Communication of publicly known security issues

Security layman here. Kernel 6.12 is shipping with security issue
2333706 – Kernel 6.12.6 kernel lockdown disabled, which causes the
kernel to run with lockdown disabled. Imho this is a serious issue,
because it increases the potential damage privilege escalations can
do. The workaround is easy: enable lockdown on the kernel command
line.

The issue is public. But despite being public, the issue and workaround
are hard to find on Fedora sites. There is no security announcement on
Fedora Discussions, no post in Common Issues, no post pinned in Ask
Fedora. It’s great to read about flatpak apps on Fedora
Magazine. Wouldn’t it also be great to read “Please consider securing
your kernel” on some Fedora site?

As most people here are volunteers, feel free to jump in and provide security noobs like me with the easy fix.

If you want to write an article for Fedora Magazine, you can do so on this site: Fedora Magazine - Fedora Discussion


For Fedora Atomic Desktops users, here is how you can re-enable it:

rpm-ostree kargs --append-if-missing=lockdown=confidentiality

I run my system with all the args mentioned below.

Here is the command:

Make sure to have a backup: run0 ostree admin pin 0

rpm-ostree kargs \
--append-if-missing=init_on_alloc=1 \
--append-if-missing=init_on_free=1 \
--append-if-missing=slab_nomerge \
--append-if-missing=page_alloc.shuffle=1 \
--append-if-missing=randomize_kstack_offset=on \
--append-if-missing=vsyscall=none \
--append-if-missing=lockdown=confidentiality \
--append-if-missing=random.trust_cpu=off \
--append-if-missing=random.trust_bootloader=off \
--append-if-missing=iommu=force \
--append-if-missing=intel_iommu=on \
--append-if-missing=amd_iommu=force_isolation \
--append-if-missing=iommu.passthrough=0 \
--append-if-missing=iommu.strict=1 \
--append-if-missing=pti=on \
--append-if-missing=module.sig_enforce=1 \
--append-if-missing=mitigations=auto,nosmt \
--append-if-missing=spectre_v2=on \
--append-if-missing=spec_store_bypass_disable=on \
--append-if-missing=l1d_flush=on \
--append-if-missing=l1tf=full,force \
--append-if-missing=kvm-intel.vmentry_l1d_flush=always

Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=2333706

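To confirm after the reboot that the lockdown karg from the posts above actually took effect, here is an added check script of my own (not from the thread or from Fedora). It assumes securityfs is mounted at /sys/kernel/security and that the lockdown file uses the kernel's "none [integrity] confidentiality" format, where the bracketed word is the active mode.

```shell
#!/bin/sh
# Added example: report whether kernel lockdown is actually active on the
# running system and whether /proc/cmdline carries the lockdown= workaround.
# Assumption: /sys/kernel/security/lockdown reads like
#   none [integrity] confidentiality
# with the bracketed word being the active mode.

# lockdown_mode "<contents of /sys/kernel/security/lockdown>"
# Prints the active mode, or "unknown" if no bracketed word is present.
lockdown_mode() {
    case "$1" in
        *\[*\]*)
            s="${1#*\[}"
            printf '%s\n' "${s%%\]*}"
            ;;
        *)
            printf 'unknown\n'
            ;;
    esac
}

# cmdline_lockdown "<contents of /proc/cmdline>"
# Prints the value of the lockdown= parameter, or "absent" when missing.
cmdline_lockdown() {
    for arg in $1; do
        case "$arg" in
            lockdown=*) printf '%s\n' "${arg#lockdown=}"; return 0 ;;
        esac
    done
    printf 'absent\n'
}

# lockdown_ok "<lockdown file contents>" "<cmdline contents>"
# Succeeds (exit 0) only when the running kernel is in confidentiality
# mode; otherwise reports the state and the workaround from the thread.
lockdown_ok() {
    mode=$(lockdown_mode "$1")
    karg=$(cmdline_lockdown "$2")
    if [ "$mode" = "confidentiality" ]; then
        echo "lockdown active: $mode (cmdline lockdown=$karg)"
        return 0
    fi
    echo "lockdown NOT in confidentiality mode: $mode (cmdline lockdown=$karg)"
    echo "fix: rpm-ostree kargs --append-if-missing=lockdown=confidentiality"
    return 1
}

# Live check when run on a real system (skipped where securityfs is absent).
if [ -r /sys/kernel/security/lockdown ]; then
    lockdown_ok "$(cat /sys/kernel/security/lockdown)" "$(cat /proc/cmdline)" || status=$?
fi
```

Note that a lockdown= karg alone proves nothing; the securityfs file is what shows the mode the running kernel actually enforces.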