Date: Thu, 15 Oct 2015 12:33:11 -0400 (EDT)
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request - Linux kernel - securelevel/secureboot bypass.

Apologies, I hadn't made the bug public. It is now.

Sorry for any confusion.



----- Original Message -----
From: "Wade Mealing" <wmealing@...hat.com>
To: cve-assign@...re.org
Cc: oss-security@...ts.openwall.com
Sent: Thursday, 15 October, 2015 4:35:02 PM
Subject: [oss-security] CVE Request - Linux kernel - securelevel/secureboot bypass.

Gday,

I'd like to request a CVE for the following issue (paraphrasing Linn Crosetto):

-----

When the kernel was booted with UEFI Secure Boot enabled, securelevel is set. If kexec (either through crash or admin action) is then used to load the same kernel, after reboot securelevel is disabled. In this state, the system is missing the protections provided by securelevel, for example kexec may be used to load an unsigned kernel via the legacy system call kexec_load.

In the securelevel patchset, the EFI stub queries the state of UEFI Secure Boot and sets a boot_params flag to indicate the state of UEFI Secure Boot. This flag is then used in setup_arch() to determine the correct state of securelevel. If the kernel is not booted via the EFI stub, securelevel is not set even if UEFI Secure Boot is enabled.

-----

TLDR: this allows a bypass of the security mechanism of the securelevel/secureboot combination.

This patchset affects Red Hat specific kernels as secureboot is not fully implemented upstream yet.

Thanks,

Wade Mealing
Red Hat Product Security team


References:
Patch: https://bugzilla.redhat.com/show_bug.cgi?id=1243998#c3
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1243998
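The report above describes a state where the firmware still has Secure Boot enabled but the kernel, having come up through kexec rather than the EFI stub, no longer enforces securelevel. The following script is an added example (not part of the original post, and not Red Hat's code): a post-boot audit a defender can run, for instance after every kexec or crash reboot, to detect that mismatch. It assumes that the firmware state can be read from the efivarfs file for the standard SecureBoot variable (4 attribute bytes followed by one data byte) and that the Red Hat securelevel patchset exposes the current level at /sys/kernel/security/securelevel via securityfs; both paths are assumptions, not taken from the page. The decision logic is kept in a separate function so it can be exercised without the real sysfs files.

```shell
#!/bin/sh
# Added example (not from the original post): report whether the running
# kernel's securelevel matches the firmware's UEFI Secure Boot state.
#
# Assumed paths (not stated on the page):
#   - efivarfs file for the SecureBoot variable: 4 attribute bytes, then 1 data byte
#   - securityfs file exported by the securelevel patchset
EFIVAR_SECUREBOOT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
SECURELEVEL_FILE=/sys/kernel/security/securelevel

# Pure decision logic, kept free of file access so it can be tested on its own.
#   $1: firmware Secure Boot state: "1" (enabled), "0" (disabled) or "unknown"
#   $2: kernel securelevel value: "0", "1" or "absent" (file not present)
# Prints one of: OK, MISMATCH, NOT_APPLICABLE, UNKNOWN
classify_securelevel() {
    sb="$1"
    sl="$2"
    case "$sb" in
        1)
            case "$sl" in
                1)        echo OK ;;
                0|absent) echo MISMATCH ;;   # Secure Boot on, securelevel not enforced
                *)        echo UNKNOWN ;;
            esac
            ;;
        0) echo NOT_APPLICABLE ;;            # Secure Boot off: securelevel is not expected
        *) echo UNKNOWN ;;                   # no EFI runtime, or variable unreadable
    esac
}

# Read the single data byte of the SecureBoot variable as a decimal number.
read_secureboot_state() {
    if [ -r "$EFIVAR_SECUREBOOT" ]; then
        # -j4 skips the attribute header, -N1 reads the one data byte
        od -An -tu1 -j4 -N1 "$EFIVAR_SECUREBOOT" | tr -d ' '
    else
        echo unknown
    fi
}

# Read the kernel's current securelevel, or report that the file is absent.
read_securelevel() {
    if [ -r "$SECURELEVEL_FILE" ]; then
        tr -d '[:space:]' < "$SECURELEVEL_FILE"
    else
        echo absent
    fi
}

# Live audit: print the observed state and exit non-zero on a MISMATCH,
# so the script can gate a boot-time health check or raise an alert.
audit_securelevel() {
    sb=$(read_secureboot_state)
    sl=$(read_securelevel)
    verdict=$(classify_securelevel "$sb" "$sl")
    echo "secureboot=$sb securelevel=$sl verdict=$verdict"
    [ "$verdict" != MISMATCH ]
}

audit_securelevel
```

Run it once from a normal EFI-stub boot to confirm it reports OK, then again after a kexec reboot; a MISMATCH verdict is the condition the report describes, and the non-zero exit status makes it easy to wire into a systemd unit or monitoring check.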
