Received: by 10.213.65.68 with SMTP id h4csp111092imn; Tue, 3 Apr 2018 16:40:34 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/uMXnyfKGKeEfo1A5CCDfL0JHxM6CFG+z/od+EtSr7iqKrjNnO/4Fs6Tpj6DcRcpu+O01q X-Received: by 2002:a17:902:7295:: with SMTP id d21-v6mr15813523pll.130.1522798834513; Tue, 03 Apr 2018 16:40:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522798834; cv=none; d=google.com; s=arc-20160816; b=ZpdxNtHQ6Gct+P1wr2XbueXoGtiFou7AD19JBaTZYZU0rGwvkBfL3oOhHkEP7ocy8g pQGvPE86WC8mzdhTlH1Lxa7sbk8I8JB/SxcC0k61HGpVloFYImD2zqHhChTeZZfrswkW OyO3MDQZd1fCBQQG9u9euG0/ixr04v0xZfhhJB2iMiWE9N2RJA+rcW4nbIsp0oDtoN0G ST3uP/VVYmVKSmDVPVKyRb+40leGMsd8MFMtyem1fGq+PuJoxOZu5ju2xioPTfDcqUY+ vxswU5M9JJ8FocogiyDk0Fd/ldE35dK+4PJhIcBARku0aPGwicZlwlXUTC5in4bpQqfL Qh/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-id:mime-version :subject:cc:to:references:in-reply-to:from:organization :arc-authentication-results; bh=4dD2XmTrJIFUMEG6Lh8OrfTXR72gcKZnmhuk6kw4Aww=; b=jQAyslsKlBS9WTg90WUz2oOaRaqGHoi1pEAbtGkBeWTZGYQl6nCVjQObJlOPjqP+qK HHzCS27mk+CJH8kx8wtDOEaHVBBGS3NagbYMfTy2YSzvZYc9eSzsUfpQOVV79nG5w0Gs jRyR9fA0owk6vB+AKSR4d3Ndcy5NPYvHGugKKs90sgyZjKxjLFFxyFfv4RM92+J+lQ1L QXwOYMszdq/IekdzQDmKrowetR33/nNN2SxjhUVINCUJsHssM7kYKkSIp0IWHw56w6ED +9x3oTWPOvaPibu3QWA6Y/ud/yfrzqxkvRaAadzV+kyTPE4BJmhOUHNKSUNvm0gY5uGy QPtw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u20si265067pgv.12.2018.04.03.16.40.20; Tue, 03 Apr 2018 16:40:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755125AbeDCXjN (ORCPT + 99 others); Tue, 3 Apr 2018 19:39:13 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:48510 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1754169AbeDCXjJ (ORCPT ); Tue, 3 Apr 2018 19:39:09 -0400 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 88A3A4067EF0; Tue, 3 Apr 2018 23:39:08 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-158.rdu2.redhat.com [10.10.120.158]) by smtp.corp.redhat.com (Postfix) with ESMTP id DAF3E202698A; Tue, 3 Apr 2018 23:39:05 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> To: Linus Torvalds Cc: dhowells@redhat.com, Andy Lutomirski , Matthew Garrett , Ard Biesheuvel , James Morris , Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Subject: Re: [GIT PULL] Kernel lockdown for secure boot MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <10717.1522798745.1@warthog.procyon.org.uk> Date: Wed, 04 Apr 2018 00:39:05 +0100 Message-ID: <10718.1522798745@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 23:39:08 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 03 Apr 2018 23:39:08 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Linus Torvalds wrote: > The same thing is true of some lockdown patch. Maybe it's a good thing > in general. But whether it's a good thing is _entirely_ independent of > any secure boot issue. I can see using secure boot without it, but I > can very much also see using lockdown without secure boot. > > The two things are simply entirely orthogonal. They have _zero_ > overlap. I'm not seeing why they'd be linked at all in any way. I'm not sure I agree. Here's my reasoning: (1) Lockdown mode really needs to activated during kernel boot, before userspace has a chance to run, otherwise there's a window of opportunity in which the kernel *isn't* locked down. (2) If the kernel isn't booted in secure boot mode, then there's the opportunity to tamper before the kernel even starts booting. (3) There doesn't seem any point in booting in secure boot mode if you don't protect the running kernel image against tampering. What does it mean to be in "secure boot mode" in that case? If the kernel can be tampered with, it would seem to be, by definition, insecure. (4) You can't validly promise the next OS you kexec that *it* is started in secure boot mode if you don't stop your image from being tampered with. Note that this doesn't prevent a compromised kernel from lying to the next OS. (5) Tampering with a running kernel can be achieved in a variety of ways: loading of arbitrary modules, loading of modified firmware, direct access to devices that can effect DMA, writing to /dev/mem, ... (6) We need to be able to load modules and firmware, but these can be signed, hashed or measured so we have some idea of their provenance - but signing can be worked around if, say, /dev/mem is writable. (7) If you told the BIOS[*] that you want to be in secure boot mode, then the kernel should honour that and try to prevent tampering with the image. (8) Turning lockdown mode on if the kernel is booted in secure boot seems to be the way to achieve this. (9) BIOS vendors can blacklist any of the components - say the SHIM - to prevent an insecure kernel from being used to compromise and kexec another OS. Note that I've provided a kernel command line parameter that will turn lockdown mode on arbitrarily - but that can be turned off by editing the parameters in grub.cfg, say. David [*] Yeah, I know, this is an x86-centric view.