Received: by 10.213.65.68 with SMTP id h4csp3519448imn;
        Tue, 3 Apr 2018 06:27:43 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+HWWSrOzuw5czseP7hxDJty7Y+nHY3SClvpPk5hX0aS7gzu8lwRhRbZbYdJMne3+JEVSdk
X-Received: by 10.99.133.193 with SMTP id u184mr9239752pgd.141.1522762062977;
        Tue, 03 Apr 2018 06:27:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522762062; cv=none;
        d=google.com; s=arc-20160816;
        b=TnbG+329kFMC8LS9mHrJBXCcEEufqxvcWVXO6kFv+KVrZ831zeNx3iuwHVezjiogG5
         oXjkZj7YFAw7dDZkE4ttuxoLuLrBNuaHJXSEsfD1JrqxDI5FXBTDgQAgvgiqbx5qCWxK
         vJaV+oUg8urZKcSBcWykFCouP6WfvcArI2ydRWoI+1c1loagN/EAIIUkzrx/y4CIKwgX
         GwncbtCOQgax1R35cFXBaMMkYdHC8QOn23CuBBYidkuRH/8p2iPwtAF3cdwdFfvg7ZMc
         yG7QAZHlYAkOnKUGFBeZ3Af4YHq4J3slLajyzDwEyUwDn2RKGExcqdFMkEXVzzOp68MF
         +cpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=;
        b=Mn5XjX1ynEDHDVNGWdszpp/tj8uoXQ4V0ky3plvTqbNZwteQavacQWxvgbZ5G9QYzP
         lTJbISOkoymAqMHzji1DpcWhgWvZqPYjugPvbfCbUM8KsJGYzI53rO83ZboXZxzOTafv
         mBl/KryfH/5lkBOAiGiusB4DUodkRzNEFipMtdaFY9q+pasrj8/fm7LNpcFAfMKl0qQB
         pTjaJEuExSMOyfpNBSzZMQDU9JCmmBjI0t7sFrfqStDUFVcd7JG1FQT68f+Xpoj24RCp
         s86cDQnubDm94f3zpyvaIjZHHMkSya9tQl60yNhfqiCmqpQBRvmpAolA48GE85PLmPD7
         99VA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=IYsjcQaB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i1si2019132pgp.542.2018.04.03.06.27.28;
        Tue, 03 Apr 2018 06:27:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=IYsjcQaB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750805AbeDCN0D (ORCPT <rfc822;ivid.suvarna@gmail.com>
        + 99 others); Tue, 3 Apr 2018 09:26:03 -0400
Received: from mail-io0-f182.google.com ([209.85.223.182]:33704 "EHLO
        mail-io0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750728AbeDCN0B (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 09:26:01 -0400
Received: by mail-io0-f182.google.com with SMTP id l3so22017372iog.0
        for <linux-kernel@vger.kernel.org>; Tue, 03 Apr 2018 06:26:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=;
        b=IYsjcQaBzV9U4tkB0gLJEpyikD7/mgaPmYm6iB/wjoOQsoVnaqyFijAwmejd4tqdT/
         CGc8SWPSycicfsfPw6o6rr4ezVsnSzAoXAdhPUZlnxo9+3pBzyFofLdUH1iNcaO8/v9g
         fqLjFSgtkGkUvjJHfyvP7EAHTu3r/zBr7QZaM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=LPSVhxgM9qIRcjceJDHAx2SKV9YJTfpMLzdJh2nsfrs=;
        b=qOHJh7RqCnFIrlhYMvYv6R/ijdcqkJQIo9kjhveQqaZQBQKQR8wnixAAFyT9ZcsVm0
         CT1YMDupnExnRuVeNHrVTLccUPocibvupyHG7ajqyOobl0RaaVMd0Cb8wu8WWrqWUDFD
         GyImVTbH2u+uSpVfmt0WoMwniFLUfyrEuGAC3Jd1pfPxfmEqxABQt1YzGLbL+KkPP4lY
         4By9O/QxA3OcdSRcTdKnV74gZG4z2yZfrFD4u5X7mApvsY7oQyuQlhZdba5D390994PK
         TXXxeAtoK4/0U4DmczhW4kRv8rDGMcj/hKdGt9Lv7uY2BR/VxBWrZVlSQR/ODDc2n6jd
         Bd1A==
X-Gm-Message-State: ALQs6tDpQ1YDkY+eSm+ew+ei6sYEIiMpEG0zdlH9EyLVn6t6HPY74kmv
        LXRWZcTgEyk2B7Hy1H58yfn66z4VDx1ArK23ZuTAFg==
X-Received: by 10.107.164.17 with SMTP id n17mr12130014ioe.173.1522761956931;
 Tue, 03 Apr 2018 06:25:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.187.67 with HTTP; Tue, 3 Apr 2018 06:25:56 -0700 (PDT)
In-Reply-To: <17792.1522491600@warthog.procyon.org.uk>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <17792.1522491600@warthog.procyon.org.uk>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Tue, 3 Apr 2018 15:25:56 +0200
Message-ID: <CAKv+Gu9Na0j=T4syinQhPNZTnbhvnpDXR+Za73EmH3FFXV6KHA@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     David Howells <dhowells@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Kees Cook <keescook@chromium.org>
Cc:     James Morris <jmorris@namei.org>,
        One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
        linux-efi@vger.kernel.org, Matthew Garrett <mjg59@google.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org,
        joeyli <jlee@suse.com>,
        linux-security-module <linux-security-module@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

(+ Andy and Kees so they can respond to the thread)

On 31 March 2018 at 12:20, David Howells <dhowells@redhat.com> wrote:
> James Morris <jmorris@namei.org> wrote:
>
>> Are there any known coverage gaps now?
>
> I've covered all the ones I know about.
>

Andy (and Kees) responded to this without keeping all the cc's. Given
that I share Andy's concern wrt the general nature of these patches, I
will reiterate them here.

First of all, in my experience, when introducing any kind of 'secure'
mode, people will immediately assume that everything they use the
system for will be more secure going forward, and so they are more
likely to let their guard down, resulting in a less secure situation
than we started out with. So I already argued for calling this a
'lockdown policy' which is a clearly communicated as a best effort
attempt to make the system more robust against inadvertent
modifications, and documenting/logging clearly what it actually
*means*. The latter is especially important because many of these
things are arch specific, and need to be implemented for each arch
individually in order to take effect on them. Also, v4.17 lockdown
will most likely be different from v4.18 lockdown.

Furthermore, there is a fundamental deviation from common security
sense here, where things like command line parameters and other
lockdown specific tunables are blacklisted rather than whitelisted,
and so rather than locking everything down and re-enabling only once
what needs to be re-enabled for the system to work, we are now forever
going to have to track a moving target, where it is someone's job to
ensure that incoming changes don't regress lockdown mode on any of the
architectures it supports.

If the distros are shipping their kernels with these patches applied
to adhere to some kind of requirements imposed by MicroSoft in order
for them to be willing to sign shim images, can we please involve
those into the discussion as well? It seems to me that this is a
solution without a problem statement, and I would like to fully
understand the problem before reasoning about the solution.

-- 
Ard.