Received: by 10.213.65.68 with SMTP id h4csp3958967imn;
        Tue, 3 Apr 2018 13:54:46 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49YwROhxgk5KAULYvnN0PAJcaiXa2QU0HSB4MkLyCOYMlivyA1oS8G8WkOn8Zyhwy8iJA54
X-Received: by 10.98.11.144 with SMTP id 16mr11699728pfl.228.1522788886636;
        Tue, 03 Apr 2018 13:54:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522788886; cv=none;
        d=google.com; s=arc-20160816;
        b=vkzj0w0MC4yQJw7A/epZmj/0SMpCDOx96JMbVEBOSk7wQKQJJ3AWUjfEJ1cC0yGasa
         JdBikCEiDYQ/Pyy6FxS1l5TiK/auljBhxfnWlBMJb3GpooekMJAZwBNdVkJswJIX+A7s
         rrLkTcMjaPilEa627qoeUHhefRYDaNwxurZ+vBFb/75DwfCZwbjEBnRkIfF8MpZZONU6
         IdEJbrTbPcQ3n8TTJn17qkqxXQJ+vHtMUofGJyiu0Knm4r0p9vDF8jIGIfjPDux9KmCR
         4oyIMpcGFvQnG8Kgxcw+nPiGwV2ArDs9rC9W76xl+efS+9Re9iP+V8Vovrdbz+xGEKkH
         dUHA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=uaR95jIC4fB4E1sHs75U58xS4ig5dErz4gP5xxri1gA=;
        b=Y57pXs9pyoUU0MCVviZrs1t8sFnwUfREMGf/vWYGMQoHfunb0SvvvMVszyMQNz1H5O
         q4Tx7wWeyRvEIkEOY7SJeVe4OM+LYuJqQc5FL2xgWPiQ8oW5SNt8nt2eZjJ3vII31uco
         /ek4S+Vz2cVaDAyaGx4bEX+Y114DNW8Ow5AZa01rXqmfAXK4V2YKIeWcD9LFpmTroV2n
         BN0AQmuPfdzMwmYcY+2NvPgIKfwR1jxGDLsjPb53qWUGIkXYfXOmaFLFwjDPPdSo4cXL
         Xp1qpKZzXsBdsJB31XKtww/a3ArI1KtZalgoxdJ+V2qU/bwF5H0VKmohsotWtvCcl2/1
         yfdA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=iIY1/HZJ;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=U+XFRM3p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i1-v6si3590596plt.265.2018.04.03.13.54.31;
        Tue, 03 Apr 2018 13:54:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=iIY1/HZJ;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=U+XFRM3p;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753207AbeDCUxK (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 16:53:10 -0400
Received: from mail-io0-f196.google.com ([209.85.223.196]:37633 "EHLO
        mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752495AbeDCUxH (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 16:53:07 -0400
Received: by mail-io0-f196.google.com with SMTP id y128so23654570iod.4;
        Tue, 03 Apr 2018 13:53:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=uaR95jIC4fB4E1sHs75U58xS4ig5dErz4gP5xxri1gA=;
        b=iIY1/HZJiHOKeP+kEaLOYz9LsbUBLtFDyspeOIoz6GyFAO6TyoMxZS6pCk7VJI1aAH
         z2R0l/IDXL3k32RrR98HqBkWE0p41vJCAIWMwnmMKzEIHpeB6kXQ9xinTWVtb9D90CNf
         Whcd7XXVZSQKBlztth+TwzRzGmzVKW0ugokAxHBeH7JjQ4HYgxGV8T/khA3UniHn/zWo
         XQzJbCZ3d+gPGhH2Qyx1uuWGI4/o/Y3gOfJe2KRWb64dg0mE8ukGTQjsWQ2PBiSLWq8h
         uaCuOofp1pUhB2YxVRd4JTSR40Qr1/c+8mG71XqgoHmUUP+O/Zw2wWNRWw5TBSMVJ2EH
         UUXw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=uaR95jIC4fB4E1sHs75U58xS4ig5dErz4gP5xxri1gA=;
        b=U+XFRM3pgOe0B53HEDClhGRvCOgol3I3a3iLzzaiQVyUrtT4YGQjzrxnfPZdG71Irc
         +QGilWjv/PMNEICSkx+ZhZZt5ZRIB9itvsqBuNjnL9xkNHKluT/ubLlsWjdiR59lm2Pw
         USdBZNb1QQBxlB/YzxuTK1/p2cFWf4SPodVPA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=uaR95jIC4fB4E1sHs75U58xS4ig5dErz4gP5xxri1gA=;
        b=ZcxsnE8mcyZPhWgEJXbeTgX6XZkhtMJjbauygGq+s9ynJHV737+0Si4PGVlvJiM9xq
         Vn4wp5b2zmfjJl5zy6wD2Dta9w1zHJurLHGn+47yeXibpYSQty2rXC6pA0qUhZVBU/0m
         SfNSXMIeJASkuZDA7MTMs7fPdiLkj2VSYpn/o1laex2VVCbNGHZ2vRcejaPEVvpD/fvf
         XTN6vLDwa3U+kHcDOvGBKV/6V0QNnZ1lF6CLEsBCbtc40DB5KStZ88OF9mAWISU88Q9M
         ukmDz49/PaPoxyN5j/lrev6a5toe1z3caKMLRcX6zbxlHxMIy1NrwZmjjJ0ZAAawHZz0
         QFCw==
X-Gm-Message-State: AElRT7GgNIWZHGDwDkuBKqpFk47JqUEy16FpLWcJZ3A93lMbfmZIxlK2
        Ip926EP1pqQPbvjO+XQTmSJUg2mBoqVaN+bsXZI=
X-Received: by 10.107.182.214 with SMTP id g205mr14862506iof.203.1522788786533;
 Tue, 03 Apr 2018 13:53:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 13:53:06 -0700 (PDT)
In-Reply-To: <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com> <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 13:53:06 -0700
X-Google-Sender-Auth: 438gIRbonk9XzwExN1seccqPHiw
Message-ID: <CA+55aFy5EPxAyqyGGaYUUyakuLbjXHiseWCkz-oNdo=Y-878tg@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett <mjg59@google.com> wrote:
> On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski <luto@kernel.org> wrote:
>> Can you explain that much more clearly?  I'm asking why booting via
>> UEFI Secure Boot should enable lockdown, and I don't see what this has
>> to do with kexec.  And "someone blacklist[ing] your key in the
>> bootloader" sounds like a political issue, not a technical issue.
>
> A kernel that allows users arbitrary access to ring 0 is just an
> overfeatured bootloader. Why would you want secure boot in that case?

.. maybe you don't *want* secure boot, but it's been pushed in your
face by people with an agenda?

Seriously.

                  Linus