[qubes-users] QSB-078: Linux kernel PV driver issues and LVM misconfiguration

Dear Qubes Community,

We have just published Qubes Security Bulletin (QSB) 078: Linux kernel
PV driver issues and LVM misconfiguration. The text of this QSB is
reproduced below. This QSB and its accompanying signatures will always
be available in the Qubes Security Pack (qubes-secpack).

View QSB-078 in the qubes-secpack:

<qubes-secpack/qsb-078-2022.txt at master · QubesOS/qubes-secpack · GitHub>

In addition, you may wish to:

- Get the qubes-secpack: <Qubes security pack (qubes-secpack) | Qubes OS>
- View all past QSBs: <Qubes security bulletins (QSBs) | Qubes OS>
- View the XSA Tracker: <Xen security advisory (XSA) tracker | Qubes OS>

```

              ---===[ Qubes Security Bulletin 078 ]===---

                               2022-03-10

        Linux kernel PV driver issues and LVM misconfiguration

User action required
```

Andrew David Wong:

In addition, advanced users with customized setups are advised that the
LVM patch changes the LVM's default value for "global_filter" [5]. This
means you must ensure that the device that contains the LVM with Qubes'
rootfs is allowed, or else your system will not boot.

[5] qubes-lvm2/lvm2-set-default-global_filter.patch at v2.03.09-2 · QubesOS/qubes-lvm2 · GitHub

From looking at part of the patch:

- # global_filter = [ "a|.*|" ]
+ # global_filter = [ "a|^/dev/disk/by-id/dm-uuid-CRYPT-LUKS[12]-.*|",
+ # "a|^/dev/nvme.*|",
+ # "a|^/dev/sd.*|",
+ # "a|^/dev/md.*|",
+ # "r|.*|" ]
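
Review bot: the accept entries ahead of the final "r|.*|" name only LUKS dm-uuid links, /dev/nvme*, /dev/sd* and /dev/md*, so a physical volume under any other device name (for example /dev/mmcblk* or /dev/vd*) is rejected by the new default. The QSB text above says the system will not boot if the device holding the Qubes rootfs is not allowed. Either add the remaining common device classes here, or state in this comment which names are left out on purpose and that a custom "a|...|" entry has to go before "r|.*|".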

I see how it allows crypt-luks volumes in general, along with nvme, sata, and raid. What does that last line allow?

/dev/md.* matches devices provided by the Linux Multiple Device (RAID)
driver.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Demi Marie Obenour:

+ # "r|.*|" ]

I see how it allows crypt-luks volumes in general, along with nvme, sata,
and raid. What does that last line allow?

/dev/md.* matches devices provided by the Linux Multiple Device (RAID)
driver.

Thanks; I should have specified: what does "r|.*|" cover?

It is a generic deny-all. LVM sadly defaults to allow-all.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

Marek, should we patch LVM to add a trailing "r|.*|" if none is present?
Not having it creates a vulnerable system, which is bad.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab

I don't like changing how the config file is interpreted - it is rather
unfriendly and confusing for those who know what they are doing and
change their lvm.conf. The specific filter syntax is described in the
comment just above this option.
The great majority of users do not need to change it (unless we missed
some common device? but then we should update the default filter), so
the risk of messing it up by a novice user is minimal.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
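
An added example, not part of the thread and not Qubes or LVM code: a small checker for a customized global_filter that applies the first-match rule discussed above and reports the two mistakes the thread is about, a rejected rootfs device and a missing trailing "r|.*|". Assumptions: Python's re stands in for LVM's regex engine, each device is tested under a single path name (LVM also considers aliases), and the sample device paths are constructed.

```python
import re

# Both defaults are taken from the patch quoted in this thread.
LVM_UPSTREAM_DEFAULT = ["a|.*|"]
QUBES_DEFAULT = [
    "a|^/dev/disk/by-id/dm-uuid-CRYPT-LUKS[12]-.*|",
    "a|^/dev/nvme.*|",
    "a|^/dev/sd.*|",
    "a|^/dev/md.*|",
    "r|.*|",
]

def parse(entry):
    """Split 'a|regex|' into (action, compiled regex).
    Assumption: Python's re stands in for LVM's own regex engine."""
    if len(entry) < 3 or entry[0] not in "ar" or entry[-1] != entry[1]:
        raise ValueError(f"malformed filter entry: {entry!r}")
    return entry[0], re.compile(entry[2:-1])

def decide(filters, path):
    """First matching pattern wins; a path that matches nothing is accepted."""
    for action, rx in map(parse, filters):
        if rx.search(path):
            return "accept" if action == "a" else "reject"
    return "accept"

def fails_open(filters):
    """Heuristic: probe with a constructed path that no sane rule names."""
    return decide(filters, "/dev/constructed-unlisted-device") == "accept"

def audit(filters, rootfs_pv):
    """Problems in a customized filter: rejected rootfs PV, or no deny-all."""
    problems = []
    if decide(filters, rootfs_pv) != "accept":
        problems.append(f"{rootfs_pv} is rejected: the system will not boot")
    if fails_open(filters):
        problems.append("no effective reject-all: unlisted devices are accepted")
    return problems

if __name__ == "__main__":
    # Constructed case: rootfs PV on eMMC, which the new default does not list.
    custom = QUBES_DEFAULT[:-1] + ["a|^/dev/mmcblk.*|"]  # forgot the trailing r|.*|
    for name, flt in [("default", QUBES_DEFAULT), ("custom", custom)]:
        print(name, audit(flt, "/dev/mmcblk0p2") or "ok")
```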