From: Linus Torvalds
Date: Tue, 3 Apr 2018 16:55:47 -0700
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: Matthew Garrett
Cc: Andrew Lutomirski, David Howells, Ard Biesheuvel, James Morris, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk>
List-ID: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:45 PM, Matthew Garrett wrote:
>> Be honest now. It wasn't generally users who clamored for it.
>
> If you ask a user whether they want a system that lets an attacker replace
> their kernel or one that doesn't, what do you think their answer is likely
> to be?

Goddamnit. We both know what the answer will be. And it will have *nothing* to do with secure boot.

So *you* be honest now. Because you clearly aren't.

Seriously. Go ask that question to a random person:

  "Do you want a system that lets an attacker replace their kernel or one that doesn't?"

and don't ask anything else. Do you really think they'll answer "no, I don't want an attacker to replace my kernel, but only if I booted with secure boot"?

Honestly, now.

> Again, what is your proposed mechanism for ensuring that off the shelf
> systems can be configured in a way that makes this possible?

If you think lockdown is a good idea, and you enabled it, then IT IS ENABLED. No idiotic "secure boot or not" garbage. Because secure boot or not isn't *relevant*.

Christ, we already have things like

 - CONFIG_STRICT_KERNEL_RWX
 - CONFIG_STRICT_DEVMEM
 - CONFIG_HARDENED_USERCOPY
 - CONFIG_MODULE_SIG_ALL (and friends)

and absolutely *NONE* of them depend on whether the kernel was booted with secure boot or not. And I claim that it would be completely idiotic and broken if they did.

And - not entirely unrelated - I claim that it is COMPLETELY IDIOTIC AND BROKEN to make some new "lockdown" option depend on it.

Comprende?

Really. Your arguments make no sense. They are all fundamentally broken for the simple reason that all your "but secure boot implies XYZ" are pure and utter bullshit, because all your arguments are valid whether secure boot happened or not.

See? Secure boot has *NOTHING* to do with anything. It has nothing to do with loading only signed kernel modules. It has nothing to do with your lockdown patches.

Either lockdown is good or not. It's that simple. But the goodness has nothing to do with secure boot.

           Linus
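As an added example, not part of this thread and not code from the lockdown patch set: the argument above rests on keeping two facts apart, which hardening options were compiled into the kernel and whether the firmware booted it under secure boot. The script below checks each on its own. It reads a kernel .config-style file for the four options listed in the message, and separately decodes the UEFI SecureBoot variable in the layout efivarfs exposes (four attribute bytes followed by the one-byte value). The config file and the two efivar images it runs against are constructed sample data written to a temp directory; on a live system the inputs would be /boot/config-$(uname -r) (or zcat /proc/config.gz) and /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c, and the two reports would still be independent of each other.

```shell
#!/bin/sh
# Added example, not from the LKML thread. Checks compile-time hardening
# options and the firmware SecureBoot state as two separate questions.
# All input files below are CONSTRUCTED sample data, not the running system.

HARDENING_OPTIONS="CONFIG_STRICT_KERNEL_RWX CONFIG_STRICT_DEVMEM CONFIG_HARDENED_USERCOPY CONFIG_MODULE_SIG_ALL"

# config_option FILE OPTION -> prints y, m, n ("# OPTION is not set") or unset
config_option() {
    f=$1; o=$2
    if grep -q "^${o}=y$" "$f"; then echo y
    elif grep -q "^${o}=m$" "$f"; then echo m
    elif grep -q "^# ${o} is not set$" "$f"; then echo n
    else echo unset
    fi
}

# hardening_report FILE -> one "OPTION=state" line per listed option
hardening_report() {
    for o in $HARDENING_OPTIONS; do
        printf '%s=%s\n' "$o" "$(config_option "$1" "$o")"
    done
}

# secure_boot_state EFIVAR_FILE -> enabled | disabled | unavailable
# efivarfs files are a 4-byte little-endian attribute word followed by the
# variable data; SecureBoot's data is a single byte, 1 = enforcing.
secure_boot_state() {
    f=$1
    [ -r "$f" ] || { echo unavailable; return; }
    byte=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# --- constructed sample inputs -------------------------------------------
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# A fragment in the format of /boot/config-$(uname -r); values chosen
# for illustration, one option deliberately left unset.
cat > "$TMP/config" <<'EOF'
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_HARDENED_USERCOPY is not set
CONFIG_MODULE_SIG_ALL=y
EOF

# Two efivar images: attributes 0x00000007 (NV+BS+RT) then the value byte.
printf '\007\000\000\000\000' > "$TMP/sb-off"
printf '\007\000\000\000\001' > "$TMP/sb-on"

echo "Hardening options (decided at build time, whatever the boot path):"
hardening_report "$TMP/config"
echo "SecureBoot per firmware, same kernel config either way:"
echo "  image sb-off -> $(secure_boot_state "$TMP/sb-off")"
echo "  image sb-on  -> $(secure_boot_state "$TMP/sb-on")"
echo "  no efivar    -> $(secure_boot_state "$TMP/does-not-exist")"
```

Nothing in hardening_report consults the efivar, and nothing in secure_boot_state consults the config: the same config report is produced for the sb-off and sb-on images, which is the separation the message insists on. On a non-EFI boot the efivars directory is absent and the state is reported as unavailable rather than guessed.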