Received: by 10.213.65.68 with SMTP id h4csp116616imn;
        Tue, 3 Apr 2018 16:49:33 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48N7nDs2m4Rks+IUYLSPNr3NZkeAPwEQaAV2Z6Z8CgydW1mbGsRVGQDHcCOxW3ycRgAob7A
X-Received: by 2002:a17:902:8d98:: with SMTP id v24-v6mr16138932plo.21.1522799373751;
        Tue, 03 Apr 2018 16:49:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522799373; cv=none;
        d=google.com; s=arc-20160816;
        b=ZUuzfhS3KRQ8xfBy4IDIyCZH6RPmhDiRwg6Zd4qibV9TRT1BLcqg1s4/76eC1FkYbo
         wNT1NoPd9HL8HaI8EY6sfWQIIhOtygJ6X/uQExTNMgIQA0n+9iROWBXCoszdgiHx/YgN
         5oS6SvzmhChiF4fBn/PbEw8PZlNmdTin/AAyULclquF6Ie+7/psgAlYuB8zJFjcs2zT4
         Nr5LRCjjOeb/tv/OmbKrnP+ksL0+gUQ7zY6KjwdQonpOWcwUUdqdqbXIWdL/ogtgFRc1
         LREWGpzKmZQEsjrJLiAQI2S713QjmfbhlP84+yo7KyniLWxN5tBmOA+ykZfkBlo+QKn6
         eAxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=S0M7Bz9BKsUy+VlfliP59GUdQysAog4IP7oV1I3Fj+4=;
        b=KFW5avhx17SLBSW2mD/IvEvj66XH8U67LlAylNDeJC320t86nF5iksZnnxCVB58As8
         T3FD+D3nwfpO89AyCSW/o9cbISzwGMNUongrPhtlB8rrSgpqb48+sMEzTIxZfe2CgcY3
         +Vc4fLMazaRIy7K6LRSH9+9sFKOk1b05nILoFqoNerB535RyDopehYls8KzVRueak0oe
         zypDu68tOzaDWTQrzDwGagzVDjgP1rhlWmaczKHTGSOP7AaQdklQRZakIyt81GeI9OkE
         qu+csLLWoeWEXEXy4xC8qdfa7xLvHN6Lwu/0T7a6AOnEKsT5SpD8J5MgvdsipVC/BtoL
         Yo9w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Q1ArLlXf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v6si2691219pgc.526.2018.04.03.16.49.19;
        Tue, 03 Apr 2018 16:49:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=Q1ArLlXf;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755015AbeDCXsH (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:48:07 -0400
Received: from mail-it0-f65.google.com ([209.85.214.65]:54292 "EHLO
        mail-it0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753356AbeDCXsE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:48:04 -0400
Received: by mail-it0-f65.google.com with SMTP id h143-v6so25650660ita.4
        for <linux-kernel@vger.kernel.org>; Tue, 03 Apr 2018 16:48:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=S0M7Bz9BKsUy+VlfliP59GUdQysAog4IP7oV1I3Fj+4=;
        b=Q1ArLlXf73AsBZZf1aotYAPGXoHDbo1Jzn9THs+7BQxpRLg2mU6H/vFHuVCwh2y/sD
         t1l1lu+VbSgDnLQWvqiJBn6508+WHdCLtAU/tJF9lUuAwu0Gl+XPKX4VM5cn012M5WnX
         7KQQ/O/x/VLGSYUZ7uG1XOYUZ/L2A+ocw8gYeK+RFQLnQWRi8tVg+P0WzelFU/eNKGja
         ydgu8NDCWBnudGOd82lOmjKizbCoR9m8inong6FCRpCF3VNRDkGKU4kGmA+vQ2W8w/7J
         z4+N+6jCPzlbbnI+WZ6HZvlfrSAe0/1l7QGGDSU10MoPFPg2t9Gu5QBHFZWwpcrXhmpu
         Z38g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=S0M7Bz9BKsUy+VlfliP59GUdQysAog4IP7oV1I3Fj+4=;
        b=nudZfkMD/RI5d4Ug4soB1x//QEhIQg/0qXZKUvxw6WrBGP5KuqcU73OTYnpY6h4jUS
         s/jozaUvMgwMYttipODrigx5hJsphDrURRxLlpCKgj6ko2No35r7GxgeQBqLbJRCiH7G
         IFcc0o4sFDllldfYB//Egqy/Tn9DGBjdpr5NPjAAxF+Ru71XTyY7vMgA+TU2s2PeVmPY
         jFR1fRyEhDfOpjxMlZjV+af/CKyVAHRlzyX5sFMkDTRA3S4gdPykK5o3aLP9we7Sfeem
         k492EYBPIDShx9DdVUVqHWDa0sghCmVQ7d1JmkY+2KuE/DasyhI22aGIGyaWsy4gINyH
         929A==
X-Gm-Message-State: ALQs6tBcqJE4qOqXOrwkQkRrhLpMYijf6FG1Jt1Ug0cxo9SFQt5n1H44
        uXfZl0R2HW1zxScMBh0dVmPgr5TRGafsRMzK5UYL5A==
X-Received: by 2002:a24:25cb:: with SMTP id g194-v6mr7365425itg.85.1522799283711;
 Tue, 03 Apr 2018 16:48:03 -0700 (PDT)
MIME-Version: 1.0
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com> <CA+55aFx9u-O81MwSq8zpb+MKaWYjYvtEcFu1NLP1_s63ED6_3Q@mail.gmail.com>
In-Reply-To: <CA+55aFx9u-O81MwSq8zpb+MKaWYjYvtEcFu1NLP1_s63ED6_3Q@mail.gmail.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Tue, 03 Apr 2018 23:47:53 +0000
Message-ID: <CACdnJutkO9dgz=HZpPRR9PZC=+cHh97dRUiGB+D3gruZr6U9Kg@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     luto@kernel.org, David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>, jmorris@namei.org,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-api@vger.kernel.org, Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:39 PM Linus Torvalds
<torvalds@linux-foundation.org>
wrote:

> On Tue, Apr 3, 2018 at 4:26 PM, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > Magically changing kernel behavior depending on some subtle and often
> > unintentional bootup behavior detail is completely idiotic.

> Another way of looking at this: if lockdown is a good idea to enable
> when you booted using secure boot, then why isn't it a good idea when
> you *didn't* boot using secure boot?

Because it's then trivial to circumvent and the restrictions aren't worth
the benefit.