From: Andy Lutomirski
Date: Tue, 3 Apr 2018 15:53:04 -0700
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: Matthew Garrett
Cc: Linus Torvalds, Andrew Lutomirski, David Howells, Ard Biesheuvel, James Morris, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 3:51 PM, Matthew Garrett wrote:
> On Tue, Apr 3, 2018 at 3:46 PM Linus Torvalds wrote:
>
>> For example, I love signed kernel modules. The fact that I love them
>> has absolutely zero to do with secure boot, though. There is
>> absolutely no linkage between the two issues: I use (self-)signed
>> kernel modules simply because I think it's a good thing in general.
>
>> The same thing is true of some lockdown patch. Maybe it's a good thing
>> in general. But whether it's a good thing is _entirely_ independent of
>> any secure boot issue. I can see using secure boot without it, but I
>> can very much also see using lockdown without secure boot.
>
>> The two things are simply entirely orthogonal. They have _zero_
>> overlap. I'm not seeing why they'd be linked at all in any way.
>
> Lockdown is clearly useful without Secure Boot (and I intend to deploy it
> that way for various things), but I still don't understand why you feel
> that the common case of booting a kernel from a boot chain that's widely
> trusted derives no benefit from it being harder to subvert that kernel into
> subverting that boot chain. For cases where you're self-signing and feel
> happy about that, you just set CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT to n and
> everyone's happy?

I would like to see distros that want Secure Boot to annoy users by enabling Lockdown be honest about the fact that it's an annoyance and adds very little value by having to carry a patch that was rejected by the upstream kernel.

-Andy