From: David Howells
To: Andy Lutomirski
Cc: dhowells@redhat.com, Matthew Garrett, Ard Biesheuvel, James Morris, Alan Cox, Linus Torvalds, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Date: Tue, 03 Apr 2018 20:49:04 +0100
Message-ID: <13189.1522784944@warthog.procyon.org.uk>
References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

Andy Lutomirski wrote:

> >>> A kernel that allows users arbitrary access to ring 0 is just an
> >>> overfeatured bootloader. Why would you want secure boot in that case?
> >>
> >> To get a chain of trust.
> >
> > You don't have a chain of trust that you can trust in that case.
>
> Please elaborate on why I can’t trust it.

If the user can arbitrarily modify the running kernel image, you cannot
trust anything.  You cannot determine the trustworthiness of something
because your basis for determining that trust can be compromised.

> Please also elaborate on how lockdown helps at all.

Stopping the kernel from being arbitrarily modified allows you to preserve
your trust.  Stopping the kernel from being arbitrarily read stops any
encryption keys it may be using from being retrieved.

And, if you can't guarantee the trustworthiness of your own image, you can't
pass the trust onto the next image that you kexec.

Now, I can't guarantee that my patches close every hole, they just close all
the holes I know about - including some obscure ones like using DMA-capable
ISA devices to hack/access the kernel image.

David
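The two properties David separates above, the kernel "cannot be arbitrarily modified" and "cannot be arbitrarily read", are what the mainline lockdown LSM later called the integrity and confidentiality modes. The script below is an added example, not code from this thread or from the patch set under discussion: it assumes the interface mainline kernels (5.4 and later) expose at /sys/kernel/security/lockdown, which reads as `none [integrity] confidentiality` with the active mode in brackets, parses it, maps the mode to the two properties, and (when run as root with `--probe`) checks two representative surfaces: open() on /dev/mem, which lockdown refuses in integrity mode and above because it allows writing kernel memory, and open() on /proc/kcore, refused in confidentiality mode because it exposes kernel memory for reading. The sysfs path, the mode names and the per-surface behaviour are stated from the mainline implementation, not from the 2018 patches in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or the lockdown patch set.
# Assumes the mainline (Linux 5.4+) lockdown interface:
#   /sys/kernel/security/lockdown  ->  "none [integrity] confidentiality"
# with the active mode in brackets.  "integrity" is the "cannot be
# arbitrarily modified" property; "confidentiality" adds "cannot be
# arbitrarily read".

# Extract the active (bracketed) mode from the file contents passed in $1.
# Prints "unknown" if nothing is bracketed.
lockdown_mode_from_string() {
    mode=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p' | head -n 1)
    [ -n "$mode" ] || mode=unknown
    printf '%s\n' "$mode"
}

# Does mode $1 close the hole $2 ("modify" or "read")?
# Returns 0 if closed, 1 if open, 2 for an unknown property name.
lockdown_closes() {
    case "$2" in
        modify) [ "$1" = integrity ] || [ "$1" = confidentiality ] ;;
        read)   [ "$1" = confidentiality ] ;;
        *)      return 2 ;;
    esac
}

# Read the live mode; "unknown" if securityfs is not mounted at
# /sys/kernel/security or the kernel has no lockdown support.
lockdown_mode() {
    f=/sys/kernel/security/lockdown
    if [ -r "$f" ]; then
        lockdown_mode_from_string "$(cat "$f")"
    else
        echo unknown
    fi
}

# Try to open $1 for reading without transferring data (dd with count=0
# still performs the open()).  Prints "open" or "blocked".  Only meaningful
# as root: an ordinary user is refused on file permissions, not by lockdown.
probe_open() {
    if dd if="$1" bs=1 count=0 2>/dev/null; then
        echo "$1: open"
    else
        echo "$1: blocked"
    fi
}

# Report the mode, what each mode is expected to close, and what the running
# kernel actually does for /dev/mem (integrity) and /proc/kcore (confidentiality).
probe_all() {
    m=$(lockdown_mode)
    echo "lockdown mode: $m"
    for hole in modify read; do
        if lockdown_closes "$m" "$hole"; then
            echo "expected: arbitrary $hole of kernel memory blocked"
        else
            echo "expected: arbitrary $hole of kernel memory NOT blocked"
        fi
    done
    probe_open /dev/mem
    probe_open /proc/kcore
}

# Only touch the live system when asked; the parsing and mapping functions
# above can be used without root.
if [ "${1-}" = --probe ]; then
    probe_all
fi
```

Run as `sudo sh lockdown-check.sh --probe` (assumed file name). A kernel booted under Secure Boot with lockdown in integrity mode should report /dev/mem blocked but /proc/kcore open, which matches the thread's distinction: the kernel image is protected against modification but not against being read, so confidentiality mode is what the "encryption keys ... retrieved" concern actually requires.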