Received: by 10.213.65.68 with SMTP id h4csp3891991imn; Tue, 3 Apr 2018 12:31:25 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+fHvX3vdlPD6joTWJfsKFy8PXSTgTySUnsUWNGePxQ26XPbuejfBQrd5UcwbHikekIpSPv X-Received: by 10.101.75.66 with SMTP id k2mr9925709pgt.66.1522783885679; Tue, 03 Apr 2018 12:31:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522783885; cv=none; d=google.com; s=arc-20160816; b=B4TlJgTXbwu8+wGsIa3T0PRtZtEm8/QcCVv+Ip5Wu7baA3lKKDPiTE+9uvZTvZiLX+ +sOcj4gwAh95LQ7n/N+3cFs05TnqJMK4aS+wZVSyeEihkktpK245F29xvsCx6IeJsEeE ySat5Zaw1DDwp57L5ZY4Ak+PIo+fopbzuEU1QTY8SDd+NpvJPuLHn1niBQvEnSpR7fCC JB8laCdGcEU47iTMIfhF6nUhYCVoh4qPeNvX7A8PEtYWTPAlNcKkNFN9qam+nc8UiVJr Pusuu6cJ3RwKuNKI6gzNzgkXckXcRm+ZXea3enbkbvvRJxEXViXbhKaGtK1uKQVXBTWM rImQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=BKK44XBCWuobLjb8DPS1uZcBZUHkFx0bcHOm0HCpoyw=; b=co9rxu1SPDXGCfO5lo7ywETc2W/RpnZy9foh53x89gOUI8pL8+DV4tOhHCi0StOFhr RfIeo7ejitkbDGaW2hwwFb0K9ZwCN4jQTyznQvhOfLNRTNMSCAPvWKnO/7jds+rniULT hlAHke1TNp41xfjNIJTVR5iNgtGARmDE/wnr7HkT4HSm0GgL2ERG8DdmpejDG5b6ald4 GhjMxekYXb9fHouoXmZ/QNvP3VTLMbMzKMEcxM7qpIZ2SV4cc0MPAlFnfWmZQfbVHbEd lG7BMtkciUd5Kp0MfwMe4XUwIA08xjpru+dMbKU3GIGZQLC5DdN135JYhXCTCCxQw+ke hJnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=kHoXd9wb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k9-v6si1164535plt.438.2018.04.03.12.31.10; Tue, 03 Apr 2018 12:31:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=kHoXd9wb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752240AbeDCTaC (ORCPT + 99 others); Tue, 3 Apr 2018 15:30:02 -0400 Received: from mail-io0-f195.google.com ([209.85.223.195]:44737 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751749AbeDCT37 (ORCPT ); Tue, 3 Apr 2018 15:29:59 -0400 Received: by mail-io0-f195.google.com with SMTP id d7so23359915ioc.11 for ; Tue, 03 Apr 2018 12:29:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BKK44XBCWuobLjb8DPS1uZcBZUHkFx0bcHOm0HCpoyw=; b=kHoXd9wbzwZ5jzkbaLhw3GyrpuSImu28lPriUymOyhkW4dRxJ7Oeqv6vo0X7gcJjsV 8tChyq5ZiVX8Br/hTRkIBqc6TF3rf6Tbiy3GLdpzpZ6Mi5SlwV0A5l12/QDGmxBfOrOA q7ynBqaxPheNN6S85VXw7ABsNt0sFQPchWdHJ8KJ9RlRFNjYPYFAEEVzFd9BzPXX53/0 sYWqFZLhKWasyrXyDbN/Xo7LywTkxwJ+Om0Y+pmDXSoXIYcIhyOGA1MTAXqxWBxlI7Mi HkEWesdPKnCXS4hFx2MpWAKy/owfcXb1WKElqT6m9r1Pz5wDE1okjLee38dKBbxwC6Wx qxoQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BKK44XBCWuobLjb8DPS1uZcBZUHkFx0bcHOm0HCpoyw=; b=bMk9ZOI1tU9AXTxFZe7qiGJ6ER7QsmjA3APfCBYkkPX4fXi1W1iVUZYai4b7t/fE7t wNeFQ6jmltXwx2Crrnn95DOWV2BrzUZDuBKhZv6aNJKYpfXzg1bn9feEPl4aRWkEv13u 5IieJXrpfcTvK04nKMnfRwdsIZHaI/bb7BU5qetqopkv+AVjCLGBsa029va9UoBOwRTs gt2RHDGAkwIOzq0SNd33wppx39/eb/6FBcAOJGpVRWiERcQfQD7YU2sklmkQpaBIInsr zHqplQpsp/uEEA0JOK1pLbjYrhk780PfMliYpzHmXAAtJZaNliPYplQm/slsIKGFT4Mu 2DoA== X-Gm-Message-State: ALQs6tA/IowVvl89rsBCbFNhirJIgZmyEOGatIYgDtH4TZ588ym1vXP2 /FBRXHGZ/R+NbDHXUUJJb+CrSvAuq9fz435a4Kf38w== X-Received: by 10.107.11.198 with SMTP id 67mr13306792iol.43.1522783798494; Tue, 03 Apr 2018 12:29:58 -0700 (PDT) MIME-Version: 1.0 References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> In-Reply-To: From: Matthew Garrett Date: Tue, 03 Apr 2018 19:29:47 +0000 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: luto@kernel.org Cc: David Howells , Ard Biesheuvel , jmorris@namei.org, Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 9:46 AM Andy Lutomirski wrote: > On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett wrote: > > A kernel that allows users arbitrary access to ring 0 is just an > > overfeatured bootloader. Why would you want secure boot in that case? > To get a chain of trust. I can provision a system with some public > keys, stored in UEFI authenticated variables, such that the system > will only boot a signed image. That signed image, can, in turn, load > a signed (or hashed or otherwise verfified) kernel and a verified > initramfs. The initramfs can run a full system from a verified (using > dm-verity or similar) filesystem, for example. Now it's very hard to > persistently attack this system. Chromium OS does something very much > like this, except that it doesn't use UEFI as far as I know. So does > iOS, and so do some Android versions. None of this requires lockdown, > or even a separation between usermode and kernelmode, to work > correctly. One could even do this on an MMU-less system if one really > cared to. More usefully, someone probably has done this using a > unikernel. That's only viable if you're the only person with the ability to sign stuff for your machine - the moment there are generic distributions that your machine trusts, an attacker can use one as a bootloader to compromise your trust chain. Since most UEFI secure boot systems have to trust generic distributions (if you don't trust the third party signing key then your GPU won't post), the ecosystem depends on it not being possible for people to use generic distributions as bootloaders.