Subject: Re: [GIT PULL] Kernel lockdown for secure boot
From: Andy Lutomirski
Date: Mon, 2 Apr 2018 18:47:05 -0700
To: Kees Cook
Cc: Andy Lutomirski, James Morris, David Howells, Alan Cox, Linus Torvalds, Matthew Garrett, Greg KH, LKML, Justin Forbes, linux-man, joeyli, linux-security-module, Linux API
Message-Id: <70C7A8C3-3DCC-4448-9FBD-534ADDE2D6E6@amacapital.net>
References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Apr 2, 2018, at 5:59 PM, Kees Cook wrote:
>
>> On Mon, Apr 2, 2018 at 5:37 PM, Andy Lutomirski wrote:
>>> On 03/30/2018 05:46 PM, James Morris wrote:
>>>
>>>> On Sat, 31 Mar 2018, David Howells wrote:
>>>>
>>>> Date: Thu, 26 Oct 2017 17:37:38 +0100
>>>>
>>>> Hi James,
>>>>
>>>> Can you pull this patchset into security/next please? It has been in
>>>> linux-next since the beginning of March.
>>>>
>>>> It adds kernel lockdown support for EFI secure boot.
>>>
>>> Applied to
>>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
>>> next-lockdown and next-testing
>>>
>>> Are there any known coverage gaps now?
>>>
>>
>> This is an attempt at a review. I'm replying here because I can't find the
>> actual relevant patch emails.
>>
>> Cover letter:
>>
>>> Here's a set of patches to institute a "locked-down mode" in the
>>> kernel and to trigger that mode if the kernel is booted in secure-boot
>>> mode or through the command line.
>>
>> I think this is seriously problematic in that it's not well defined. It
>> sounds like "locked-down mode" means "make me feel good about something".
>
> Naming of this feature has been multi-year bikeshedding, so if we
> could just leave the name, that'd be nice.

Fair enough. How about enum kernel_lockdown_level with three modes?

>
>> "Restrict /dev/{mem,kmem,port} when the kernel is locked down": this should
>> probably split into one restriction for read and one for write.
>
> I think splitting read and write is only useful if there is a use-case
> for only blocking one of them. I struggle to imagine allowing write
> and blocking read, so really it's the case of wanting to allow read
> and disallow write. Is there actually a use-case for this? In all the
> "locked down" cases I've seen, both are desired.
>

Let’s suppose for the sake of argument that UEFI really has a good reason to block writes. Blocking reads (kprobes, perf, etc) sounds extremely annoying, especially if running a stock distro, and I’d much rather not do it unless there’s a specific use case that needs it.
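The exchange above turns on whether "locked down" should be one switch or a small ladder of levels in which blocking writes to /dev/mem-style interfaces is separable from blocking reads. The following is an added example, not code from the thread, from the patch set, or from the kernel: it models the three-level scheme Andy floats and shows how a userspace check (an inventory or detection script, say) would read the current level and decide which operations are blocked. The level names (none, integrity, confidentiality) and the sysfs format "none [integrity] confidentiality" at /sys/kernel/security/lockdown are assumptions taken from the lockdown LSM that later landed upstream; the message above only proposes "three modes" without naming them, and the sample file contents are constructed.

```python
"""Classify /dev/{mem,kmem,port}-style accesses under a three-level lockdown.

Added example; not the kernel's code. Level names and the sysfs format are
assumed (they match the later upstream lockdown LSM), the message above only
speaks of "three modes".
"""
from enum import IntEnum

LOCKDOWN_SYSFS = "/sys/kernel/security/lockdown"  # assumed path


class LockdownLevel(IntEnum):
    """Ordered so that a higher level implies every restriction below it."""
    NONE = 0             # no restrictions
    INTEGRITY = 1        # block writes that could modify the running kernel
    CONFIDENTIALITY = 2  # additionally block reads that expose kernel memory


def parse_lockdown(text: str) -> LockdownLevel:
    """Parse the sysfs lockdown file; the active level is the bracketed token.

    Example input (constructed): "none [integrity] confidentiality".
    """
    for tok in text.split():
        if tok.startswith("[") and tok.endswith("]"):
            name = tok[1:-1].upper()
            if name not in LockdownLevel.__members__:
                raise ValueError(f"unknown lockdown level: {name}")
            return LockdownLevel[name]
    raise ValueError("no active lockdown level marked in input")


def is_blocked(level: LockdownLevel, op: str) -> bool:
    """Return True if `op` ("read" or "write") on /dev/mem-style interfaces
    is blocked at `level`.  This is the read/write split under discussion:
    INTEGRITY blocks only writes, CONFIDENTIALITY blocks reads as well."""
    if op == "write":
        return level >= LockdownLevel.INTEGRITY
    if op == "read":
        return level >= LockdownLevel.CONFIDENTIALITY
    raise ValueError(f"unknown operation: {op}")


def access_matrix() -> dict:
    """Full (level, op) -> blocked table, useful when documenting a policy."""
    return {
        (lvl.name.lower(), op): is_blocked(lvl, op)
        for lvl in LockdownLevel
        for op in ("read", "write")
    }


def current_level(path: str = LOCKDOWN_SYSFS) -> LockdownLevel:
    """Read the live level; a kernel without the interface is treated as NONE
    (assumption: absence of the file means no lockdown support)."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_lockdown(fh.read())
    except FileNotFoundError:
        return LockdownLevel.NONE


# Constructed sample of the sysfs file contents, for offline use.
SAMPLE_SYSFS = "none [integrity] confidentiality\n"

if __name__ == "__main__":
    level = parse_lockdown(SAMPLE_SYSFS)
    print(f"sample level: {level.name.lower()}")
    for op in ("read", "write"):
        state = "blocked" if is_blocked(level, op) else "allowed"
        print(f"  /dev/mem {op}: {state}")
    live = current_level()
    print(f"live level on this host: {live.name.lower()}")
```

Run as a script it reports the constructed sample (writes blocked, reads allowed at integrity) and then the live level on the host, which will be "none" on any kernel that lacks the interface. The ordering of the enum is the design point: because each level is a superset of the one below, a policy only has to state the lowest level at which an operation becomes blocked.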