Received: by 10.213.65.68 with SMTP id h4csp96645imn;
        Tue, 3 Apr 2018 16:19:09 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48htTyMKfSuJxTlOs3KMaPzKmWDJx0pQqeAx2UXKwmrLH19Yxo8rB7VXdLZZBZ2RRfIFpj7
X-Received: by 10.99.113.85 with SMTP id b21mr10311520pgn.415.1522797549836;
        Tue, 03 Apr 2018 16:19:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522797549; cv=none;
        d=google.com; s=arc-20160816;
        b=P4Cbw6oylZQw6qhh8LfxYc2erlWGfgiDdE0b2ycF0z80VehKXRUsLEppMDdJAVjBQR
         XsTxDLyMz3UHTEW63BPE74pQrSF42oPjT7XPgispPxQtYyFQlZgNrwZ1oSiiEEC/KTel
         wZzU8/QCTiiUS9BpA/CcxmI/8066js0+afj0rsc0161OrvoVR7YWE5JePs4W8e01kmlw
         vFMz9DVbO4rIOfwMRgbCakdFJ9kEbWr3vBIwZ9mK90N3dmutI7AJu+AB3dJEWIbpcLE5
         Imr1th8ZePtuGE2PbsOaAOmSt7HTho9grYYJl1phzZeRsCKvh2cwopf0lz4LCWP4CimA
         2a+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=;
        b=R1GbRAtTFjDOTY/o9i/p9JIX8+nfUb9YCBNVAgDpdxiFvANAY9j9oIEIwt5wtAhdKb
         TzMtCQZmNxoHJvYGiaUJoLLpnS2i46mIuwfIcUyAS+ftn79pbJIyqOPWR2iljk0lXknK
         0HpjfdGSQL+2cvrxBlhW8cEDsbVhcf0/VPS2Lwm5CjtlNCk6gNNWDJ2WK2aks5XkA0wq
         a3rppxYojF+5i9YNdNsf5o9eneAFWVT1uGm+qg8eKjy3xXN54qbwZnm8aAXlwm6TC5qo
         2wP0DBSFHF167cov9S+3efiOAd30KYjv8IsHJSD9/CSWR3nCpaUNzoNWNInWnvz7sxX0
         pwIw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ABistlYv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l61-v6si1718565plb.568.2018.04.03.16.18.55;
        Tue, 03 Apr 2018 16:19:09 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ABistlYv;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755543AbeDCXRn (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:17:43 -0400
Received: from mail-io0-f195.google.com ([209.85.223.195]:41955 "EHLO
        mail-io0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753592AbeDCXRl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:17:41 -0400
Received: by mail-io0-f195.google.com with SMTP id m83so24021976ioi.8
        for <linux-kernel@vger.kernel.org>; Tue, 03 Apr 2018 16:17:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=;
        b=ABistlYvmiuADN3Y4ZK6SW+Qumd0JkirrVCnJH71422J8O22CEPBPfxeA72aWLbUq6
         pqrEn9MJ0p7HDQa2gVYhq9j/sp1wRYORIZLbnoYpWp31lrzyBZ0uyDKcvc9yC49pzBhn
         msUvQhYnYKyNnXvzTQONcRrOwhLfS3bRanU3RpQ67mrKKou69ihj5OOlXVgbXU4mP/yh
         nO/Ko5S1A/v6CxWLIU0ONCsfH0TAD2eKLITz+A5IwxNWMGwN5DIqA8ETVWT80VYi2v2f
         yw/ZDOqtDC5PE8qqU2jC42a6K/Uc8Xk/SBTFdV2HZhARmfy4iFupEKI6eJQMg5gSrphK
         1Gtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=NCmGzsvL6/aGFpMTDzlo9itRmN8EABWULdG4VGXqR2w=;
        b=tN+/mTQfNvLvNjG4wBXhlECu68XjCR2ECBSgtxV+eyRa7T9y/2rixnj3Ecqjc5S5dm
         o9E7DDt4WAaNXTpz8Ya0xT9sHUqRSnO3dCVmqNpgpcsxFJErII2t/u2yAaYA3rBuvNPA
         mC8JagqbgCqIyhLv7WKJJHhclEWwL3FrAOV3RlMbSSPox6i9/tdvlui4IbU9NAcU5vNa
         zYhY9zRTmzzgxCpkKQp5gOpSeHIzA02YshsqL4dQvCF12++BwE6xyiQwdAOo6o9djtld
         bpw6yAI/6jkvUDW2Vq1F6XydoTWlGl9U5ZrAz8Z6onA1tr7WmSs2kBffGEuMzCLL0ZK7
         N9iA==
X-Gm-Message-State: ALQs6tCtIIQI3XdBrppwam/Y0EO179xK99m1BKs3ETj9nPbZZKJeyj3d
        EBiCf10kSEnBJ51awK7+Oe7c8qIdwsKB+DiyJo9grw==
X-Received: by 10.107.8.32 with SMTP id 32mr13516562ioi.136.1522797459759;
 Tue, 03 Apr 2018 16:17:39 -0700 (PDT)
MIME-Version: 1.0
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com> <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
In-Reply-To: <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Tue, 03 Apr 2018 23:17:29 +0000
Message-ID: <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     luto@kernel.org, David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>, jmorris@namei.org,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-api@vger.kernel.org, Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:08 PM Linus Torvalds
<torvalds@linux-foundation.org>
wrote:

> That's not the right approach to begin with, Matthew.  The onus is on
> *you* to explain why you tied them together, not on others to explain
> to you - over and over - that they have nothing to do with each other.

1) Secure Boot is intended to permit the construction of a boot chain that
only runs ring 0 code that the user considers trustworthy
2) Allowing arbitrary user code to run in ring 0 without affirmative
consent on the part of the user is therefore incompatible with the goals of
Secure Boot
3) This patchset provides a mechanism to alter the behaviour of the kernel
such that it is significantly more difficult for arbitrary user code to run
in ring 0 without affirmative user consent
4) Providing a mechanism for automatically enabling this behaviour when
running in a context that is intended to restrict access to ring 0 is a
rational thing to do, because otherwise it is difficult to achieve the
objective in (1)

Alternative approaches to achieve (1) rely on severely constraining
userland - ChromeOS, for instance, doesn't impose these restrictions at
present but also doesn't allow users to run arbitrary applications (you're
stuck inside either the Chrome or Android sandbox). So, if the goal is to
achieve (1) when the platform is in this state, what's a more reasonable
alternative?