[Bug translator/25579] New: detect kernel lockdown/secureboot in effect


[Bug translator/25579] New: detect kernel lockdown/secureboot in effect

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25579

            Bug ID: 25579
           Summary: detect kernel lockdown/secureboot in effect
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: translator
          Assignee: systemtap at sourceware dot org
          Reporter: fche at redhat dot com
  Target Milestone: ---

https://bugzilla.redhat.com/show_bug.cgi?id=1638874 indicates modern kernels
activate a lockdown mode for kernels running under secureboot-enforcing mode,
which may prevent normal stap modules from loading/running.  Once the kernel
exposes this state to unprivileged stap, we'll need to adopt the translator to
invoke the secureboot-signing mode implicitly.  This logic is in the
systemtap_session::modules_must_be_signed() function.

--
You are receiving this mail because:
You are the assignee for the bug.

[Bug translator/25579] detect kernel lockdown/secureboot in effect

glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25579

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |25580


Referenced Bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=25580
[Bug 25580] lp tracker

[Bug translator/25579] detect kernel lockdown/secureboot in effect

Sourceware - systemtap mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25579

--- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> ---
until the kernel exposes that info, here is how it can be found as of 5.5ish:

# sudo cat /sys/kernel/security/lockdown
[none] integrity confidentiality

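The securityfs file quoted in comment #1 has a simple format: the available modes separated by spaces, with the active one in square brackets. The following is an added example (not systemtap code, and not the bug's fix) showing how a tool could parse that file and derive a "modules must be signed" decision from it; the function name `modules_must_be_signed` mirrors the translator function named in the report but the logic here is a hypothetical analogue. The sample strings in the test are constructed; the path is the one from the comment.

```python
"""Detect the kernel lockdown mode from /sys/kernel/security/lockdown.

Added example, not systemtap code. The file format is the one quoted in
comment #1: space-separated modes, the active one in brackets, e.g.
"[none] integrity confidentiality".
"""
from pathlib import Path
from typing import Optional

# Path quoted in comment #1 (securityfs, kernel 5.5-ish and later).
LOCKDOWN_PATH = "/sys/kernel/security/lockdown"

# The three modes the quoted output lists.
KNOWN_MODES = ("none", "integrity", "confidentiality")


def parse_lockdown(text: str) -> Optional[str]:
    """Return the active mode (the bracketed token) or None if unparsable.

    Tokens are whitespace-separated, so a trailing newline is harmless.
    """
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            mode = token[1:-1]
            return mode if mode in KNOWN_MODES else None
    return None


def read_lockdown(path: str = LOCKDOWN_PATH) -> Optional[str]:
    """Read and parse the lockdown file.

    Returns None when the file is missing (older kernel, securityfs not
    mounted) or unreadable (comment #2 notes it is not yet world-readable,
    so an unprivileged process will typically get EACCES). Callers must
    treat None as "unknown", not as "no lockdown".
    """
    try:
        return parse_lockdown(Path(path).read_text())
    except OSError:
        return None


def modules_must_be_signed(mode: Optional[str]) -> bool:
    """Hypothetical analogue of systemtap_session::modules_must_be_signed().

    Both "integrity" and "confidentiality" reject unsigned modules; only
    "none" permits them. An unknown mode (None) is treated as requiring
    signing, the fail-safe choice when the file could not be consulted.
    """
    if mode is None:
        return True
    return mode != "none"


if __name__ == "__main__":
    active = read_lockdown()
    print(f"lockdown mode: {active if active is not None else 'unknown'}")
    print(f"modules must be signed: {modules_must_be_signed(active)}")
```

Run as root (or once the file becomes world-readable) it reports the live mode; run unprivileged it reports "unknown" rather than silently assuming no lockdown, which is the caveat comment #2 raises.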

[Bug translator/25579] detect kernel lockdown/secureboot in effect

Sourceware - systemtap mailing list
In reply to this post by glaubitz at physik dot fu-berlin.de
https://sourceware.org/bugzilla/show_bug.cgi?id=25579

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Frank Ch. Eigler <fche at redhat dot com> ---
commit bef690b0e502

The kernel-side procfs file is not yet world-readable, but will be.
This is still useful for # sudo stap ... type use cases.
