Received: by 10.213.65.68 with SMTP id h4csp3519448imn; Tue, 3 Apr 2018 06:27:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+HWWSrOzuw5czseP7hxDJty7Y+nHY3SClvpPk5hX0aS7gzu8lwRhRbZbYdJMne3+JEVSdk X-Received: by 10.99.133.193 with SMTP id u184mr9239752pgd.141.1522762062977; Tue, 03 Apr 2018 06:27:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522762062; cv=none; d=google.com; s=arc-20160816; b=TnbG+329kFMC8LS9mHrJBXCcEEufqxvcWVXO6kFv+KVrZ831zeNx3iuwHVezjiogG5 oXjkZj7YFAw7dDZkE4ttuxoLuLrBNuaHJXSEsfD1JrqxDI5FXBTDgQAgvgiqbx5qCWxK vJaV+oUg8urZKcSBcWykFCouP6WfvcArI2ydRWoI+1c1loagN/EAIIUkzrx/y4CIKwgX GwncbtCOQgax1R35cFXBaMMkYdHC8QOn23CuBBYidkuRH/8p2iPwtAF3cdwdFfvg7ZMc yG7QAZHlYAkOnKUGFBeZ3Af4YHq4J3slLajyzDwEyUwDn2RKGExcqdFMkEXVzzOp68MF +cpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=; b=Mn5XjX1ynEDHDVNGWdszpp/tj8uoXQ4V0ky3plvTqbNZwteQavacQWxvgbZ5G9QYzP lTJbISOkoymAqMHzji1DpcWhgWvZqPYjugPvbfCbUM8KsJGYzI53rO83ZboXZxzOTafv mBl/KryfH/5lkBOAiGiusB4DUodkRzNEFipMtdaFY9q+pasrj8/fm7LNpcFAfMKl0qQB pTjaJEuExSMOyfpNBSzZMQDU9JCmmBjI0t7sFrfqStDUFVcd7JG1FQT68f+Xpoj24RCp s86cDQnubDm94f3zpyvaIjZHHMkSya9tQl60yNhfqiCmqpQBRvmpAolA48GE85PLmPD7 99VA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IYsjcQaB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i1si2019132pgp.542.2018.04.03.06.27.28; Tue, 03 Apr 2018 06:27:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=IYsjcQaB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750805AbeDCN0D (ORCPT + 99 others); Tue, 3 Apr 2018 09:26:03 -0400 Received: from mail-io0-f182.google.com ([209.85.223.182]:33704 "EHLO mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750728AbeDCN0B (ORCPT ); Tue, 3 Apr 2018 09:26:01 -0400 Received: by mail-io0-f182.google.com with SMTP id l3so22017372iog.0 for ; Tue, 03 Apr 2018 06:26:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=; b=IYsjcQaBzV9U4tkB0gLJEpyikD7/mgaPmYm6iB/wjoOQsoVnaqyFijAwmejd4tqdT/ CGc8SWPSycicfsfPw6o6rr4ezVsnSzAoXAdhPUZlnxo9+3pBzyFofLdUH1iNcaO8/v9g fqLjFSgtkGkUvjJHfyvP7EAHTu3r/zBr7QZaM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=; b=qOHJh7RqCnFIrlhYMvYv6R/ijdcqkJQIo9kjhveQqaZQBQKQR8wnixAAFyT9ZcsVm0 CT1YMDupnExnRuVeNHrVTLccUPocibvupyHG7ajqyOobl0RaaVMd0Cb8wu8WWrqWUDFD GyImVTbH2u+uSpVfmt0WoMwniFLUfyrEuGAC3Jd1pfPxfmEqxABQt1YzGLbL+KkPP4lY 4By9O/QxA3OcdSRcTdKnV74gZG4z2yZfrFD4u5X7mApvsY7oQyuQlhZdba5D390994PK TXXxeAtoK4/0U4DmczhW4kRv8rDGMcj/hKdGt9Lv7uY2BR/VxBWrZVlSQR/ODDc2n6jd Bd1A== X-Gm-Message-State: ALQs6tDpQ1YDkY+eSm+ew+ei6sYEIiMpEG0zdlH9EyLVn6t6HPY74kmv LXRWZcTgEyk2B7Hy1H58yfn66z4VDx1ArK23ZuTAFg== X-Received: by 10.107.164.17 with SMTP id n17mr12130014ioe.173.1522761956931; Tue, 03 Apr 2018 06:25:56 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.187.67 with HTTP; Tue, 3 Apr 2018 06:25:56 -0700 (PDT) In-Reply-To: <17792.1522491600@warthog.procyon.org.uk> References: <4136.1522452584@warthog.procyon.org.uk> <17792.1522491600@warthog.procyon.org.uk> From: Ard Biesheuvel Date: Tue, 3 Apr 2018 15:25:56 +0200 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: David Howells , Andy Lutomirski , Kees Cook Cc: James Morris , One Thousand Gnomes , linux-efi@vger.kernel.org, Matthew Garrett , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, joeyli , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org (+ Andy and Kees so they can respond to the thread) On 31 March 2018 at 12:20, David Howells wrote: > James Morris wrote: > >> Are there any known coverage gaps now? > > I've covered all the ones I know about. > Andy (and Kees) responded to this without keeping all the cc's. Given that I share Andy's concern wrt the general nature of these patches, I will reiterate them here. First of all, in my experience, when introducing any kind of 'secure' mode, people will immediately assume that everything they use the system for will be more secure going forward, and so they are more likely to let their guard down, resulting in a less secure situation than we started out with. So I already argued for calling this a 'lockdown policy' which is a clearly communicated as a best effort attempt to make the system more robust against inadvertent modifications, and documenting/logging clearly what it actually *means*. The latter is especially important because many of these things are arch specific, and need to be implemented for each arch individually in order to take effect on them. Also, v4.17 lockdown will most likely be different from v4.18 lockdown. Furthermore, there is a fundamental deviation from common security sense here, where things like command line parameters and other lockdown specific tunables are blacklisted rather than whitelisted, and so rather than locking everything down and re-enabling only once what needs to be re-enabled for the system to work, we are now forever going to have to track a moving target, where it is someone's job to ensure that incoming changes don't regress lockdown mode on any of the architectures it supports. If the distros are shipping their kernels with these patches applied to adhere to some kind of requirements imposed by MicroSoft in order for them to be willing to sign shim images, can we please involve those into the discussion as well? It seems to me that this is a solution without a problem statement, and I would like to fully understand the problem before reasoning about the solution. -- Ard.