Received: by 10.213.65.68 with SMTP id h4csp105138imn;
        Tue, 3 Apr 2018 16:31:28 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/v/e7sSRDuNQt/M4XzLpunkTERXvCxslIfbjy0LVG72CjRyBqu7Dvcw0JJZsmRuouYFh63
X-Received: by 10.101.93.78 with SMTP id e14mr10151348pgt.84.1522798288623;
        Tue, 03 Apr 2018 16:31:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522798288; cv=none;
        d=google.com; s=arc-20160816;
        b=J8WwqOU3u1M3k0tk65vDjmgqQVRlvvm0hFSaNRTIfZt2zpVBIaQ3CM8kY3+GiCYbB/
         3SfZeTyWa/j5HrzwyI3Xbqdjq3NOfPqUgvRnOprZBH3eOFMgX/TANp5194uHYk10nDNu
         FrmO64nQNCOHMRzOd/WB1wOhNDSIEZpN2o/MUbxxuXMJm64tthcpV/ScRJic0pO+cPK/
         GdwHQZ0DeSNdHExbyniQuSQuknECLH7FjloQNRqyWMmsYr3OMEgRpyDHMUPU50Dmyknf
         djFH0sVojfO9PP0W8S78UjtqrMaW15oZ73Wwnin+LF8LHbmBzrdg4rsPRVsSxfV2VTky
         UhLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=;
        b=xWxzL5eMBlwnyYyr+wzvZivpynpt5IcWl9B5xCV3GwTpWw6vf1Hxt8yyoWEvHk54wj
         6jnB7mEukcKEjC6Dz5Xnxs3xoGN0poL1LxF3NwRAH8kPUI6PfgRBAbzxUT1IvNTMAb+A
         ZPJPDdDR1ZPnFzj8I7q4/y0prIF7cNoIVuTCZqii+17xp9rjM9ajtNna7tX6k7y5O7ux
         Cqd5AAbUFKVGTt0Dzs90z30vGudywpako95lNV9m7z4ILspwTwqJX95zA3AHNs8RHohC
         rjU16LFbUq/SkPfXpbLpx2koCt86AQ0qrWv2sGY04QcWSo5COILQtwRhO9KNaEbs7554
         kU+w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=DohRjtmh;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=AvEteLw5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p1-v6si1607959plb.745.2018.04.03.16.31.14;
        Tue, 03 Apr 2018 16:31:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=DohRjtmh;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=AvEteLw5;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754292AbeDCX0m (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:26:42 -0400
Received: from mail-it0-f66.google.com ([209.85.214.66]:55979 "EHLO
        mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753630AbeDCX0h (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:26:37 -0400
Received: by mail-it0-f66.google.com with SMTP id 142-v6so25573032itl.5;
        Tue, 03 Apr 2018 16:26:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=;
        b=DohRjtmhzxYpU1+7I4CYZ3fjOXACngEhSAUj0TFyhMYnMWvoN426Ql3Ocr8cyqVLKz
         jI/R1yCqk/3uicIS9n/7BcdfV16hvk3Px2ZQjNpv3BEpyRHDvPnfSC6JqzTM0t2fhVaX
         XMrBOz1imAFckVmJrJS5G7P1/l7leWzPWRBUq438dJ872J8O6xwVWWLNn/Sf0lylkc5T
         j6nlTisNDSHSS1k+nWwar/7I8ZgaSb6sFZoisHIOmrafiaFrL9aP5PiO4ApHm+wPWGR+
         r6lfb98P60KdyUj+i0OWLr03Dk2DSbMRPi2+q8qYuqCiyzUneAie1tPcMC48EuOih0TR
         JVfQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=;
        b=AvEteLw5Fumnbsn3qg0KqCRva68e3yNDg2ZdEq+hkn1bX3TsgC4laZd+zJI9us4Yme
         yt3JyIPaqWdFKLWQ6EOn4fTmkaYijxYRIWsB8b9jyDtt58AUyv+G0e2d0STwvkgULDwG
         wZEfVL8mPgTa9BhZSCRxG4pUpnNgLyywzFoqU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=f++NiBUzzzexwKKlV8SWxMDzGpHX8lLdvYXRquTnBFI=;
        b=TurnXNvBcfXcqz0CSF8xJjlXDjAlnZteJxhe1/zD5MCzhT3xtoCfgXlt+95WoiALaQ
         i9HVVbPFcz0/Xr5XjSVlvDWRvN2QP0HjkK/V/mxVlivoG+RUp4exy0CUkYQN4gWJjAhJ
         HmnhFelZwGGCOSCREQYmF1l1XAZBpJb9MQrfxLkO3ed721+sZsVo84TfHnCq5aRm/qaa
         VbiVlI3RBX37UJblpwVKjPD03M7RgjR0nVSvYb/KacrjNOe29owS1tV7B9ye8Lh4Zkud
         tjB8NrcM63KDGZsoGHPe0Dgm64v89mKqGMmlcSJg6TSNL7Muv4PdlN2xc84DdQLksqI7
         iS4Q==
X-Gm-Message-State: ALQs6tDnZtbGk4X8QOxrLSBxJkAshp3pnmJlXWYLBvsn6Sz7A20BF5nu
        oFy6mOLQ2dTX1xrkc4p2Zg3qP3CX6bPaDN+CPyM=
X-Received: by 2002:a24:5852:: with SMTP id f79-v6mr7331548itb.108.1522797996627;
 Tue, 03 Apr 2018 16:26:36 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 16:26:36 -0700 (PDT)
In-Reply-To: <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com> <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 16:26:36 -0700
X-Google-Sender-Auth: vkz5STVF3MWBjoVOfISfa3rkUD0
Message-ID: <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:17 PM, Matthew Garrett <mjg59@google.com> wrote:
>
> 1) Secure Boot is intended to permit the construction of a boot chain that
> only runs ring 0 code that the user considers trustworthy

No.

That may be *one* intention, for some people.

It's not an a-priori one for the actual user.

> 2) Allowing arbitrary user code to run in ring 0 without affirmative
> consent on the part of the user is therefore incompatible with the goals of
> Secure Boot

Again, that has absolutely zero relevance.

Those goals are not the *users* goals.

Be honest now. It wasn't generally users who clamored for it.

If the user actually wanted it, and is asking for it, he can enable
it. Independently of secure boot, which the user generally has little
control over.

> 3) This patchset provides a mechanism to alter the behaviour of the kernel
> such that it is significantly more difficult for arbitrary user code to run
> in ring 0 without affirmative user consent

That difficulty already exists, the new thing isn't somehow related to
that at all.

Look at our "uyou can only load modules if you're root" rules. Or the
"you can only load modules if they are signed".

See a pattern there? They don't magically enable themselves (or
disable themselves) depending on whether you booted with secure boot
or not.

Yet they are a HELL OF A LOT MORE IMPORTANT than this new patch series.

> 4) Providing a mechanism for automatically enabling this behaviour when
> running in a context that is intended to restrict access to ring 0 is a
> rational thing to do, because otherwise it is difficult to achieve the
> objective in (1)

No. See why it's *NOT* rational, as explained already several times.

Magically changing kernel behavior depending on some subtle and often
unintentional bootup behavior detail is completely idiotic.

It would be idiotic if it was that "check kernel module signatures"
check. This is no less idiotic.

Seriously, listen to your own arguments. If they don't make sense for
checking kernel module signatures, why the hell would they make sense
for something like lockdown.

THE TWO THINGS ARE ENTIRELY INDEPENDENT.

I'm done with you. You're not listening, and you're repeating bogus
arguments that make no sense.

No way in hell will I merge anything like this.

                Linus