Ubuntu 18.04's Heavily Patched Kernel Opens Door To Lockdown Bypass, Breaks Secure Boot

Written by Michael Larabel in Ubuntu on 14 June 2020 at 07:07 AM EDT. 29 Comments
Ubuntu 18.04, when running its default Linux 4.15 kernel rather than one of the newer hardware enablement kernels, is vulnerable to a bypass of the kernel lockdown security and a compromise of UEFI Secure Boot that persists across reboots, thanks to the tangle of patches back-ported to that release.

WireGuard lead developer Jason Donenfeld discovered a security issue with the Ubuntu 18.04 default kernel. The kernel does not protect the SSDT EFI entry point, which allows injecting ACPI tables and subsequently loading unsigned kernel drivers into the system even with UEFI Secure Boot enabled. A proof-of-concept attack disables KASLR (kernel address space layout randomization) in the process and also survives reboots.

Donenfeld published the PoC attack for illustrating this kernel flaw.

At this time it appears only Ubuntu 18.04's kernel is impacted and not the upstream kernel or other distribution kernels. Ubuntu 18.04 backports a lot to its kernel given its Long Term Support status. In this case it appears the Ubuntu kernel team missed back-porting at least one patch that would have avoided this vulnerability.

Back in August 2019 came this patch restricting efivar_ssdt_setup when the kernel is running in its locked-down mode. The patch explains the importance of the restriction: "efivar_ssdt_load allows the kernel to import arbitrary ACPI code from an EFI variable, which gives arbitrary code execution in ring 0. Prevent that when the kernel is locked down." Presumably Ubuntu 18.04 will soon pick it up to close this vulnerability.
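An administrator checking whether a host is exposed to the path described above wants three answers: is an efivar_ssdt= name set on the kernel command line, does an EFI variable of that name actually exist, and are Secure Boot and lockdown reported as active. The POSIX shell script below is an added example (not from the article, the PoC, or the Ubuntu kernel team) that reads those facts from the standard efivarfs and securityfs paths. Assumptions: efivarfs entries are named Name-GUID with 4 attribute bytes before the data, and /sys/kernel/security/lockdown exists only on kernels carrying upstream lockdown (5.4 and later), so on the 4.15 kernel the article discusses the lockdown check reports "unavailable". The function and file names are the script's own.

```shell
#!/bin/sh
# Audit helper: would this host load an SSDT from an EFI variable at boot,
# and are the controls around that (Secure Boot, lockdown) reported as active?
# Added example, not part of the article or of any kernel project.

# Print the value of efivar_ssdt= from a kernel command line; return 1 if absent.
ssdt_param_from_cmdline() {
    for tok in $1; do
        case "$tok" in
            efivar_ssdt=*) printf '%s\n' "${tok#efivar_ssdt=}"; return 0 ;;
        esac
    done
    return 1
}

# List efivarfs entries in directory $1 whose name (before the -GUID suffix) is $2.
# Any vendor GUID is listed. Returns 0 if at least one entry exists, 1 otherwise.
find_ssdt_efivars() {
    dir=$1; name=$2; found=1
    for f in "$dir"/"$name"-*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
        found=0
    done
    return "$found"
}

# SecureBoot variable on efivarfs: 4 attribute bytes, then a 1-byte value (1 = enabled).
# Returns 0 if enabled, 1 if disabled, 2 if the variable is unreadable (e.g. legacy BIOS boot).
secure_boot_enabled() {
    f=$1
    [ -r "$f" ] || return 2
    val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    [ "$val" = "1" ]
}

# Active lockdown mode from securityfs, e.g. "none [integrity] confidentiality" -> integrity.
# Assumption: file only present on kernels with upstream lockdown (5.4+); otherwise "unavailable".
lockdown_mode() {
    f=$1
    [ -r "$f" ] || { echo unavailable; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# Combine the checks. $1 cmdline text, $2 efivars directory, $3 lockdown file.
# Returns 1 when an efivar_ssdt= name is set AND a matching EFI variable exists
# while lockdown is not reported as integrity/confidentiality; 0 otherwise.
audit_ssdt_exposure() {
    cmdline=$1; efivars=$2; lockdown=$3
    name=$(ssdt_param_from_cmdline "$cmdline") || { echo "no efivar_ssdt= parameter set"; return 0; }
    echo "efivar_ssdt=$name"
    if secure_boot_enabled "$efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"; then
        echo "Secure Boot: enabled"
    else
        echo "Secure Boot: disabled or not reported"
    fi
    mode=$(lockdown_mode "$lockdown")
    echo "lockdown: $mode"
    if find_ssdt_efivars "$efivars" "$name"; then
        case "$mode" in
            integrity|confidentiality) echo "matching variable present but lockdown active"; return 0 ;;
            *) echo "WARNING: matching EFI variable present and lockdown not enforced"; return 1 ;;
        esac
    fi
    echo "no EFI variable named $name"
    return 0
}

# Stand-alone run against the live system's standard paths.
if [ -r /proc/cmdline ]; then
    if audit_ssdt_exposure "$(cat /proc/cmdline)" /sys/firmware/efi/efivars /sys/kernel/security/lockdown; then
        echo "verdict: not exposed"
    else
        echo "verdict: exposed"
    fi
fi
```

The script needs root only to read efivarfs on some systems; run it as-is on a host, or call audit_ssdt_exposure with a copied cmdline and a snapshot directory of efivars when auditing offline. The SecureBoot GUID is the fixed EFI global variable GUID, so that name is stable across firmware vendors.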
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.
