title: 18.10 kernel does not appear to validate kernel module signatures correctly Status in linux package in Ubuntu: In Progress Status in shim package in Ubuntu: Invalid Status in linux source package in Cosmic: In Progress Status in shim source package in Cosmic: Invalid Bug description: On a system with Ubuntu 18.10, with secure boot enabled, and a key enrolled in the MOK database, I am observing the following peculiar behaviors: * Signature verification appears to be disabled, and cannot be enabled again. It appeared to be enabled previously, as loading of unsigned modules was failing, and `mokutil --enable-validation` runs without incident; however, upon the next boot when attempting to confirm the change, MokManager prints an error message "Unable to delete Secure Boot state" after completing the password challenge. * As a result of signature verification being disabled, modules signed with untrusted keys taint the kernel instead of failing to load outright. * Regardless of signature verification being enabled or not, it seems that the key enrolled in the MOK is not being used for validating kernel module signatures. Modules signed with the key still fail the signature verification test and taint the kernel, even though the key is visible in the output of `mokutil --list-enrolled`, and testing the key with `mokutil --test-key` shows that it's enrolled. Also, a message acknowledging the key appears in dmesg: Loaded UEFI:MokListRT cert 'nvidia-installer generated signing key: 90c957eb56dfb04d8734d54fb614ef5af6c69318' linked to secondary sys keyring * Also, somewhat strangely, in this state with module signature verification not being enforced, attempting to load a completely unsigned kernel module suceeds, and doesn't even log a kernel message about a missing/invalid signature, or taint the kernel. Apport report attached, which includes dmesg log showing the kernel acknowledging the key enrolled in the MOK database, and a signature verification failure and subsequent successful loading of a module signed with that key: [ 4.234093] Loaded UEFI:MokListRT cert 'nvidia-installer generated signing key: 90c957eb56dfb04d8734d54fb614ef5af6c69318' linked to secondary sys keyring ... [ 6.628452] nvidia: module verification failed: signature and/or required key missing - tainting kernel ... [ 6.637252] nvidia-nvlink: Nvlink Core is being initialized, major device number 238 [ 6.637507] nvidia 0000:01:00.0: enabling device (0006 -> 0007) [ 6.637620] nvidia 0000:01:00.0: vgaarb: changed VGA decodes: olddecodes=io+mem,decodes=none:owns=none [ 6.737216] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 410.66 Wed Oct 10 12:01:53 CDT 2018 (using threaded interrupts) This system dual-boots Ubuntu 18.04 and Ubuntu 18.10: when booted into Ubuntu 18.04, signatures made with the same key are recognized as valid. Hence, I suspect that something changed in the Ubuntu 18.10 kernel which is causing signature verification to function in an unexpected way. --- ProblemType: Bug ApportVersion: 2.20.10-0ubuntu13 Architecture: amd64 AudioDevicesInUse: USER PID ACCESS COMMAND /dev/snd/controlC0: danix 1729 F.... pulseaudio DistroRelease: Ubuntu 18.10 InstallationDate: Installed on 2018-10-23 (0 days ago) InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3) NonfreeKernelModules: nvidia_uvm nvidia Package: linux (not installed) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash ProcFB: 0 inteldrmfb ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.18.0-10-generic root=/dev/mapper/ubuntu--vg-root ro quiet splash nouveau.modeset=0 ProcVersionSignature: Ubuntu 4.18.0-10.11-generic 4.18.12 RelatedPackageVersions: linux-restricted-modules-4.18.0-10-generic N/A linux-backports-modules-4.18.0-10-generic N/A linux-firmware 1.175 Tags: cosmic Uname: Linux 4.18.0-10-generic x86_64 UnreportableReason: This report is about a package that is not installed. UpgradeStatus: No upgrade log present (probably fresh install) UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo _MarkForUpload: False dmi.bios.date: 03/20/2018 dmi.bios.vendor: HP dmi.bios.version: P70 Ver. 01.18 dmi.board.name: 8270 dmi.board.vendor: HP dmi.board.version: KBC Version 46.67 dmi.chassis.type: 10 dmi.chassis.vendor: HP dmi.modalias: dmi:bvnHP:bvrP70Ver.01.18:bd03/20/2018:svnHP:pn:pvr:rvnHP:rn8270:rvrKBCVersion46.67:cvnHP:ct10:cvr: dmi.product.family: 103C_5336AN HP ZBook dmi.sys.vendor: HP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1798863/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
