Received: by 10.213.65.68 with SMTP id h4csp115357imn; Tue, 3 Apr 2018 16:47:25 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/vva+bpPPaHs9zFDOyf9s88SzFDmkWOA/ErXNSf85RN3wWLZBbG3dIC2S6RdH+992JV4iM X-Received: by 2002:a17:902:a981:: with SMTP id bh1-v6mr16507182plb.255.1522799245737; Tue, 03 Apr 2018 16:47:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522799245; cv=none; d=google.com; s=arc-20160816; b=AUWwqfe1BEMAUMt9frt1y9Up+vld4/Ttb2sS7M/q6prB8jKyzn2FlmFomM8Cq1BefB AQpuTtH/QP5Plu0YVRT90m8RSj5RFiroNxj/4pQj/QjRgF9CpmM2j8sLg86FuIIGRcG3 LZtBYRxZDEjBWqnUej73QYU7E+FOVdcHdhj6GkDSSFKx8gTNHlqIEK1d/PpHoqSq3oVZ 7fIYTvbwc6UrTddSw1TN+dpfrOJ+uGBw42GsuoadoPzGiglYSbvkMzsl3wY/BeQrKGAB 8cbdkn6A2i8reo9f/Pfe268dQcO2p7fOjTA6eD3GjM75NlZf3ZZQb9+U1bQFFRncGDcM IX/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=qgztwK+UEfoX1RU6IzLPE9EaTBSs8HVNe07Hvyqozl4=; b=ASyY9Y1vzDn8LNl07XBG75duF3iUGiTHymxLfFBh2iaSQT9n8fyjCP1+Ueva9ByH0g rij9vB+Ym4DPYX/g+TCzuENdXmYpPyJ4RtkYaAp3bo9YvxfMpXkyZp6KGEPqnUsbqBNd SLtd3M6/d3hVbGUX1WEl5YsTXGjFSA9UEJYcQrosFZZekh5GVOYN7iYzjQWPfiBa+LP/ zNTuOQrKTU3Cwyalq7xMo4KolLiAaqsoBwWAssPQlHYuyOj2oZtPPutEGSHrWB15cc2/ KBSfMoneQx8qvEaYh+xWyu6YT2FxdO/JkZMoQrHCgkI602DRc7cydf/3t7/wc99aPxYL 1zVw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iwlMqa6+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h10si2734039pgs.538.2018.04.03.16.47.11; Tue, 03 Apr 2018 16:47:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=iwlMqa6+; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755345AbeDCXqF (ORCPT + 99 others); Tue, 3 Apr 2018 19:46:05 -0400 Received: from mail-it0-f66.google.com ([209.85.214.66]:52507 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752813AbeDCXqC (ORCPT ); Tue, 3 Apr 2018 19:46:02 -0400 Received: by mail-it0-f66.google.com with SMTP id f6-v6so14443933ita.2 for ; Tue, 03 Apr 2018 16:46:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qgztwK+UEfoX1RU6IzLPE9EaTBSs8HVNe07Hvyqozl4=; b=iwlMqa6+Hqvq4S+WqwGlYapiDjBT6jia1/SZ3HBeJPo6vAuakzRDpBmGjL969tzMF3 6uzaDF6u2tQKYMOvgENbRnXDM+Hz3mYbZXoRnshwrj5e83GUiCuVZlcKAQB/QXeGsOYa w1h9i33HjfsLMPkEHuoOI9GtWiMyBhhUiAvs6A1bsHLkfZWyucSIUeyKKa+QS7NRdIBA ooGkOqYYnFIXhz7vZV8OFbG32Ral1YZVzkEwzFEpiaY9AuU15qmErA/f+WXsk4/cEdf1 AH6kWw85zCAEyNVAbNyC+IREMh2JRLnmdYEY7bWEP5quvqgCrIl/Sb2GEZ8bAgFX2jik MUXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qgztwK+UEfoX1RU6IzLPE9EaTBSs8HVNe07Hvyqozl4=; b=Jc13XBUx9MulF2TufnMWhqu7npIZuMeXimd15XuG73dmhQZu+4oS2WAyOyKLGCkRMw saBGlsDmHuGbCZaVcX1lwhIRpgmlcy7nEJXwzBhhJB0jXzwP93MufW2U/aKN9VfgQ4/O 8IV97L3kg36Ce2utsbcw21D++3+q0/JWzl8luZGCJHSbKpu3FRwIyZArUKuXwT4gJTjv BaV7Qf6T51f7OtMa0XIHbJedetep1HxudlgqnjciE+2JllXdk3gP9EoLc3p1+Xpeg4Qc 7ncL2uUtYSi4y1AWUBI8w2lTy24SwSELH4LAJ+YLKdEBJ2xkZmSBjT0evUl/vKJjFRWZ mi/Q== X-Gm-Message-State: ALQs6tDTSFsIkoO1htZbYaey/Gj6oV1FW13Owd9nzVqQNVIWXm9WtGTk 8qgvj5F28sLfPmkmr6H6ULUrAvnhotfC0vJJXrPTmA== X-Received: by 2002:a24:46cd:: with SMTP id j196-v6mr6879113itb.8.1522799161021; Tue, 03 Apr 2018 16:46:01 -0700 (PDT) MIME-Version: 1.0 References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> In-Reply-To: From: Matthew Garrett Date: Tue, 03 Apr 2018 23:45:50 +0000 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Linus Torvalds Cc: luto@kernel.org, David Howells , Ard Biesheuvel , jmorris@namei.org, Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 4:26 PM Linus Torvalds wrote: > On Tue, Apr 3, 2018 at 4:17 PM, Matthew Garrett wrote: > > > > 1) Secure Boot is intended to permit the construction of a boot chain that > > only runs ring 0 code that the user considers trustworthy > No. > That may be *one* intention, for some people. > It's not an a-priori one for the actual user. Secure Boot is intended to *permit* that. Without Secure Boot you're unable to do that. Some users want that. Some users don't. > > 2) Allowing arbitrary user code to run in ring 0 without affirmative > > consent on the part of the user is therefore incompatible with the goals of > > Secure Boot > Again, that has absolutely zero relevance. > Those goals are not the *users* goals. > Be honest now. It wasn't generally users who clamored for it. If you ask a user whether they want a system that lets an attacker replace their kernel or one that doesn't, what do you think their answer is likely to be? > If the user actually wanted it, and is asking for it, he can enable > it. Independently of secure boot, which the user generally has little > control over. How? If the bootloader will boot kernels that don't impose this restriction then an attacker just replaces whatever's enabling that feature. And, uh, seriously, I've been asking for *years* for someone to point me at a PC on the market that doesn't give the user control over Secure Boot, but Shim was expressly designed to ensure that the user would have the ability to enroll additional trusted keys (or disable signature validation entirely), so which cases are you thinking of where the user doesn't have control? > > 3) This patchset provides a mechanism to alter the behaviour of the kernel > > such that it is significantly more difficult for arbitrary user code to run > > in ring 0 without affirmative user consent > That difficulty already exists, the new thing isn't somehow related to > that at all. > Look at our "uyou can only load modules if you're root" rules. Or the > "you can only load modules if they are signed". > See a pattern there? They don't magically enable themselves (or > disable themselves) depending on whether you booted with secure boot > or not. What's the benefit of "You can only load modules if they are signed" if root is able to just overwrite that policy bit in the kernel? The split between unprivileged users and root is real, but right now module signatures are theater - there's no significant security benefit from them. But the reason to tie this to Secure Boot is that without that an attacker who has root can just replace the kernel on disk (or patch the bootloader to live-patch the kernel on boot, and yes that's an attack we've seen in the real world), so while it's a feature that is arguably beneficial under all circumstances it's a feature that only has significant benefit if you have some way to actually validate what you're booting in the first place. > > 4) Providing a mechanism for automatically enabling this behaviour when > > running in a context that is intended to restrict access to ring 0 is a > > rational thing to do, because otherwise it is difficult to achieve the > > objective in (1) > No. See why it's *NOT* rational, as explained already several times. > Magically changing kernel behavior depending on some subtle and often > unintentional bootup behavior detail is completely idiotic. > It would be idiotic if it was that "check kernel module signatures" > check. This is no less idiotic. > Seriously, listen to your own arguments. If they don't make sense for > checking kernel module signatures, why the hell would they make sense > for something like lockdown. > THE TWO THINGS ARE ENTIRELY INDEPENDENT. Again, what is your proposed mechanism for ensuring that off the shelf systems can be configured in a way that makes this possible?