Received: by 10.213.65.68 with SMTP id h4csp3866516imn; Tue, 3 Apr 2018 12:02:58 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/Ak5t3hn2Lk0zGSNanN8uMj9ky5iWMvPYRbQUy+Qr2UgWdVysETSuDIgByJo4nSG1dnJ93 X-Received: by 10.99.100.68 with SMTP id y65mr10066673pgb.257.1522782178397; Tue, 03 Apr 2018 12:02:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522782178; cv=none; d=google.com; s=arc-20160816; b=KMt+u4zK2xHxsB8HvzjRJJeP2OUwRmOXNF9z6jTK3gqdok30Rc+RwJVNnsOVKZA3wR pAav/TaO9KHyOuNJiYIsBL7SkGTrq3IImQbEwPHCcBTftn5HDLq0wSn2QVPIIojg9BFU a0TSEkaTlVT+P/FaVhW9IcqJJYHwf/0g/+XHftb/3HRqqzjduuacLMen3ll342i+eXLr Cs3BilKoTTJzcf0KbqGnUFtGqww1UtTQvYwyQ2cR8mJEgb28Ro3ZzssVCnBuOFsmZWXR zdS9eOXJ/OXRg2CorLieoiOZfjJXQz+1gbRIaeMSLD2moLccWmiNrKZ8D1nue4zxRtCd zMAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=fWm2ovdp8xa/Fty+RyTrIUdfcWHKAUk9oftHZGMFBeg=; b=uSdRJ7gQcBOAzHKCdBu4t4dmuhLFrR78fu5G4YThrz6yNuYqynQLaF0eUvvzzWyCfH MpT5bWEuTf/uBTL5pk2WdkRRGvpYuSujZ4c9lsPZVXrnlapTThh46XctUMk5kGObMFDO 8oYe4AIsGvcHTqQafH6rQx5d5Rc3LO6ztqW5/hXHmyzKDaFih9OYMA4yivQtvBW6YLBr nkDzB8f+UzVQIm5gPKlMmq+DHgnrJigSX5BzPIfU60Zm3uNbxWBZsGXyZY4KUVl9bfOx ebDx4gbj2YUbA0rrOvw4nFQwey5ctvR7yswae5D1NAJ0/Lox3j3tHhOvg/6E7CR6TJqT 4teg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n24si2570472pff.382.2018.04.03.12.02.44; Tue, 03 Apr 2018 12:02:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753183AbeDCTBZ (ORCPT + 99 others); Tue, 3 Apr 2018 15:01:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:35026 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752881AbeDCTBX (ORCPT ); Tue, 3 Apr 2018 15:01:23 -0400 Received: from mail-it0-f49.google.com (mail-it0-f49.google.com [209.85.214.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6C0E421837 for ; Tue, 3 Apr 2018 19:01:22 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 6C0E421837 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-it0-f49.google.com with SMTP id 19-v6so24171515itw.3 for ; Tue, 03 Apr 2018 12:01:22 -0700 (PDT) X-Gm-Message-State: ALQs6tApfimeK6JL3HE6faaKwqXKIHOWMv62PAQDB5DhO2nOfD+i+4fY 9fN2Do3pyQk4J7GzQeMh46YqBiDD1PiigzBAKaojvQ== X-Received: by 2002:a24:2d0d:: with SMTP id x13-v6mr6179805itx.54.1522782081597; Tue, 03 Apr 2018 12:01:21 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Tue, 3 Apr 2018 12:01:01 -0700 (PDT) In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> From: Andy Lutomirski Date: Tue, 3 Apr 2018 12:01:01 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Kees Cook Cc: Andy Lutomirski , Matthew Garrett , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 11:45 AM, Kees Cook wrote: > On Tue, Apr 3, 2018 at 9:45 AM, Andy Lutomirski wrote: >> On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett wrote: >>> On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski wrote: >>>> Can you explain that much more clearly? I'm asking why booting via >>>> UEFI Secure Boot should enable lockdown, and I don't see what this has >>>> to do with kexec. And "someone blacklist[ing] your key in the >>>> bootloader" sounds like a political issue, not a technical issue. >>> >>> A kernel that allows users arbitrary access to ring 0 is just an >>> overfeatured bootloader. Why would you want secure boot in that case? >> >> To get a chain of trust. I can provision a system with some public >> keys, stored in UEFI authenticated variables, such that the system >> will only boot a signed image. That signed image, can, in turn, load >> a signed (or hashed or otherwise verfified) kernel and a verified >> initramfs. The initramfs can run a full system from a verified (using >> dm-verity or similar) filesystem, for example. Now it's very hard to >> persistently attack this system. Chromium OS does something very much >> like this, except that it doesn't use UEFI as far as I know. So does >> iOS, and so do some Android versions. > > Correct, Chrome OS does not use UEFI, and we still want this patch > series, as it plugs all the known "intentional" escalation paths from > uid-0 to ring-0. Happily, that means all the politics around the UEFI > and Secure Boot case can be ignored, because those issues are specific > to Secure Boot, not the lockdown series. (They are _related_, sure, > but lockdown isn't only about Secure Boot -- it's just that SB is one > of the widely deployed implementations of this kind of > trust-chain-booting-thing. Chrome OS and Android's Verified Boot do > similar things and have the same expectations about the uid-0/ring-0 > separation.) > > The goal for that bright line on Chrome OS and Android is to stop > attack persistence. We want to know that a reboot onto a new kernel > and OS image will actually result in getting the desired system state, > and that any attack on persistent system data (even for things running > with full root privileges) can't result in using kernel interfaces to > gain kernel control. This isn't expected to be _perfect_, since > nothing is. But it creates a place to work from. The idea that uid-0 > is NOT ring-0 is still relatively new, so the existing designs in the > kernel aren't well suited to building that distinction. I view this > series as a solid first step to getting there, though. > But wouldn't Chrome OS possibly want to lock down kernel memory write vectors but not read vectors? After all, debugging is useful even on Chrome OS. --Andy