Received: by 10.213.65.68 with SMTP id h4csp35777imn; Tue, 3 Apr 2018 14:59:46 -0700 (PDT) X-Google-Smtp-Source: AIpwx49RoJfKb7CbGDSr9jdXyfGt4pluTI60O/squG4U+gALD+JKWpTCFMDrlPmolv6Z1RTTYDO6 X-Received: by 2002:a17:902:3181:: with SMTP id x1-v6mr16195542plb.338.1522792785997; Tue, 03 Apr 2018 14:59:45 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522792785; cv=none; d=google.com; s=arc-20160816; b=zXP+YwuWcngfjk7O/Zw5PuFsdQteWoQw5hy59sLyoYzHsksdnXM+I0ARtT4vXdNGY1 40hGxJ2xUyNyot1pyoNgNjSjKxdFqzelq8DHSWIdEXPIujBcR/FU4XoJ4K3jjXO5qUkd dGoWY3o3QKCK0GfdFxe8N141m21Dvs7SmBf5s9JoBtIBxcuY4H1uQ5brhUv+Jz3ZxtIz tM8bSPUQPFJcgAY+1p2GChLjzBpShS89P5X5hqhcI687S5Ot6CBIUkIjtPBVDyfTyevr miiu8KFSjO/Tw6OpOF3P1ogkrAc7Phw1qnL7kY/AnIjLVTdnLnvEY8qphjONJVmZBXNO OR8A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:references:in-reply-to:mime-version :dmarc-filter:arc-authentication-results; bh=aLadqJLZU3rTU3umF+AjltT+TTb0pOHFd4pIYrKCIgo=; b=avgbZNEBaoQd7/sf51Wrf3pMSW/1+vkf/B361tJj2Yk2gnpEPcyE8Ywbr0BZbeAs7z ordvDnGWYiPp5V3tc+mnNrdP0TNQyjwSdHycwj2c54Pzujs8zZbR2LsOfKER0xndNEOE t54uCQ7Ur1NRgAiX+gKJnCt+7AlcvFY0IiRWWK7eAeEqFq03aS8kuGrAJHL+7TVExwUj /YoXMDsOuotqFsPmMSsmwJpHwRG9V0Dy0mSuvEZU1WYrHIxJFiR8FQtp6fPQLzGTdCMl 4e3Rmd7v5oAllORPn/c3TtC2u1hzCz8d937B4JYVpBCWkTpYZqBZBGP+obnxOne91tuE K8oA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u24si1051051pfh.326.2018.04.03.14.59.32; Tue, 03 Apr 2018 14:59:45 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753918AbeDCV6Z convert rfc822-to-8bit (ORCPT + 99 others); Tue, 3 Apr 2018 17:58:25 -0400 Received: from mail.kernel.org ([198.145.29.99]:48674 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753843AbeDCV6W (ORCPT ); Tue, 3 Apr 2018 17:58:22 -0400 Received: from mail-io0-f179.google.com (mail-io0-f179.google.com [209.85.223.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 32895217CE for ; Tue, 3 Apr 2018 21:58:22 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 32895217CE Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f179.google.com with SMTP id d7so23828032ioc.11 for ; Tue, 03 Apr 2018 14:58:22 -0700 (PDT) X-Gm-Message-State: AElRT7HCL+OFfSDNTrKvp+gwsBdE36MkbmiID9P4qjDaE+nugp0XYDCY UmXjlWg94Kp+uXW0X9uFDyWrs75VbaljUMOE+JpBkA== X-Received: by 10.107.89.10 with SMTP id n10mr13957364iob.67.1522792701598; Tue, 03 Apr 2018 14:58:21 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Tue, 3 Apr 2018 14:58:01 -0700 (PDT) In-Reply-To: <13189.1522784944@warthog.procyon.org.uk> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> From: Andy Lutomirski Date: Tue, 3 Apr 2018 14:58:01 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: David Howells Cc: Andy Lutomirski , Matthew Garrett , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 12:49 PM, David Howells wrote: > Andy Lutomirski wrote: > >> >>> A kernel that allows users arbitrary access to ring 0 is just an >> >>> overfeatured bootloader. Why would you want secure boot in that case? >> >> >> >> To get a chain of trust. >> > >> > You don't have a chain of trust that you can trust in that case. >> > >> Please elaborate on why I can’t trust it. > > If the user can arbitrarily modify the running kernel image, you cannot trust > anything. You cannot determine the trustworthiness of something because your > basis for determining that trust can be compromised. I'm having a very, very hard time coming up with a scenario where I can "trust" something if an attacker can get root but can't modify the running kernel image but I can't "trust" something if the attacker can't. About the only think I can come up with is that root generally has a hard time directly reading kernel keyring data. But if we really think that kernel keyring data is so sacred, let's please solve it properly using SGX or some hypervisor doodad like Microsoft's Credential Guard. Protecting the keyring with lockdown is a whole lot of annoyance without all that much gain. > >> Please also elaborate on how lockdown helps at all. > > Stopping the kernel from being arbitrarily modified allows you to preserve > your trust. If I build a voting machine, an ATM, or a server that runs Panera Bread's website, I can certainly issue a press release that says "hey, the bad guy just downloaded tens of millions of customer records, but they didn't actually get to run CPL0 code, so all is well." > > Stopping the kernel from being arbitrarily read stops any encryption keys it > may be using from being retrieved. If I build a server that runs Panera Bread 2.0's website, and the attacker exploits my machine to steal tens of millions of customer records by getting the machine to talk to some database server using keys that are securely stored in the kernel keyring, I would feel sooooooo much better knowing that the attacker didn't also manage to extract the key that lets the machine talk to the database server. Never mind that the attacker already stole the entire contents of the database.