Received: by 10.213.65.68 with SMTP id h4csp2954300imn; Mon, 2 Apr 2018 18:00:37 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+yZn60Apa7sjDrYaE6gXYYqNo2802kxVUB6aEQwTtskw4aEZnYb4GY4o21k5qX2WWMdFEH X-Received: by 10.98.9.147 with SMTP id 19mr2284835pfj.125.1522717237042; Mon, 02 Apr 2018 18:00:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522717236; cv=none; d=google.com; s=arc-20160816; b=w4ZEUgIuwo7aUGNms78bBOu26OLwekjayYaZyzVrVgLG5uTn2nDD8G16ascpBsH7k3 FZO07mu45tB1wHtbJpb5gMl5yEZMTfoWujHtQo02ZwdaP82CVz5qqy/U7NQUtstomAiX CD2ET7Ow1B1fI4lMW9UH/LQSXCjaM/JQb+34hpYSNs9xeQZIsqD+tI43OaNGVoxFM7K1 P62sxDFeQVcc2ZoQq8nnNpi9NkcAMA7RylcW1lYVH6Cit8LezkcKqxiHqrsQxMaFZd7k ISDULtP0ZLNM1UzF3kv4OeayvldfCL1D+tebeZrpy54+DU8T5n7QmiPtSyebIQ5U4qIZ s+iw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=BY4rWKDg3jqGc92ZV0ikHnVOIMejp4w6mKc+Id31l2I=; b=ruM1D5wrYfCcWI4pl92YD+nBOjALMwSw5P6E9p4acqKV9plvGWKUsDqgg0ryn12CcF evOiwJlgmnnuueaTKVoijfwFY3BhPMvm947zmxT+3MUCMi4WNYZ06HEjJ6g/tqfJdYTg LHTZCwf2zrLVKs7oe72rMbZPhPPZpGdKmqW8WYGfAMx1u6yjxl1r1skKCgyQ12SVpScl Riervx5Nzj9ErrjeN+r7+wUradCO0cHhdf3ikamc7zrIeRtc0Df7VnOBNwRHZK35yoU6 7CezzOBsrwuzEoUe2THVAOrTgpAHgywKhYEk0GRU6B7/Bsk2Oh9a6uUMx2hecPNXJc0o /wOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=fwT9TfD+; dkim=fail header.i=@chromium.org header.s=google header.b=msKnmBZz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l5si1181323pfa.368.2018.04.02.18.00.22; Mon, 02 Apr 2018 18:00:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=fwT9TfD+; dkim=fail header.i=@chromium.org header.s=google header.b=msKnmBZz; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754726AbeDCA7O (ORCPT + 99 others); Mon, 2 Apr 2018 20:59:14 -0400 Received: from mail-ua0-f195.google.com ([209.85.217.195]:37940 "EHLO mail-ua0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754687AbeDCA7L (ORCPT ); Mon, 2 Apr 2018 20:59:11 -0400 Received: by mail-ua0-f195.google.com with SMTP id q38so9984375uad.5 for ; Mon, 02 Apr 2018 17:59:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=BY4rWKDg3jqGc92ZV0ikHnVOIMejp4w6mKc+Id31l2I=; b=fwT9TfD+yug+7mR5LopQD5jmJwzp2kKYAGKtePBtVN3zH7e6Xy2l+0CYahDD2x2KsJ oPAFTGeVL2lM6YJYwZis9EuBYGFswH1nWKwca8TjYlSlI63sZZbQeKJa7osZAKc3Zpio QfmZFDNtCGrBG2qrZbifhWETMI+d4PxpewPAXhc+oNZVMr9XaYjKEC7+QYRcBd/02QiQ UBtaL7wZExrFUjYqt4NB3zvREgOQ6dgGwsEtBzGhsySliBMKq3DJRPeO9yr5rdSrDcPH AFAad5LXe86+vcNalzZjsR+nKkxrjNElPhgSXrJqob4mbfJtXFf9aJs5R7KcCJrOWGnx bQOA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=BY4rWKDg3jqGc92ZV0ikHnVOIMejp4w6mKc+Id31l2I=; b=msKnmBZzr5nI+QzJGu+578SKcGpQKKiD0pS16IbQ7noEtDnFPh/ZAkco4d8N/tG2Ay hfGSBROyc2+HkGc5qA0uh4DYBjcOLnKjp5VGM+pgIKUoRtBU6u94FH61LYRLru3tn1/q l/SMXnS1NgW+dCDQRh9E+4d7gjxKnhK/hdSO8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=BY4rWKDg3jqGc92ZV0ikHnVOIMejp4w6mKc+Id31l2I=; b=C7h5yBjMnjo4p7aOY00LKqLqqTJNHYRDa4p8mPNTYv1qVZyXIifsS2CEPvqESDu4Sv znf+T1tUt7iMDnwMjLfainabPbSbX7DOkvobwvMdwBZO7242tYLpe7TQwtgttPBDLX7j WHI3IN2E6bxI+YIyEnG+s3ZG+bnkeXMbYWu4Iflr/9hxbfEzJmiC5qsHfd74H6NoC+ns o3bF9Yx1ztZHVBXA4mHzK4PSmH3C4N5KvA/jgHx40lZJCL/7v5Q1PP2bsas2Z1LLSOd8 Oq3BuBU5/ersMHMYgz8108vHkemh0u9qeJy1gQJr/llm0cFg99Fh2r03CtCAyUiilSiz Z4kA== X-Gm-Message-State: ALQs6tBhh7ic2XYS4W2wVsHkv8+zbpE7WNV7ieAMmk1wMa+Y5bwMH1lT mmFf29MSahXK7pehX5HMuB7aWX4Nm6y/rPfwOXyMHg== X-Received: by 10.159.49.238 with SMTP id w43mr3591857uad.176.1522717150869; Mon, 02 Apr 2018 17:59:10 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.129.9 with HTTP; Mon, 2 Apr 2018 17:59:10 -0700 (PDT) In-Reply-To: <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> From: Kees Cook Date: Mon, 2 Apr 2018 17:59:10 -0700 X-Google-Sender-Auth: a8T4tMJ04ka7T1xm-eZiCotGrTs Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Andy Lutomirski Cc: James Morris , David Howells , Alan Cox , Linus Torvalds , Matthew Garrett , Greg KH , LKML , Justin Forbes , linux-man , joeyli , linux-security-module , Linux API Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 2, 2018 at 5:37 PM, Andy Lutomirski wrote: > On 03/30/2018 05:46 PM, James Morris wrote: >> >> On Sat, 31 Mar 2018, David Howells wrote: >> >>> Date: Thu, 26 Oct 2017 17:37:38 +0100 >>> >>> Hi James, >>> >>> Can you pull this patchset into security/next please? It has been in >>> linux-next since the beginning of March. >>> >>> It adds kernel lockdown support for EFI secure boot. >> >> >> Applied to >> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git >> next-lockdown and next-testing >> >> Are there any known coverage gaps now? >> >> >> > > This is an attempt at a review. I'm replying here because I can't find the > actual relevant patch emails. > > Cover letter: > >> Here's a set of patches to institute a "locked-down mode" in the >> kernel and to trigger that mode if the kernel is booted in secure-boot > >> mode or through the command line. > > I think this is seriously problematic in that it's not well defined. It > sounds like "locked-down mode" means "make me feel good about something". Naming of this feature has been multi-year bikeshedding, so if we could just leave the name, that'd be nice. > For the rest of this review, I'm going to pretend that you actually want two > features: "try-prevent-root-from-corrupting-the-kernel" and > "try-to-prevent-root-from-reading-kernel-memory". That is how I view it, yes. It's about creating a bright line between uid-0 and ring-0. The most powerful of these distinctions was made long ago with signed modules. It hasn't been enough, though, since there have been many ways for uid-0 to read or write kernel memory. My expectation for this was to reasonably fill all the remaining gaps. > Also, there should be a justification that allows normal people (i.e. those > who are not involved in the UEFI signing process) to understand *why* this > should have anything to do with UEFI. I can very easily see why it would > make sense for a UEFI authenticated variable to tell the kernel to enable > one or both of these modes or for there to be an authenticated mechanism for > the bootloader to tell the kernel to enable it. I do *not* see why the mere > act of using Secure Boot should have this effect. > > In particular, UEFI Secure Boot should *not* enable > "try-to-prevent-root-from-reading-kernel-memory", which means that, unless > you actually implement the split, you should drop a bunch of the patches. > > In fact, I think the kernel should try to get away from the idea that UEFI > Secure Boot should imply annoying restrictions. It's really annoying and > it's never been clear to me that it has a benefit. FWIW, I've never been a fan of this being UEFI-centric: more than Secure Boot needs this. For example, Chrome OS's static root of trust and boot firmware isn't UEFI, but it wants this feature enabled. Chrome OS would set it on the command line, since the command line is part of the signed boot image along with the kernel, etc. > "Restrict /dev/{mem,kmem,port} when the kernel is locked down": this should > probably split into one restriction for read and one for write. I think splitting read and write is only useful if there is a use-case for only blocking one of them. I struggle to imagine allowing write and blocking read, so really it's the case of wanting to allow read and disallow write. Is there actually a use-case for this? In all the "locked down" cases I've seen, both are desired. -Kees -- Kees Cook Pixel Security