In the nucleus linux identified Vulnerability (CVE-2022-21505), It allows you to easily circumvent the LockDown protection mechanism, which limits the user’s access to the ROOT to the nucleus and blocks the ways of bypassing UEFI Secure Boot. For a detour, it is proposed to use the IMA nucleus subsystem (Integrity Measurement Architecture), designed to verify the integrity of the components of the operating system for digital signatures and hashas.
Lockdown mode is limited to access to /dev /MEM, /DEV /KMEM, /DEV /PORT, /ProC /Kcore, Debugfs, Mimiotrace debriefing mode, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and MSR CPU registers are blocked by KEXEC_File and Kexec_load calls, the transition to sleep mode is prohibited, the use of DMA for PCIs is limited, the import of ACPI code from EFI variables is prohibited, and manipulations with input/output ports, including changing the number Interruptions and port of the input/output for the sequential port.
The essence of the vulnerability is that when using the “IMA_Appraise = LOG” boot parameter, the KEXEC call is allowed to download a new copy of the nucleus if the SECURE BOOT mode is not active in the LockDown mode is used separately from it. IMA does not comply with the inclusion of the IMA_Appraise mode with the active secure boot, but does not take into account the possibility of using LockDown separately from Secure Boot.