* Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot
[not found] ` <CALeDE9ORLoyiUcf8Bmwr2rPyo7-3d8Fo54WuPGWtv4ByE_JG=Q@mail.gmail.com>
@ 2018-08-14 14:14 ` Andrew Lutomirski
2018-08-16 2:10 ` Alexei Starovoitov
0 siblings, 1 reply; 4+ messages in thread
From: Andrew Lutomirski @ 2018-08-14 14:14 UTC (permalink / raw)
To: dhowells, Linus Torvalds, ast, Laura Abbott, linux-kernel,
Linux API
Cc: Kernel Fedora
[Removed Fedora devel list because it's subscriber-only]
> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@gmail.com> wrote:
>
> Probably a good idea to cc: this to the kernel list :-)
>
> I suspect it's intentional but with the planned changes for iptables
> etc to be backed by bpf in the upstream kernel sometime in the future
> it's likely going to need to be reviewed.
>
I thought this got covered in review. I think this part of lockdown
needs to get reverted or fixed ASAP.
(I definitely brought up multiple issues with the bpf lockdown stuff.
It's clearly extremely broken right now in the "new kernel breaks
*current* Linux distro" sense.)
> Peter
>
>> On Tue, Aug 7, 2018 at 10:25 PM, Timothée Ravier <tim@siosm.fr> wrote:
>> Booting Fedora with Secure Boot enabled will result in Lockdown being enabled at boot time. This will completely disable the BPF system call for all users [1][2].
>>
>> Unfortunately, this breaks the IPAddressAllow & IPAddressDeny systemd feature [3][4][5].
>>
>> I don't have a solution for this, but as far as I understand, this will also prevent other BPF use-cases (for example: Cilium on Fedora CoreOS).
>>
>> [1] https://src.fedoraproject.org/rpms/kernel/blob/master/f/efi-lockdown.patch#_1525
>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?h=lockdown&id=0eb0d0851747787f7182b3e9d0d38edb5925a678
>> [3] https://github.com/systemd/systemd/blob/master/src/core/bpf-firewall.c
>> [4] https://github.com/systemd/systemd/blob/master/NEWS#L1192
>> [5] https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#IPAddressAllow=ADDRESS%5B/PREFIXLENGTH%5D%E2%80%A6
>> _______________________________________________
>> devel mailing list -- devel@lists.fedoraproject.org
>> To unsubscribe send an email to devel-leave@lists.fedoraproject.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/ZMEWJMQH6DDMV3AZ4IG7LOYMMIETCH42/
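A check one might run on an affected system, added here and not part of the thread: it lists the units that configure IPAddressAllow=/IPAddressDeny= and probes whether the bpf() syscall is usable at all, which is what the lockdown patch takes away. It assumes Linux x86_64 for the syscall probe, and the unit parsing is a simplified line scan rather than systemd's own parser.

```python
# Added example, not from the thread: find systemd units that rely on the
# IPAddressAllow=/IPAddressDeny= BPF firewall and probe whether bpf() works,
# since a lockdown kernel that rejects bpf() leaves those ACLs unenforced.
# Assumes Linux x86_64 for the syscall probe (SYS_bpf = 321).
import ctypes
import errno
import os
import re
import sys

ACL_RE = re.compile(r"\s*(IPAddressAllow|IPAddressDeny)\s*=\s*(.*)$")

def parse_ip_acls(unit_text):
    """Return {directive: [values]} for the IP ACL lines of one unit file."""
    acls = {}
    for line in unit_text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).extend(m.group(2).split())
    return acls

def probe_bpf_syscall():
    """Attempt a minimal BPF_MAP_CREATE; return 'ok', 'denied' or 'unavailable'.
    EPERM ('denied') is what a BPF-disabling lockdown gives, but an unprivileged
    caller with kernel.unprivileged_bpf_disabled=1 sees the same, so read it as
    'the BPF firewall cannot work here', not as proof of lockdown."""
    if sys.platform != "linux" or os.uname().machine != "x86_64":
        return "unavailable"
    class BpfAttr(ctypes.Structure):  # leading fields of union bpf_attr
        _fields_ = [(n, ctypes.c_uint32) for n in
                    ("map_type", "key_size", "value_size", "max_entries", "map_flags")]
    attr = BpfAttr(map_type=1, key_size=4, value_size=4, max_entries=1)  # BPF_MAP_TYPE_HASH
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        fd = libc.syscall(321, 0, ctypes.byref(attr), ctypes.sizeof(attr))  # 0 = BPF_MAP_CREATE
    except OSError:
        return "unavailable"
    if fd >= 0:
        os.close(fd)
        return "ok"
    return "unavailable" if ctypes.get_errno() == errno.ENOSYS else "denied"

def units_with_unenforced_acls(units, bpf_status):
    """Given {unit_name: unit_text}, list units whose IP ACLs cannot be enforced."""
    if bpf_status == "ok":
        return []
    return sorted(name for name, text in units.items() if parse_ip_acls(text))

if __name__ == "__main__":  # constructed sample; real units live under /etc/systemd/system
    sample = {"web.service": "[Service]\nIPAddressDeny=any\nIPAddressAllow=10.0.0.0/8\n",
              "cron.service": "[Service]\nExecStart=/usr/sbin/crond\n"}
    status = probe_bpf_syscall()
    print("bpf():", status, "| units with unenforced ACLs:", units_with_unenforced_acls(sample, status))
```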
* Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot
2018-08-14 14:14 ` Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot Andrew Lutomirski
@ 2018-08-16 2:10 ` Alexei Starovoitov
2018-08-16 13:36 ` Laura Abbott
0 siblings, 1 reply; 4+ messages in thread
From: Alexei Starovoitov @ 2018-08-16 2:10 UTC (permalink / raw)
To: Andrew Lutomirski
Cc: dhowells, Linus Torvalds, ast, Laura Abbott, linux-kernel,
Linux API, Kernel Fedora, daniel
On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
> [Removed Fedora devel list because it's subscriber-only]
>
> > On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@gmail.com> wrote:
> >
> > Probably a good idea to cc: this to the kernel list :-)
> >
> > I suspect it's intentional but with the planned changes for iptables
> > etc to be backed by bpf in the upstream kernel sometime in the future
> > it's likely going to need to be reviewed.
> >
>
> I thought this got covered in review. I think this part of lockdown
> needs to get reverted or fixed ASAP.
I don't see lockdown in Linus's tree. Is this a Fedora-only issue?
> (I definitely brought up multiple issues with the bpf lockdown stuff.
> It's clearly extremely broken right now in the "new kernel breaks
> *current* Linux distro" sense.)
+1
* Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot
2018-08-16 2:10 ` Alexei Starovoitov
@ 2018-08-16 13:36 ` Laura Abbott
[not found] ` <17c09f82-a32d-fc3b-042b-c44c366f873c-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Laura Abbott @ 2018-08-16 13:36 UTC (permalink / raw)
To: Alexei Starovoitov, Andrew Lutomirski
Cc: dhowells, Linus Torvalds, ast, Laura Abbott, linux-kernel,
Linux API, Kernel Fedora, daniel
On 08/15/2018 07:10 PM, Alexei Starovoitov wrote:
> On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
>> [Removed Fedora devel list because it's subscriber-only]
>>
>>> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@gmail.com> wrote:
>>>
>>> Probably a good idea to cc: this to the kernel list :-)
>>>
>>> I suspect it's intentional but with the planned changes for iptables
>>> etc to be backed by bpf in the upstream kernel sometime in the future
>>> it's likely going to need to be reviewed.
>>>
>>
>> I thought this got covered in review. I think this part of lockdown
>> needs to get reverted or fixed ASAP.
>
> I don't see lockdown in Linus's tree. Is this a Fedora-only issue?
>
The entire lockdown/secure boot series is out of tree at the moment.
We're working to get it included. If you search LWN, you
can find some articles explaining the long saga of the patch series.
>> (I definitely brought up multiple issues with the bpf lockdown stuff.
>> It's clearly extremely broken right now in the "new kernel breaks
>> *current* Linux distro" sense.)
>
> +1
>
Yes, we need to review what exactly is in Fedora. It's the merge
window so this is a good time to do that anyway. We're still
playing catch up after Flock in Dresden last week. Can you file
a bugzilla for tracking so we don't forget?
Thanks,
Laura
* Re: Kernel lockdown patch & IPAddressAllow/IPAddressDeny systemd feature with Secure Boot
[not found] ` <17c09f82-a32d-fc3b-042b-c44c366f873c-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2018-08-16 17:01 ` Justin Forbes
0 siblings, 0 replies; 4+ messages in thread
From: Justin Forbes @ 2018-08-16 17:01 UTC (permalink / raw)
To: Laura Abbott
Cc: Andrew Lutomirski, David Howells, ast-DgEjT+Ai2ygdnm+yROfE0A,
Laura Abbott, Kernel Fedora, LKML, Linus Torvalds,
Alexei Starovoitov, daniel-FeC+5ew28dpmcu3hnIyYJQ, Linux API
On Thu, Aug 16, 2018 at 8:36 AM, Laura Abbott <labbott@redhat.com> wrote:
> On 08/15/2018 07:10 PM, Alexei Starovoitov wrote:
>
>> On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
>>
>>> [Removed Fedora devel list because it's subscriber-only]
>>>
>>>> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@gmail.com> wrote:
>>>>
>>>> Probably a good idea to cc: this to the kernel list :-)
>>>>
>>>> I suspect it's intentional but with the planned changes for iptables
>>>> etc to be backed by bpf in the upstream kernel sometime in the future
>>>> it's likely going to need to be reviewed.
>>>>
>>>>
>>> I thought this got covered in review. I think this part of lockdown
>>> needs to get reverted or fixed ASAP.
>>>
>>
>> I don't see lockdown in Linus's tree. Is this a Fedora-only issue?
>>
>>
> The entire lockdown/secure boot series is out of tree at the moment.
> We're working to get it included. If you search LWN, you
> can find some articles explaining the long saga of the patch series.
>
>>> (I definitely brought up multiple issues with the bpf lockdown stuff.
>>> It's clearly extremely broken right now in the "new kernel breaks
>>> *current* Linux distro" sense.)
>>>
>>
>> +1
>>
>>
> Yes, we need to review what exactly is in Fedora. It's the merge
> window so this is a good time to do that anyway. We're still
> playing catch up after Flock in Dresden last week. Can you file
> a bugzilla for tracking so we don't forget?
>
I typically do a review after every major release before we rebase stable
distributions. This is on my list of things to rectify in the next week.
It really would be nice if we could get some of the agreed upon lockdown
pieces upstream. I don't care if it is tied to secure boot, in fact it does
make sense to have the capability outside of secure boot and it is much
easier to carry a single patch to simply turn on lockdown based on UEFI
secure boot than having to carry the entire lockdown series.
Justin
_______________________________________________
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org/message/LXIV6L6U6XFHDLNXHSLM4M22RF2NFNM4/