Received: by 10.213.65.68 with SMTP id h4csp121705imn;
        Tue, 3 Apr 2018 16:57:28 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+B65z6u5GDG1x+aFeO0qo/ZXdbJF4C24AEHjRth8ejbuFJmNvnnqTGaszOhilOhk9Qmr5K
X-Received: by 2002:a17:902:1681:: with SMTP id h1-v6mr8165973plh.145.1522799847985;
        Tue, 03 Apr 2018 16:57:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522799847; cv=none;
        d=google.com; s=arc-20160816;
        b=qQDo3VTJgxWe1g01zSgQ2D3b2jbEOvtxry3vll2csXdrlzNGmSmdajmeK+Ozhvoo21
         KEZ3/+JgWJUooY7AYAHGxpMY7juIra9bkvudma+Tp8TSkyqrpcAD4Zy2BRQvI0zsS8Xy
         r8iafePyXm5kl7Wt5Fh3kVkAdpLZQf8UBxKuxynhgp8O712POCOHuZ8sW97slEy5VKY+
         YDJHGsY/+m+jpgVyuafxASJNFZ2z2i/d9BPblK4UFaiLE8H6KuKiOcv5cJIKJ4q/Gg06
         khTWfy2agWmvSL1ubhdW/HC+FeaCT5xRDD6FK4syupFLlBeWi1fOoPOZYXvU5Pi4ekno
         1FMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=hILyIhtsTAveGJNX4r2+2DOi5T8tjikBX2n2iPJCGPg=;
        b=SrFzF9EQVJs7SAxqbTwTyepFWlLrgd1w071SurUStD5aLcQzBI4hj2rOk+VM5MOXpX
         t0NxM2/rQp9vymIv3EcUyR7/k187h2u8MgBNHxzoycCelafkQmffF6oJFA57log6eauk
         8c4gRXrRHNORei9boVW5qn/S0rDq6trAeLyj5w+GUT/Ckuukq7BxUfESlApJqL1NXtYx
         H3tdojrsorpYiA2UafcimwGKaZTeZms7JQWa0kPEZmidNl3hsLTDctW2LixCo9r2TKwM
         FB3sVfVQvcAnGWTXrjWPKrsiUzDxeD3lGPN5t1FuNDeusNgbRUnL9z7P6EA4f6v8TyXd
         j8Sw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=NqaaFZCS;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=Zt2XR1D/;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 31-v6si4019000plj.703.2018.04.03.16.57.12;
        Tue, 03 Apr 2018 16:57:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=NqaaFZCS;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=Zt2XR1D/;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754966AbeDCXzw (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:55:52 -0400
Received: from mail-io0-f171.google.com ([209.85.223.171]:35772 "EHLO
        mail-io0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752813AbeDCXzt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:55:49 -0400
Received: by mail-io0-f171.google.com with SMTP id x77so17850223ioi.2;
        Tue, 03 Apr 2018 16:55:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=hILyIhtsTAveGJNX4r2+2DOi5T8tjikBX2n2iPJCGPg=;
        b=NqaaFZCSH2fsCf7h0u0R6Y/tJ0xKozqryEdyiwhsHZLGsSZ3gOKn16+GkujeU4Pg3Y
         Pw9Cs14maPSpWyBlHeW5dlrKwsR4+ROz8egfY8totmog7aSfPgiR3YdfNK+Zcmeb4PpX
         295LmZJzABRIaWrFXx2xCuYezfHyzEeDc8n87wJur32cJwuOZfeuSWnoZIHGT1/UlvyE
         NF9TX+8AYVowe/HZeiMsjkP7bvZ6YtN7A/3jygOPab9t4aPJRjj2QOONJyTCpUpV9E2N
         VgPhvD0hv0TX9jfTbKSFBkMY0atQdLke1P54ckENWVGS/fY+5MN0kdjH2hvEfUX4EJOJ
         o+rw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=hILyIhtsTAveGJNX4r2+2DOi5T8tjikBX2n2iPJCGPg=;
        b=Zt2XR1D/t7Yo4fgcE3mAgI4LNRmd9VMzQuwgvVxGKhMXm7M93XKnFSXUvguyycj2+G
         FYAWYJHPoMsvr7H5nOxJ3Bv+k87Xk3i5Vf28pOQzc62T0ReZRUCol1sPFpJyh+x1fDwk
         Mtd1WG9+FnTCPmOPZGMjt9CHSHli2r0pbkqP8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=hILyIhtsTAveGJNX4r2+2DOi5T8tjikBX2n2iPJCGPg=;
        b=F/UtDgYSJlR5D7TPKmdVAhWcKe3DWW4MEZXxjJHYVYvfRM6EHx0yzdUw90K4qHvkDh
         5kHVJVRxh+sQAxN4eAFDBCLy+NCZT+P+Uqqx1KAOLTdfbliIVHqjSWHmlo3o8OeLijge
         Vn6f4HFocsqV7SzdWdjU6Bs5c0bAf/Cr4LgCzNEXNLZvxphEvq/NYzo6L5ec17GpGN8t
         e/pD5vUgHVVBfbcCCbUs5VmG0HNfqxdvJSCAJNIZ5N3gvyOD4ezlZ50wcSiPDhv50ASX
         8wrM+Ig+fiQy4wZvsQthfRYHorQePGw8noWGyyQSqF2imFbUI5WR0xSvTsyCbma+j08+
         TYvQ==
X-Gm-Message-State: ALQs6tAorz6BuFC3++C8SYIMdOR5RrQBVADNn+jiTAGuBITlD4w3kw5z
        FglVWzY7MP9MWZvaeqWlnyxWm04xcWwsCXJiMF4=
X-Received: by 10.107.10.219 with SMTP id 88mr15265183iok.259.1522799747803;
 Tue, 03 Apr 2018 16:55:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 16:55:47 -0700 (PDT)
In-Reply-To: <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com> <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 16:55:47 -0700
X-Google-Sender-Auth: SxDQ3zdf_D8qAYXtve7XlUi364E
Message-ID: <CA+55aFwVUmjZ+Swe9xUdDOEE+EOoaU3dh7BcrH74BOLCi8y_Kw@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:45 PM, Matthew Garrett <mjg59@google.com> wrote:
>> Be honest now. It wasn't generally users who clamored for it.
>
> If you ask a user whether they want a system that lets an attacker replace
> their kernel or one that doesn't, what do you think their answer is likely
> to be?

Goddamnit.

We both know what the answer will be.

And it will have *nothing* to do with secure boot.

So *you* be honest now.

Because you clearly aren't.

Seriously. Go ask that question to a random person:

 "Do you want a system that lets an attacker replace their kernel or
one that doesn't?"

and don't ask anything else.

Do you really think they'll answer "no, I don't want an attacker to
replace my kernel, but only if I booted with secure boot"?

Honestly, now.

> Again, what is your proposed mechanism for ensuring that off the shelf
> systems can be configured in a way that makes this possible?

If you think lockdown is a good idea, and you enabled it, then IT IS ENABLED.

No idiotic "secure boot or not" garbage.

Because secure boot or not isn't *relevant*.

Christ, we already have things like

 - CONFIG_STRICT_KERNEL_RWX

 - CONFIG_STRICT_DEVMEM

 - CONFIG_HARDENED_USERCOPY

 - CONFIG_MODULE_SIG_ALL (and friends)

and absolutely *NONE* of them depend on whether the kernel was booted
with secure boot or not.

And I claim that it would be completely idiotic and broken if they did.

And - not entirely unrelated - I claim that it is COMPLETELY IDIOTIC
AND BROKEN to make some new "lockdown" option depend on it.

Comprende?

Really. Your arguments make no sense. They are all fundamentally
broken for the simple reason that all your "but secure boot implies
XYZ" are pure and utter bullshit, because all your arguments are valid
whether secure boot happened or not.

See? Secure boot has *NOTHING* do to with anything.  It has nothing to
do with loading only signed kernel modules. It has nothing to do with
your lockdown patches.

Either lockdown is good or not. It's that simple. But the goodness has
nothing to do with secure boot.

              Linus