Received: by 10.213.65.68 with SMTP id h4csp105009imn;
        Tue, 3 Apr 2018 16:31:19 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48qeb5zRngXhWNmI7AYEg5C87N1E2fOZAJJx4FJcnt/w7h3IJEEpvht6Q1JRuIIIBlMpfyN
X-Received: by 10.99.121.131 with SMTP id u125mr10618915pgc.48.1522798279335;
        Tue, 03 Apr 2018 16:31:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522798279; cv=none;
        d=google.com; s=arc-20160816;
        b=YlWRdQ4i0gzOI0XvFYGALu0cal69YKRbc41KTt3IGSa0whGwMYJzetXBmKI538e8Cx
         LuBIo2v8EGyDDwjMM/IrnjLH+2pRAwfb5Sa+bZ4Nzbe1eijkZ1grAybgMXxQLse8HSat
         MpTxmgUEs8K21uboq+uXgUGS7239BAc8RvugW49VytuEyPjL9zjr09q2p3MzDgm/boK8
         Dm4oyyLMeLQbHYfEjrKX3+INY70LTh3MET08+FB5FkLwKYTbRRJ6fptXjUS4Mpgv6e4d
         hGNfCRWQwubqHlGFBpCAj8e9t1Ww7gx12r0oTMkYTZPtfhbAuyQ5EOG+AVuKnPyAIfJL
         s+RA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=KW5f6PALwdxZFGGhaNM6VSM5Z0UDpPXV1+zdTonPb8M=;
        b=TLl8D6NvQXDaPRORDpkwmKCPFTOu8FP3dxia+g+VohiQPd+75aw4BjzQoFBrry2k6A
         6l28LBZjcimqInqSGO+G0Vhyq6l/Q7jWQNoZxJOKSFpwRUTaO4cSieW1esIfqJvi4Mns
         Y8SQFVxD4HXveUIL9S0Q9CpefqXi0GXRpS51YY4mdxzwN3p/Q26JA0bzpOHzBz5kZQ/O
         3n4voOYLzljA0h5OWfi8FVLCoy9A6UhVZ4Sl+65iFIQ3xaYyZjDk76QRZtjNXSv0UasG
         ripwy1tBZ+3hB+Nd3YKI/U4Tq+fiQ7o83re21xkaKMeGCK8yZD3mKKI5LTyg11Wka+7x
         HlEw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=hrFNTr9I;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=ETX4cR7K;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f34-v6si1713150plf.362.2018.04.03.16.31.05;
        Tue, 03 Apr 2018 16:31:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=hrFNTr9I;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=ETX4cR7K;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755898AbeDCXIs (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:08:48 -0400
Received: from mail-io0-f181.google.com ([209.85.223.181]:36467 "EHLO
        mail-io0-f181.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755805AbeDCXIp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:08:45 -0400
Received: by mail-io0-f181.google.com with SMTP id o4so24030350iod.3;
        Tue, 03 Apr 2018 16:08:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=KW5f6PALwdxZFGGhaNM6VSM5Z0UDpPXV1+zdTonPb8M=;
        b=hrFNTr9IF4NVBnY5MIB+oYoXVWP6HZaCM2LVVB01L6oLUfNR3qnAx0deYHAOuKaxpl
         7dY7/Nukcwq1Oe5IEABMvH41u/7Clss6waWG+0yzlKuxXmuMhfq+IvTRGT/AAHq2rILj
         oax7cpfU+IGCAXrcyZCCCXEnLJ9LUihhshMuu4tDdJx4bVMsxEqBT0t6GYFys7kjS2Zk
         kpW0ZJwdG1Zbp5+pwgBX3MQ8lT+rLwcgrq2EluHh9Z6l9AjzwXCreM5/rwj89Ne3fnXs
         u6m5OyFCrGIImFK+Ys3iC7AgLcztz4MzE/UEUDlxGjtfU4Zef0KS9Klzr/E3S+1oHPQY
         k7Jw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=KW5f6PALwdxZFGGhaNM6VSM5Z0UDpPXV1+zdTonPb8M=;
        b=ETX4cR7K8UWBuZPsZz5Dkz6rRon2Z9Ab1Is5Pj2cG7xz3JR0IumdDuVd/ZfUKQHTA/
         77RHRGFLDGgdre+Q5FQ5EIpNnxdxO71vrxYYREek/i0S8Zev9Y2ejEMA5ZPV7lBang+7
         ZYJbvNl7+7wo8xrQ95AaowiC+heRuoXtxjNGU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=KW5f6PALwdxZFGGhaNM6VSM5Z0UDpPXV1+zdTonPb8M=;
        b=nR+1xL/O83zJ0uKTuhNuEYOfdstUQH03GjbO2owwOotyxGNLFZlYuzMUcAhV2bPs8t
         rCy3joPyf6WDhAVitmzWlaA/zbM4I8hWlIDlvUmvmCWDSj4jIJBAe6U5IzH565MgU6Fq
         12LTvCzGr5lO+kCGQABRrkJ96xSMZ2SjrqIslv+WGJ+eH25bW2noV0n6ArxEgGLpF+tE
         BGV+JuMIqNwu5oZCA/XG2b0nrCgit8fejXPVZNP2Ld5FKWX+VizteriMdVE6JEZEp1aE
         FiQdtJAk9AmWCeq/2p23yNY3VC/S47XTn9RRw33SV/iQVV0nlRq2BYgxisHE4DVqO1nl
         +Qfw==
X-Gm-Message-State: ALQs6tDLcQGZDh66CfGBBjx8EHQOA1VSW6X/kQkreRH78oQi7nAx670a
        1xlH68CsIrv7u3x20D53gfMKF5bCx4w5ogevyVI=
X-Received: by 10.107.12.201 with SMTP id 70mr14358241iom.48.1522796924246;
 Tue, 03 Apr 2018 16:08:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 16:08:43 -0700 (PDT)
In-Reply-To: <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com> <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 16:08:43 -0700
X-Google-Sender-Auth: qXbLsW-NHBoZb_fMSXmNihqY504
Message-ID: <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 3:51 PM, Matthew Garrett <mjg59@google.com> wrote:
>
> Lockdown is clearly useful without Secure Boot (and I intend to deploy it
> that way for various things), but I still don't understand why you feel
> that the common case of booting a kernel from a boot chain that's widely
> trusted derives no benefit from it being harder to subvert that kernel into
> subverting that boot chain.

It has NOTHING TO DO WITH "HARDER TO SUBVERT".

THE TWO FEATURES HAVE NOTHING TO DO WITH EACH OTHER WHAT-SO-EVER.

I do not want my kernel to act differently depending on some really
esoteric detail in how it was booted. That is fundamentally wrong.

Is that really so hard to understand?

Look at it this way: maybe lockdown breaks some application because
that app does something odd. I get a report of that happening, and it
so happens that the reporter is running the same distro I am, so I try
it with his exact kernel configuration, and it works for me.

It is *entirely* non-obvious that the reporter happened to run a
distro kernel that had secure boot enabled, and I obviously do not.

See what the problem is? Tying these things magically together IS A BAD IDEA.

And when people ask you why you did it, YOU HAVE YET TO COME UP WITH A
SINGLE ACTUAL RESPONSE.

Instead, you just ask people why they care, or tell people to not enable it.

Seriously, Matthew, it's WRONG to tie things together in magic ways
when they have nothing what-so-ever to do with each other.

So no. The answer is simply "don't tie the two things together".

And dammit, if you tie them together, you had damn well have a good
reason. So far, your reasons have _literally_ been "Why not?" and
tried to make the onus be on others to explain to you why not.

That's not the right approach to begin with, Matthew.  The onus is on
*you* to explain why you tied them together, not on others to explain
to you - over and over - that they have nothing to do with each other.

This discussion is over until you give an actual honest-to-goodness
reason for why you tied the two features together. No more "Why not?"
crap.

                 Linus