In the Linux kernel, a vulnerability (CVE-2022-21505) has been identified that allows an easy bypass of the Lockdown protection mechanism, which restricts the root user's access to the kernel and blocks circumvention of UEFI Secure Boot. The bypass makes use of the IMA (Integrity Measurement Architecture) kernel subsystem, which is designed to verify the integrity of operating system components using digital signatures and hashes.
Lockdown restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSRs; blocks the kexec_file and kexec_load system calls; prevents entering sleep mode; restricts DMA use by PCI devices; prevents importing ACPI code from EFI variables; and prevents I/O port manipulation, including changing the interrupt number and I/O port of the serial port.
The essence of the vulnerability is that with the boot parameter "ima_appraise=log", kexec is allowed to load a new copy of the kernel when Secure Boot is not active on the system and Lockdown is enabled independently of it. IMA does not allow the "ima_appraise" mode to be enabled when Secure Boot is active, but it does not take into account that Lockdown can be used separately from Secure Boot.
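As an added illustration (not from the article or the kernel sources), the following POSIX shell script checks whether a host is in the configuration the article describes: "ima_appraise=log" on the kernel command line, Lockdown enabled, and UEFI Secure Boot off. It assumes the standard locations /proc/cmdline, /sys/kernel/security/lockdown (securityfs) and the SecureBoot variable under /sys/firmware/efi/efivars; the check itself takes the three values as strings so it can also be run over values captured elsewhere.

```shell
#!/bin/sh
# Added example, not from the article. Reports whether a host matches the
# CVE-2022-21505 preconditions: IMA appraisal in "log" mode, kernel Lockdown
# enabled, UEFI Secure Boot not active.

# cve_2022_21505_exposed CMDLINE LOCKDOWN SECUREBOOT
#   CMDLINE    contents of /proc/cmdline
#   LOCKDOWN   contents of /sys/kernel/security/lockdown,
#              e.g. "none [integrity] confidentiality"
#   SECUREBOOT "1" (enabled), "0" (disabled) or "" (no UEFI variable)
# Returns 0 when all three preconditions hold, 1 otherwise.
cve_2022_21505_exposed() {
    cmdline=$1; lockdown=$2; secureboot=$3
    # 1. ima_appraise=log present as a whole token on the command line.
    case " $cmdline " in
        *" ima_appraise=log "*) ;;
        *) return 1 ;;
    esac
    # 2. Lockdown active: the selected mode is the one shown in brackets.
    case "$lockdown" in
        *"[integrity]"*|*"[confidentiality]"*) ;;
        *) return 1 ;;
    esac
    # 3. Secure Boot off; with it on, IMA refuses ima_appraise=log anyway.
    if [ "$secureboot" = "1" ]; then
        return 1
    fi
    return 0
}

# Live read of the Secure Boot state. An efivarfs file is 4 bytes of
# attributes followed by the variable data; for SecureBoot that is one byte.
read_secureboot() {
    var=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if [ -z "$var" ]; then
        echo ""
        return 0
    fi
    tail -c 1 "$var" | od -An -tu1 | tr -d ' \n'
}

if cve_2022_21505_exposed "$(cat /proc/cmdline 2>/dev/null)" \
        "$(cat /sys/kernel/security/lockdown 2>/dev/null)" \
        "$(read_secureboot)"; then
    echo "EXPOSED: ima_appraise=log with Lockdown but no Secure Boot (CVE-2022-21505 preconditions)"
else
    echo "preconditions for CVE-2022-21505 not met on this host"
fi
```

A host that reports EXPOSED should either enable Secure Boot or drop "ima_appraise=log" until it runs a kernel carrying the fix, since Lockdown alone does not stop the kexec path in that configuration.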
Source: opennet.ru
