Received: by 10.213.65.68 with SMTP id h4csp96645imn; Tue, 3 Apr 2018 16:19:09 -0700 (PDT) X-Google-Smtp-Source: AIpwx48htTyMKfSuJxTlOs3KMaPzKmWDJx0pQqeAx2UXKwmrLH19Yxo8rB7VXdLZZBZ2RRfIFpj7 X-Received: by 10.99.113.85 with SMTP id b21mr10311520pgn.415.1522797549836; Tue, 03 Apr 2018 16:19:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522797549; cv=none; d=google.com; s=arc-20160816; b=P4Cbw6oylZQw6qhh8LfxYc2erlWGfgiDdE0b2ycF0z80VehKXRUsLEppMDdJAVjBQR XsTxDLyMz3UHTEW63BPE74pQrSF42oPjT7XPgispPxQtYyFQlZgNrwZ1oSiiEEC/KTel wZzU8/QCTiiUS9BpA/CcxmI/8066js0+afj0rsc0161OrvoVR7YWE5JePs4W8e01kmlw vFMz9DVbO4rIOfwMRgbCakdFJ9kEbWr3vBIwZ9mK90N3dmutI7AJu+AB3dJEWIbpcLE5 Imr1th8ZePtuGE2PbsOaAOmSt7HTho9grYYJl1phzZeRsCKvh2cwopf0lz4LCWP4CimA 2a+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=; b=R1GbRAtTFjDOTY/o9i/p9JIX8+nfUb9YCBNVAgDpdxiFvANAY9j9oIEIwt5wtAhdKb TzMtCQZmNxoHJvYGiaUJoLLpnS2i46mIuwfIcUyAS+ftn79pbJIyqOPWR2iljk0lXknK 0HpjfdGSQL+2cvrxBlhW8cEDsbVhcf0/VPS2Lwm5CjtlNCk6gNNWDJ2WK2aks5XkA0wq a3rppxYojF+5i9YNdNsf5o9eneAFWVT1uGm+qg8eKjy3xXN54qbwZnm8aAXlwm6TC5qo 2wP0DBSFHF167cov9S+3efiOAd30KYjv8IsHJSD9/CSWR3nCpaUNzoNWNInWnvz7sxX0 pwIw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ABistlYv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l61-v6si1718565plb.568.2018.04.03.16.18.55; Tue, 03 Apr 2018 16:19:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=ABistlYv; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755543AbeDCXRn (ORCPT + 99 others); Tue, 3 Apr 2018 19:17:43 -0400 Received: from mail-io0-f195.google.com ([209.85.223.195]:41955 "EHLO mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753592AbeDCXRl (ORCPT ); Tue, 3 Apr 2018 19:17:41 -0400 Received: by mail-io0-f195.google.com with SMTP id m83so24021976ioi.8 for ; Tue, 03 Apr 2018 16:17:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=; b=ABistlYvmiuADN3Y4ZK6SW+Qumd0JkirrVCnJH71422J8O22CEPBPfxeA72aWLbUq6 pqrEn9MJ0p7HDQa2gVYhq9j/sp1wRYORIZLbnoYpWp31lrzyBZ0uyDKcvc9yC49pzBhn msUvQhYnYKyNnXvzTQONcRrOwhLfS3bRanU3RpQ67mrKKou69ihj5OOlXVgbXU4mP/yh nO/Ko5S1A/v6CxWLIU0ONCsfH0TAD2eKLITz+A5IwxNWMGwN5DIqA8ETVWT80VYi2v2f yw/ZDOqtDC5PE8qqU2jC42a6K/Uc8Xk/SBTFdV2HZhARmfy4iFupEKI6eJQMg5gSrphK 1Gtw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=; b=tN+/mTQfNvLvNjG4wBXhlECu68XjCR2ECBSgtxV+eyRa7T9y/2rixnj3Ecqjc5S5dm o9E7DDt4WAaNXTpz8Ya0xT9sHUqRSnO3dCVmqNpgpcsxFJErII2t/u2yAaYA3rBuvNPA mC8JagqbgCqIyhLv7WKJJHhclEWwL3FrAOV3RlMbSSPox6i9/tdvlui4IbU9NAcU5vNa zYhY9zRTmzzgxCpkKQp5gOpSeHIzA02YshsqL4dQvCF12++BwE6xyiQwdAOo6o9djtld bpw6yAI/6jkvUDW2Vq1F6XydoTWlGl9U5ZrAz8Z6onA1tr7WmSs2kBffGEuMzCLL0ZK7 N9iA== X-Gm-Message-State: ALQs6tCtIIQI3XdBrppwam/Y0EO179xK99m1BKs3ETj9nPbZZKJeyj3d EBiCf10kSEnBJ51awK7+Oe7c8qIdwsKB+DiyJo9grw== X-Received: by 10.107.8.32 with SMTP id 32mr13516562ioi.136.1522797459759; Tue, 03 Apr 2018 16:17:39 -0700 (PDT) MIME-Version: 1.0 References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> In-Reply-To: From: Matthew Garrett Date: Tue, 03 Apr 2018 23:17:29 +0000 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Linus Torvalds Cc: luto@kernel.org, David Howells , Ard Biesheuvel , jmorris@namei.org, Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 4:08 PM Linus Torvalds wrote: > That's not the right approach to begin with, Matthew. The onus is on > *you* to explain why you tied them together, not on others to explain > to you - over and over - that they have nothing to do with each other. 1) Secure Boot is intended to permit the construction of a boot chain that only runs ring 0 code that the user considers trustworthy 2) Allowing arbitrary user code to run in ring 0 without affirmative consent on the part of the user is therefore incompatible with the goals of Secure Boot 3) This patchset provides a mechanism to alter the behaviour of the kernel such that it is significantly more difficult for arbitrary user code to run in ring 0 without affirmative user consent 4) Providing a mechanism for automatically enabling this behaviour when running in a context that is intended to restrict access to ring 0 is a rational thing to do, because otherwise it is difficult to achieve the objective in (1) Alternative approaches to achieve (1) rely on severely constraining userland - ChromeOS, for instance, doesn't impose these restrictions at present but also doesn't allow users to run arbitrary applications (you're stuck inside either the Chrome or Android sandbox). So, if the goal is to achieve (1) when the platform is in this state, what's a more reasonable alternative?