Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1759582AbcLAPBg (ORCPT <rfc822;w@1wt.eu>);
        Thu, 1 Dec 2016 10:01:36 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:47682 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1757197AbcLAPBe (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 1 Dec 2016 10:01:34 -0500
Date: Thu, 1 Dec 2016 16:01:35 +0100
From: Greg KH <gregkh@linuxfoundation.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-kernel@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
        linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
        minyard@acm.org
Subject: Re: [PATCH 01/39] Annotate module params that specify hardware
 parameters (eg. ioport)
Message-ID: <20161201150135.GA10317@kroah.com>
References: <148059537897.31612.9461043954611464597.stgit@warthog.procyon.org.uk>
 <148059538747.31612.8974972913601108271.stgit@warthog.procyon.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <148059538747.31612.8974972913601108271.stgit@warthog.procyon.org.uk>
User-Agent: Mutt/1.7.1 (2016-10-04)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1958
Lines: 44

On Thu, Dec 01, 2016 at 12:29:47PM +0000, David Howells wrote:
> Provided an annotation for module parameters that specify hardware
> parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
> dma buffers and other types).
> 
> This will enable such parameters to be locked down in the core parameter
> parser for secure boot support.

ick ick ick.

First off, this "secure boot support" massive patchset has not gone
anywhere yet, so why do this now?  Also, I think Alan's comment about it
the last time it came up was more like a "look at all of the other ways
you could do bad things to hardware!" comment, not a "you need to also
do this thing too!" type of request.

I certianly do not see how this makes anything "more secure" at all.
And I thought the last time this came up, Linus also objected to it,
which is why the patchset never went anywhere.

Secure boot is a trust that the previous boot process is now booting
your image that it feels is secure (with various levels of "secure").
It is not about "lock things down so no one can ever touch the hardware
through different options, except through random logic[1] that we
somehow trust "more" than configuration options.

So, what are you really trying to "block" here?  The ability for someone
to set an i/o port value?  why?  Why does it matter what root sets for
an irq?  For a dma buffer?  For anything else?  What is preventing this
going to "secure" somehow?

Overall, I really don't like this, and honestly, don't like the whole
"secure boot" patchset either, as it is really a lot of work for
absolutely no gain that I can see.  Who is "asking" for this type of
thing, and what are their specific requirements?

thanks,

greg k-h

[1] Really, do you trust random driver writers to get things more
    "correct" than allowing people to get their hardware to work
    properly with module parameters?  I know driver writers, and really,
    I trust users more than them...