Received: by 10.213.65.68 with SMTP id h4csp3712586imn; Tue, 3 Apr 2018 09:28:19 -0700 (PDT) X-Google-Smtp-Source: AIpwx49nwnQXleilboYyfG8Y+Jhq759zqKTBkRVHGnutIaOzmBuvF2syrtfamh2meJhyEUgm/mjB X-Received: by 10.99.190.75 with SMTP id g11mr9564463pgo.127.1522772899378; Tue, 03 Apr 2018 09:28:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522772899; cv=none; d=google.com; s=arc-20160816; b=n5v6+TYkgFULUXoptj7Vjf59rIp31b9K/8FXopEm+6V+C7QWLCiN6f7T2Tm964ZKiB tvtlb2qHJAERV9kmJ4PAK49jveZratlfOVnbz/+0EeDvKTDAJBuq7Sd6OTEoq4HkcpIe f86Y6Q41jF4ZN3cl0YPDopovOeP7iFn397bpEUERlwAuE+wzffUNzl+vsp6sObqPPJPG QN+E6zAGO1fHBICtpmAw5H+l1RVkDYjSxGoC29SI8jsMdzR8xT1VyXfCjJ3rYi72JBNJ jQhVXSWCGmoRcfFd9S5Nepr9xv8WMNjptMr672/JCcf7PfFYn/521AiiE2UErYAvIpqQ TIFw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=h1dlx3RRalb0QxXCcKYmVJ8KRxP4U2AtVe9FsoKvaDQ=; b=a1nzhxr2EQhCeHb8mtUMPD+N4kMPecmITAKajRyvpfezPHs7PPhh4ZmrJlUXDuWr6m HY2XsT32GZleXl8B0fWrnZ6BMrFPhh6RtLLY57pDZvDT7kGypa+kizHfm95lO2JenX40 KIYgtXkB2R4SrX7BRwXOa/iaqMpPpwZBM6qs3QtjqDTc0lA0PJooU3tzno0omrS4lvGv ntcZlnM8APY2iWtt0AfYw6UCmwczbFBKCsmL8oS4V6TLm8hhOPxAiYKJNWM+GfvLHaAs 1EqXxf0gkswA6O4fRLKUu+OAqCmB3pMttvdAZu9kDehs9ceXh96eD97AU8RSnYHDUVx2 R5Sw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k191si2190752pgd.449.2018.04.03.09.28.04; Tue, 03 Apr 2018 09:28:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751904AbeDCQ0u (ORCPT + 99 others); Tue, 3 Apr 2018 12:26:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:48616 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751447AbeDCQ0r (ORCPT ); Tue, 3 Apr 2018 12:26:47 -0400 Received: from mail-it0-f54.google.com (mail-it0-f54.google.com [209.85.214.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3537521837 for ; Tue, 3 Apr 2018 16:26:47 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 3537521837 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-it0-f54.google.com with SMTP id e98-v6so23551186itd.4 for ; Tue, 03 Apr 2018 09:26:47 -0700 (PDT) X-Gm-Message-State: ALQs6tAr6VeCvs0X084RQ6yQLGjWspkQZRxIoJ6B8nVmySTxQemg9GMj Ql/3W2OBQxKeGvTNCJPacPLr6dck2Zu08+E+gtZtBw== X-Received: by 2002:a24:2d0d:: with SMTP id x13-v6mr5629152itx.54.1522772806481; Tue, 03 Apr 2018 09:26:46 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Tue, 3 Apr 2018 09:26:26 -0700 (PDT) In-Reply-To: <20180403154156.f37wrzjhuvijzi2i@ast-mbp.dhcp.thefacebook.com> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <20180403154156.f37wrzjhuvijzi2i@ast-mbp.dhcp.thefacebook.com> From: Andy Lutomirski Date: Tue, 3 Apr 2018 09:26:26 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Alexei Starovoitov Cc: Andy Lutomirski , David Howells , Ard Biesheuvel , James Morris , One Thousand Gnomes , Linus Torvalds , Matthew Garrett , Greg KH , LKML , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 8:41 AM, Alexei Starovoitov wrote: > On Tue, Apr 03, 2018 at 08:11:07AM -0700, Andy Lutomirski wrote: >> > >> >> "bpf: Restrict kernel image access functions when the kernel is locked down": >> >> This patch just sucks in general. >> > >> > Yes - but that's what Alexei Starovoitov specified. bpf kind of sucks since >> > it gives you unrestricted access to the kernel. >> >> bpf, in certain contexts, gives you unrestricted access to *reading* >> kernel memory. bpf should, under no circumstances, let you write to >> the kernel unless you're using fault injection or similar. >> >> I'm surprised that Alexei acked this patch. If something like XDP or >> bpfilter starts becoming widely used, this patch will require a lot of >> reworking to avoid breaking standard distros. > > my understanding was that this lockdown set attemps to disallow _reads_ > of kernel memory from anything, so first version of patch was adding > run-time checks for bpf_probe_read() which is no-go > and without this helper the bpf for tracing is losing a lot of its power, > so the easiest is to disable it all. Fair enough. > I think lockdown suppose to disable xdp, bpfilter, nflog, raw sockets + pcap too > otherwise even cap_net_admin can see traffic coming into host. > Similarly kprobe, perf_event, ftrace should be off as well? > I'm reasonably sure that lockdown is not intended to be this far reaching. cap_net_admin can see traffic coming into the host, and I don't think lockdown is intended to change that. David, I think this is exactly why you need to define what "lockdown" means. As it stands, the best argument I've seen involves "blacklisting", but that's a political thing and almost no one involved has any ability to evaluate it. Right now there's a series of patches that check for "lockdown" and seem to disable things that make someone uncomfortable. That's not a good way to design a security feature.