Received: by 10.213.65.68 with SMTP id h4csp3872939imn; Tue, 3 Apr 2018 12:09:11 -0700 (PDT) X-Google-Smtp-Source: AIpwx486RcEDLCn9W+z4m/PwfO58u5LZKJl/hW/JrlIctd4V3xlmYf2ddHHi9VTmmGbliNRiojjq X-Received: by 2002:a17:902:51ce:: with SMTP id y72-v6mr15180581plh.157.1522782551823; Tue, 03 Apr 2018 12:09:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522782551; cv=none; d=google.com; s=arc-20160816; b=G1xmKG1HEcJyE/CS0XWiZK38yN+NI7LjbWDfqmPxSq8tSJXMXZmhIkhHcjI/+A1+t0 jh12JL4rNe+0FHCJoXjouD0DVdtc/ujHbls0Kl/WDyAMP1KLNqzB1/6i1P9R0U5r77cY LavxDJXKGCNH0LLEt8cHp3trgqPpLWqhvS/tLSIU+M5l3yxQxBaZcQ2Iv7IIeZ2CZKf6 j5cX+qk3pVWmpoaICwrYISwAj3gkCPULboByrymFuV4jfIO5F2dCUFWmnT0YUsDF/Seg XzjhkCuwHi999dAcuFUkv3EXU7LsGMhVzDD00YRKqr4wDdPnf1RZ88or4iPp5ohmYOkV awbw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=lKCyJKjH2x2vacLlvWcBuDrznSby3Aac+hGORJjD3UY=; b=qXq/H90900DttF/HD5GOc0Ro9wV6hLOnQMYVtZZ6VVGYERnq6UVSgX4HFaywC+g5Az 6915pgWi+s5s6yM3c/hEnkjL44fx035Akys3z6p8UXSx1KP7wWe/FpRSN9YzU2kYy6Zx 2RFZn7Kr7KL27WGa4Z56QSfSveHjlXJiHKLsK3mYgP2wis/fbm1BLBC1r3F5ttZvHiWg iANPnqeg1fokF9IumJcmuRwS9pD6CzLHNLkTq1Ejgf+fwCxSaGJeCwpvk3yuRYQ7Ddnh p8XEh2mlU+5n6PiHwNx1TYADDNRZHA6DxUODJHAkJjwpRihqZ0JbEb13bX0hEwQOJP17 gGrw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=lzUGREqx; dkim=fail header.i=@chromium.org header.s=google header.b=FOp2W4KV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t13si2417048pgo.247.2018.04.03.12.08.57; Tue, 03 Apr 2018 12:09:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=lzUGREqx; dkim=fail header.i=@chromium.org header.s=google header.b=FOp2W4KV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753292AbeDCTHl (ORCPT + 99 others); Tue, 3 Apr 2018 15:07:41 -0400 Received: from mail-vk0-f68.google.com ([209.85.213.68]:40460 "EHLO mail-vk0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752863AbeDCTHi (ORCPT ); Tue, 3 Apr 2018 15:07:38 -0400 Received: by mail-vk0-f68.google.com with SMTP id x204so4356025vkd.7 for ; Tue, 03 Apr 2018 12:07:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=lKCyJKjH2x2vacLlvWcBuDrznSby3Aac+hGORJjD3UY=; b=lzUGREqxhkzQ+CaQb9m2jWm1zorA6fVTxO1f+LlMYSoft7SSDEH0QW1zxBnUl5OtbC VHvIVY1tV0bKLxz5xqKiq8NuRPmWQp/w6GP1o7prdvNFOCkpkgFEDVq0XpiI6tH9CS8g CYw5y2SG3vc2e9cZECxbXT/5aIA5ieyYVySL18svp8hJuwc4jzyel3h0Iarr/rxjxodi QTFFc1/28mrvEtMNo9qSJU71LJc5fTxM1ellilM3g4NyqobcXT6BolTk6xmmhM8OwEup CpqJBGbJou7dcfPVeWg62MVET68hcnuFN2Anx1QoxkZL7YKNRH1hD41pHwzaP8qNzx87 JhsQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=lKCyJKjH2x2vacLlvWcBuDrznSby3Aac+hGORJjD3UY=; b=FOp2W4KV6IICHNbJ542kkqvSbNd8bdOvqc26gMWAHALCQV5UK6sieClrmaND6uWEcQ Twum30UCvl7huAYgGjbPYQBbmWNvTmy8XP1Ih2iUrvBYViy31Gmns+tsMthivTnEHR8c 9BEyPVQM2djmLifzC3T7wRJnQPZ9QpthQyEmk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=lKCyJKjH2x2vacLlvWcBuDrznSby3Aac+hGORJjD3UY=; b=sNeEhNHGUsn/twWNDDLV1jPZmHoDgULjEtJxUJCT5WelEsw8A5g1qtzqVJTVQHwsAM 0qE0IrUH4h/IvP3uRUqsoR481e2aqnz4i9L7dbixLXczMDmGiObRlmQx2IfPUv9u382n TyZwwWUduabr9rdNzc+p1vQ8/PExmlqpSngLNkHZvyNM8PeVQ71Vrr0COURj3IKygSNi DbNMUFKRwdVkBRIBExRvD/qrRhq0Y5UU7stoB3orpAKCXilaQn5egOJtRFC2U62ACZdz p3h/cssq/f39vJHP2wbdBgjci6Ih537LkEoVCe3xhT02FQewWUeiXqLYQnB7w9tjhtsp c+zg== X-Gm-Message-State: ALQs6tDvJ8SrFZEsoROO9iCS4Kmw54N9ibwxGznq9xitQuNSDuqwMEI/ nEVjcQFlaLsXvUQ0ZodBRYhVsvHkNhvhO4P5PGCQwQ== X-Received: by 10.31.152.214 with SMTP id a205mr9215799vke.96.1522782457038; Tue, 03 Apr 2018 12:07:37 -0700 (PDT) MIME-Version: 1.0 Received: by 10.31.164.81 with HTTP; Tue, 3 Apr 2018 12:07:36 -0700 (PDT) In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> From: Kees Cook Date: Tue, 3 Apr 2018 12:07:36 -0700 X-Google-Sender-Auth: QuJdwBm2zGPSqTG4VHeZDFp9IKI Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Andy Lutomirski Cc: Matthew Garrett , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 12:01 PM, Andy Lutomirski wrote: > On Tue, Apr 3, 2018 at 11:45 AM, Kees Cook wrote: >> On Tue, Apr 3, 2018 at 9:45 AM, Andy Lutomirski wrote: >>> On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett wrote: >>>> On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski wrote: >>>>> Can you explain that much more clearly? I'm asking why booting via >>>>> UEFI Secure Boot should enable lockdown, and I don't see what this has >>>>> to do with kexec. And "someone blacklist[ing] your key in the >>>>> bootloader" sounds like a political issue, not a technical issue. >>>> >>>> A kernel that allows users arbitrary access to ring 0 is just an >>>> overfeatured bootloader. Why would you want secure boot in that case? >>> >>> To get a chain of trust. I can provision a system with some public >>> keys, stored in UEFI authenticated variables, such that the system >>> will only boot a signed image. That signed image, can, in turn, load >>> a signed (or hashed or otherwise verfified) kernel and a verified >>> initramfs. The initramfs can run a full system from a verified (using >>> dm-verity or similar) filesystem, for example. Now it's very hard to >>> persistently attack this system. Chromium OS does something very much >>> like this, except that it doesn't use UEFI as far as I know. So does >>> iOS, and so do some Android versions. >> >> Correct, Chrome OS does not use UEFI, and we still want this patch >> series, as it plugs all the known "intentional" escalation paths from >> uid-0 to ring-0. Happily, that means all the politics around the UEFI >> and Secure Boot case can be ignored, because those issues are specific >> to Secure Boot, not the lockdown series. (They are _related_, sure, >> but lockdown isn't only about Secure Boot -- it's just that SB is one >> of the widely deployed implementations of this kind of >> trust-chain-booting-thing. Chrome OS and Android's Verified Boot do >> similar things and have the same expectations about the uid-0/ring-0 >> separation.) >> >> The goal for that bright line on Chrome OS and Android is to stop >> attack persistence. We want to know that a reboot onto a new kernel >> and OS image will actually result in getting the desired system state, >> and that any attack on persistent system data (even for things running >> with full root privileges) can't result in using kernel interfaces to >> gain kernel control. This isn't expected to be _perfect_, since >> nothing is. But it creates a place to work from. The idea that uid-0 >> is NOT ring-0 is still relatively new, so the existing designs in the >> kernel aren't well suited to building that distinction. I view this >> series as a solid first step to getting there, though. > > But wouldn't Chrome OS possibly want to lock down kernel memory write > vectors but not read vectors? After all, debugging is useful even on > Chrome OS. Chrome OS absolutely wants to block writing. We also want to block reading as much as we possibly can, though yes we bump up against debugging in that quest. But those cases are manageable and specific, IMO. -Kees -- Kees Cook Pixel Security