Received: by 10.213.65.68 with SMTP id h4csp3200174imn; Tue, 3 Apr 2018 00:08:35 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+OvgaTBiJ9KyRUauz5GOAZHUyFSBlG1K+CsnDsFjq8AFQeqESZWzW/Hltcpes4pj6hP0qk X-Received: by 10.101.88.76 with SMTP id s12mr8330467pgr.423.1522739315246; Tue, 03 Apr 2018 00:08:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522739315; cv=none; d=google.com; s=arc-20160816; b=qISGSyxsx4kUi555AB63LPzQrTvHZyG7PGeRi24sqVgQTKE/yTYlJc6jA6gMgD4X56 a0DputI9d4c31ULBYXXls9ip6e09igVvgEGMbWgLHgXgMqgt/LBNll4XzONI2AzLiXC2 ehs1ru11OyJ8rcMYpYiC42k+cZacWE3aHk/FTgBYOU4252I/hNgP5CpqwfYQAtvPvx4k WFfyLj+Qh/mxmEDrjbup6CyZP24t7w3Ia18gouS+kUjfZkG9KAX8OapGqgo3kvcuyIj0 Sxx3CF2eLv0sHSp/6DejNPRBN5Hh5pexFhDKVzDgG9tFNNENzKSVcCHeOyrx+xTeepeN CtYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-transfer-encoding :content-id:mime-version:subject:cc:to:references:in-reply-to:from :organization:arc-authentication-results; bh=YeXba9jDnVb9OVO6ZyWGKXMxWG2/Vh6IkQdiVD+Y/YU=; b=kv3H7t4BfyqGuiKA05FeCBNg0rsq0Y40WEZZU1byRuoRwkbBqJBESrFuD+SUx6cvCL XvUoQSpCIb//NAtYWGs5QrS0sSqSaPSKMl328BxvDPwhu88XQd2GzLsTkV2Xtt3c4poc A/cUtPIEpsxDqJQdX/KxiUeatIxEM4fubDqLnnDOjgcYT8FmQE+krEJTDxcf2sOcVWQy f5AYlnhpjmw2hSPxc6N7Yi46b9u5qBadyT44F0XobYBLMC074VMfgaHtvcX/xH4RfLQz I9BzRMZzhbiy7FgSsnt8/8TkEy/MAMukaTbunXT+VZABlZq90QWDjey3IXu29Jzvfhj2 GYeg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k13si1511720pgr.124.2018.04.03.00.08.21; Tue, 03 Apr 2018 00:08:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754750AbeDCHHG convert rfc822-to-8bit (ORCPT + 99 others); Tue, 3 Apr 2018 03:07:06 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:41968 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754272AbeDCHHD (ORCPT ); Tue, 3 Apr 2018 03:07:03 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 83ADE406802D; Tue, 3 Apr 2018 07:07:02 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-59.rdu2.redhat.com [10.10.120.59]) by smtp.corp.redhat.com (Postfix) with ESMTP id 02112202698A; Tue, 3 Apr 2018 07:06:59 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> References: <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <4136.1522452584@warthog.procyon.org.uk> To: Andy Lutomirski Cc: dhowells@redhat.com, James Morris , gnomes@lxorguk.ukuu.org.uk, Linus Torvalds , mjg59@google.com, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, linux-security-module@vger.kernel.org, Linux API , Kees Cook Subject: Re: [GIT PULL] Kernel lockdown for secure boot MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <30458.1522739219.1@warthog.procyon.org.uk> Content-Transfer-Encoding: 8BIT Date: Tue, 03 Apr 2018 08:06:59 +0100 Message-ID: <30459.1522739219@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Tue, 03 Apr 2018 07:07:02 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Tue, 03 Apr 2018 07:07:02 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Andy Lutomirski wrote: > This is an attempt at a review. I'm replying here because I can't find the > actual relevant patch emails. This was the latest post: https://lkml.org/lkml/2017/11/9/660 and they were posted multiple times before that, plus distributions, such as Fedora, have been carrying them for a long while. > For the rest of this review, I'm going to pretend that you actually want two > features: "try-prevent-root-from-corrupting-the-kernel" and > "try-to-prevent-root-from-reading-kernel-memory". It theoretically boils down into those two, but the line is blurrier than you think. Further, some of the vectors that can be used to do one can potentially do the other also and it starts getting to be a lot of extra work to distinguish the two. > I do *not* see why the mere act of using Secure Boot should have this > effect. To be able to pass secure boot mode over kexec, you have to make sure that the kernel image doesn't get corrupted, lest someone blacklist your signing key in the bootloader. > In particular, UEFI Secure Boot should *not* enable > "try-to-prevent-root-from-reading-kernel-memory", which means that, unless > you actually implement the split, you should drop a bunch of the patches. Yes it should. If someone can read your kernel image, they can steal the crypto keys you use to encrypt your filesystem. > "Restrict /dev/{mem,kmem,port} when the kernel is locked down": this should > probably split into one restriction for read and one for write. Not so for /dev/port. Read & Write here are _not_ the same as Read & Write on, say, /dev/mem. In fact, if /dev/mem gives you access to mmio ports, then the same applies there. Btw, Fedora hasn't even provided /dev/kmem for a while. > "bpf: Restrict kernel image access functions when the kernel is locked down": > This patch just sucks in general. Yes - but that's what Alexei Starovoitov specified. bpf kind of sucks since it gives you unrestricted access to the kernel. > "debugfs: Restrict debugfs when the kernel is locked down": The logic is IMO > nutty. Why the 0444 restriction? I see no reason that reading a 0644 file > should be treated any differently from reading a 0444 file. Yes. IMO it should be locked down entirely. However, it's been abused and there are things in there that are apparently needed (ie. it's not debugging-only now); unfortunately, it *also* contains files that directly map hardware. > "efi: Lock down the kernel if booted in secure boot mode": you have a stray > change in fs/debugfs/inode.c in here. Good catch, thanks. > Also, as above, I really dislike this patch. You dislike everything, but you didn't say so any of the times these patches were posted... > "lockdown: Print current->comm in restriction messages": Shouldn't this be > folded in with whatever patch added that code in the first place? Perhaps, but at the time I added it, I didn't want to go back and change the existing patches again. If I have to do so, I'll fold it in then. David