Received: by 10.213.65.68 with SMTP id h4csp105138imn; Tue, 3 Apr 2018 16:31:28 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/v/e7sSRDuNQt/M4XzLpunkTERXvCxslIfbjy0LVG72CjRyBqu7Dvcw0JJZsmRuouYFh63 X-Received: by 10.101.93.78 with SMTP id e14mr10151348pgt.84.1522798288623; Tue, 03 Apr 2018 16:31:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522798288; cv=none; d=google.com; s=arc-20160816; b=J8WwqOU3u1M3k0tk65vDjmgqQVRlvvm0hFSaNRTIfZt2zpVBIaQ3CM8kY3+GiCYbB/ 3SfZeTyWa/j5HrzwyI3Xbqdjq3NOfPqUgvRnOprZBH3eOFMgX/TANp5194uHYk10nDNu FrmO64nQNCOHMRzOd/WB1wOhNDSIEZpN2o/MUbxxuXMJm64tthcpV/ScRJic0pO+cPK/ GdwHQZ0DeSNdHExbyniQuSQuknECLH7FjloQNRqyWMmsYr3OMEgRpyDHMUPU50Dmyknf djFH0sVojfO9PP0W8S78UjtqrMaW15oZ73Wwnin+LF8LHbmBzrdg4rsPRVsSxfV2VTky UhLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=; b=xWxzL5eMBlwnyYyr+wzvZivpynpt5IcWl9B5xCV3GwTpWw6vf1Hxt8yyoWEvHk54wj 6jnB7mEukcKEjC6Dz5Xnxs3xoGN0poL1LxF3NwRAH8kPUI6PfgRBAbzxUT1IvNTMAb+A ZPJPDdDR1ZPnFzj8I7q4/y0prIF7cNoIVuTCZqii+17xp9rjM9ajtNna7tX6k7y5O7ux Cqd5AAbUFKVGTt0Dzs90z30vGudywpako95lNV9m7z4ILspwTwqJX95zA3AHNs8RHohC rjU16LFbUq/SkPfXpbLpx2koCt86AQ0qrWv2sGY04QcWSo5COILQtwRhO9KNaEbs7554 kU+w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=DohRjtmh; dkim=fail header.i=@linux-foundation.org header.s=google header.b=AvEteLw5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p1-v6si1607959plb.745.2018.04.03.16.31.14; Tue, 03 Apr 2018 16:31:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=DohRjtmh; dkim=fail header.i=@linux-foundation.org header.s=google header.b=AvEteLw5; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754292AbeDCX0m (ORCPT + 99 others); Tue, 3 Apr 2018 19:26:42 -0400 Received: from mail-it0-f66.google.com ([209.85.214.66]:55979 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753630AbeDCX0h (ORCPT ); Tue, 3 Apr 2018 19:26:37 -0400 Received: by mail-it0-f66.google.com with SMTP id 142-v6so25573032itl.5; Tue, 03 Apr 2018 16:26:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=; b=DohRjtmhzxYpU1+7I4CYZ3fjOXACngEhSAUj0TFyhMYnMWvoN426Ql3Ocr8cyqVLKz jI/R1yCqk/3uicIS9n/7BcdfV16hvk3Px2ZQjNpv3BEpyRHDvPnfSC6JqzTM0t2fhVaX XMrBOz1imAFckVmJrJS5G7P1/l7leWzPWRBUq438dJ872J8O6xwVWWLNn/Sf0lylkc5T j6nlTisNDSHSS1k+nWwar/7I8ZgaSb6sFZoisHIOmrafiaFrL9aP5PiO4ApHm+wPWGR+ r6lfb98P60KdyUj+i0OWLr03Dk2DSbMRPi2+q8qYuqCiyzUneAie1tPcMC48EuOih0TR JVfQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=; b=AvEteLw5Fumnbsn3qg0KqCRva68e3yNDg2ZdEq+hkn1bX3TsgC4laZd+zJI9us4Yme yt3JyIPaqWdFKLWQ6EOn4fTmkaYijxYRIWsB8b9jyDtt58AUyv+G0e2d0STwvkgULDwG wZEfVL8mPgTa9BhZSCRxG4pUpnNgLyywzFoqU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=; b=TurnXNvBcfXcqz0CSF8xJjlXDjAlnZteJxhe1/zD5MCzhT3xtoCfgXlt+95WoiALaQ i9HVVbPFcz0/Xr5XjSVlvDWRvN2QP0HjkK/V/mxVlivoG+RUp4exy0CUkYQN4gWJjAhJ HmnhFelZwGGCOSCREQYmF1l1XAZBpJb9MQrfxLkO3ed721+sZsVo84TfHnCq5aRm/qaa VbiVlI3RBX37UJblpwVKjPD03M7RgjR0nVSvYb/KacrjNOe29owS1tV7B9ye8Lh4Zkud tjB8NrcM63KDGZsoGHPe0Dgm64v89mKqGMmlcSJg6TSNL7Muv4PdlN2xc84DdQLksqI7 iS4Q== X-Gm-Message-State: ALQs6tDnZtbGk4X8QOxrLSBxJkAshp3pnmJlXWYLBvsn6Sz7A20BF5nu oFy6mOLQ2dTX1xrkc4p2Zg3qP3CX6bPaDN+CPyM= X-Received: by 2002:a24:5852:: with SMTP id f79-v6mr7331548itb.108.1522797996627; Tue, 03 Apr 2018 16:26:36 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 16:26:36 -0700 (PDT) In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> From: Linus Torvalds Date: Tue, 3 Apr 2018 16:26:36 -0700 X-Google-Sender-Auth: vkz5STVF3MWBjoVOfISfa3rkUD0 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Matthew Garrett Cc: Andrew Lutomirski , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 4:17 PM, Matthew Garrett wrote: > > 1) Secure Boot is intended to permit the construction of a boot chain that > only runs ring 0 code that the user considers trustworthy No. That may be *one* intention, for some people. It's not an a-priori one for the actual user. > 2) Allowing arbitrary user code to run in ring 0 without affirmative > consent on the part of the user is therefore incompatible with the goals of > Secure Boot Again, that has absolutely zero relevance. Those goals are not the *users* goals. Be honest now. It wasn't generally users who clamored for it. If the user actually wanted it, and is asking for it, he can enable it. Independently of secure boot, which the user generally has little control over. > 3) This patchset provides a mechanism to alter the behaviour of the kernel > such that it is significantly more difficult for arbitrary user code to run > in ring 0 without affirmative user consent That difficulty already exists, the new thing isn't somehow related to that at all. Look at our "uyou can only load modules if you're root" rules. Or the "you can only load modules if they are signed". See a pattern there? They don't magically enable themselves (or disable themselves) depending on whether you booted with secure boot or not. Yet they are a HELL OF A LOT MORE IMPORTANT than this new patch series. > 4) Providing a mechanism for automatically enabling this behaviour when > running in a context that is intended to restrict access to ring 0 is a > rational thing to do, because otherwise it is difficult to achieve the > objective in (1) No. See why it's *NOT* rational, as explained already several times. Magically changing kernel behavior depending on some subtle and often unintentional bootup behavior detail is completely idiotic. It would be idiotic if it was that "check kernel module signatures" check. This is no less idiotic. Seriously, listen to your own arguments. If they don't make sense for checking kernel module signatures, why the hell would they make sense for something like lockdown. THE TWO THINGS ARE ENTIRELY INDEPENDENT. I'm done with you. You're not listening, and you're repeating bogus arguments that make no sense. No way in hell will I merge anything like this. Linus