From: Matthew Garrett
Date: Tue, 03 Apr 2018 21:08:54 +0000
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: Linus Torvalds
Cc: luto@kernel.org, David Howells, Ard Biesheuvel, jmorris@namei.org, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 2:01 PM Linus Torvalds wrote:
> On Tue, Apr 3, 2018 at 1:54 PM, Matthew Garrett wrote:
> >
> >> .. maybe you don't *want* secure boot, but it's been pushed in your
> >> face by people with an agenda?
> >
> > Then turn it off, or build a self-signed kernel that doesn't do this?
>
> Umm. So you asked a question, and then when you got an answer you said
> "don't do that then".
>
> The fact is, some hardware pushes secure boot pretty hard. That has
> *nothing* to do with some "lockdown" mode.

Secure Boot ensures that the firmware will only load signed bootloaders. If a signed bootloader loads a kernel that's effectively an unsigned bootloader, there's no point in using Secure Boot - you should just turn it off instead, because it's not giving you any meaningful security. Andy's example gives a scenario where by constraining your *userland* sufficiently you can get close to having the same guarantees, but that involves you having a read-only filesystem and takes you even further away from having a general purpose computer.

If you don't want Secure Boot, turn it off. If you want Secure Boot, use a kernel that behaves in a way that actually increases your security.
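As an added check that is not part of the thread above: the script below reads the SecureBoot and SetupMode variables exposed through efivarfs to report whether the firmware is actually enforcing signature checks on the bootloader (the first link in the chain Matthew describes). It assumes the standard efivarfs layout (a 4-byte attribute header before the variable data) and the EFI global variable GUID; `sb_state` takes the efivars directory as a parameter so it can be pointed at a constructed copy for testing.

```shell
#!/bin/sh
# Added example, not code from the thread: report the UEFI Secure Boot state
# by parsing the SecureBoot and SetupMode variables from efivarfs.
# Assumed layout: each efivarfs file is 4 bytes of attributes followed by the
# variable data; both variables here carry a single data byte (0 or 1).

EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte FILE -> prints the first data byte (after the 4-byte header) in decimal
efivar_byte() {
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# sb_state DIR -> prints one of: enforcing, setup-mode, disabled, unsupported
# "enforcing" means SecureBoot=1 and SetupMode=0: the firmware will only hand
# off to bootloaders signed by a key in db. In setup mode the key database is
# writable and nothing is enforced, so it is reported before the SecureBoot bit.
sb_state() {
    dir="$1"
    sb="$dir/SecureBoot-$EFI_GLOBAL_GUID"
    sm="$dir/SetupMode-$EFI_GLOBAL_GUID"
    # No SecureBoot variable at all: legacy BIOS boot or firmware without support.
    [ -r "$sb" ] || { echo unsupported; return 0; }
    sb_val=$(efivar_byte "$sb")
    sm_val=0
    [ -r "$sm" ] && sm_val=$(efivar_byte "$sm")
    if [ "$sm_val" = "1" ]; then
        echo setup-mode
    elif [ "$sb_val" = "1" ]; then
        echo enforcing
    else
        echo disabled
    fi
}

# Report the state of the machine this runs on.
echo "Secure Boot: $(sb_state "$EFIVARS_DIR")"
```

A kernel signature check done by the bootloader only matters when this reports `enforcing`; in any other state the bootloader itself was never verified.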