Received: by 10.213.65.68 with SMTP id h4csp102341imn; Tue, 3 Apr 2018 16:27:34 -0700 (PDT) X-Google-Smtp-Source: AIpwx497nMyJwAJRnumHRSWtmolXMZgIuWtLlDaUzqMqjUtxIWm96F9nmVSZl0PB8i3pbdoKoqPE X-Received: by 10.99.128.67 with SMTP id j64mr10127749pgd.55.1522798054689; Tue, 03 Apr 2018 16:27:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522798054; cv=none; d=google.com; s=arc-20160816; b=gzVH0Wx302x+GYknuLr+rAUsrAUU/xcGI/DZV48F6K1/s+EPcKvfDA6cjXxQF/Oubs V4QP/pfhKjoBk2KkWJTuBh4Lwiv9owYKryZVcCrYz7LqXW0sYoruL55N86wAzAT3J35V +QXt1x0O0+G2RFWXE3eD/npVGzhxtfSFn0eBKgwvsAK7yekEpIRe6phpZuAZu/KsFtDf nk/K5L2A/WvlU5iOL2lAToW1/vrsfmbFtpyYdSG5S8M0YI2QqMPed5eMO3qWjQXs+Omk zZ4VxZqox9d1SMxAopb78WtXwNnhr+o5mnub++epZ5ZMjIzyDjVCbEA8xasAER8rXHKX OVuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=lP6le2Ozz8iGANVSxevOrOz6wyHnUmpNsMkmevNfTqA=; b=w6xFe83XFvFbxgCi7f6PKtq4lrLUp4dnFJwqyO4JNubG2er9R/ZnEp5mKPKM1UsxHm 94M8IhW5hog5REWXnuvQmwiYOehHOkZlPdB/4l6uavHGKzDHediy7hCWckXM4oDbPBFP MlNDwtKHaSR9hkF+eBhShZonauwXw40B8rwFnBnXwu02IH9jiQ3twW2fVaU/K6iJdwBZ kHxaRbbOrY5VOWUGc3gva7tC5rk7WMrITZR7drDFIYbjBafHTjZttgmooNU7v4rQHOCN MrYzchAk1AZjNKAdKkLucPXMJBhCD4p6uNrZ/Vjd5SQ3PU6vWPFqgeCkFvt5EjbfOpdg HL/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 11-v6si1673317plb.658.2018.04.03.16.27.20; Tue, 03 Apr 2018 16:27:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755937AbeDCWji (ORCPT + 99 others); Tue, 3 Apr 2018 18:39:38 -0400 Received: from mail.kernel.org ([198.145.29.99]:51042 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754916AbeDCWjf (ORCPT ); Tue, 3 Apr 2018 18:39:35 -0400 Received: from mail-it0-f51.google.com (mail-it0-f51.google.com [209.85.214.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2095621836 for ; Tue, 3 Apr 2018 22:39:35 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 2095621836 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-it0-f51.google.com with SMTP id b5-v6so14676376itj.1 for ; Tue, 03 Apr 2018 15:39:35 -0700 (PDT) X-Gm-Message-State: ALQs6tBWUC0SHKARBhpIqXBS9o1GM6MEEVq38znP+NSVmS17Ij1I7iKP VLV8KcJJd7++PJ7oZUkPV9ZfAY6e+HqcHBxfQd7H3w== X-Received: by 2002:a24:c2c7:: with SMTP id i190-v6mr3196330itg.146.1522795174476; Tue, 03 Apr 2018 15:39:34 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Tue, 3 Apr 2018 15:39:14 -0700 (PDT) In-Reply-To: <9349.1522794769@warthog.procyon.org.uk> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> From: Andy Lutomirski Date: Tue, 3 Apr 2018 15:39:14 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: David Howells Cc: Andy Lutomirski , Matthew Garrett , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 3:32 PM, David Howells wrote: > Andy Lutomirski wrote: > >> > If the user can arbitrarily modify the running kernel image, you cannot >> > trust anything. You cannot determine the trustworthiness of something >> > because your basis for determining that trust can be compromised. >> >> I'm having a very, very hard time coming up with a scenario where I >> can "trust" something if an attacker can get root but can't modify the >> running kernel image but I can't "trust" something if the attacker >> can't. > > Eh? If the attacker can't what? Did you mean to put "can" at the end of that > rather than "can't"? I don't see why the kernel-level trust would be > compromised if an attacker can't get root and can't modify the running kernel > image. Whoops, yes. > > Here's a simple scenario: You boot your machine. You have module verification > keys in your kernel. You have /dev/mem available for root to read/write. A > program running as root can modify the keys in your kernel or just disable the > checking code entirely. It can now insmod any module it likes. You may as > well not bother with signed modules. In fact, it can modify the running > kernel image in any way it likes, without even having to load modules. I don't particularly disagree with any of this, but you seem to be saying "if you've bought into the party line wrt signed modules, you had better enable lockdown, too". I *don't* buy into the party line about why signed modules should be needed for Secure Boot. > There's no point bothering with UID/GID checking either. Give me a break. There's a *huge* difference between a system where only root can load unsigned modules and a system where anyone can load unsigned modules. > >> > Stopping the kernel from being arbitrarily read stops any encryption keys it >> > may be using from being retrieved. >> >> If I build a server that runs Panera Bread 2.0's website, and the >> attacker exploits my machine to steal tens of millions of customer >> records by getting the machine to talk to some database server using >> keys that are securely stored in the kernel keyring, ... > > I was thinking more in terms of preventing access to the encrypted data on > your own disk. The key for that could be unlocked using a TPM, but the > session key then has to be retained in RAM for performance reasons unless you > can transfer the session key to, say, your SATA controller without it going > through the CPU. > > However, if /dev/mem can be read, any root process can extract the session key > for your disk. Any root process can read /dev/mapper/plaintext_disk, lockdown or otherwise. > > But, as you suggest, they could also protect secrets used in communications. > However, the communications themselves have to be exposed to userspace for > userspace to be able to use them. That is unavoidable. The kernel keyring, > for example, tries to restrict who can even see a key, much less use it as > much as possible - but ptrace() exists... You are no less vulnerable if the > key is held in a userspace process; then the attacker can get the key and the > data. > > If the kernel is locked down, the aim is to try and make sure that keys > stashed in the kernel cannot be read, though they have to be able to be used, > or there's no point to them. Sure. I have no problem with having an upstream kernel have a lockdown feature, although I think that feature should distinguish between reads and writes. But I don't think the upstream kernel should apply a patch that ties any of this to Secure Boot without a genuine technical reason why it makes sense.