Received: by 10.213.65.68 with SMTP id h4csp123862imn;
        Tue, 3 Apr 2018 17:00:30 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49D8u5XJgvCwVjVMrXT4wm5x0VG7EzEFMvK/kVnXxupK9PlzKzqJkKCVmwvPwlmF/7Cq2WV
X-Received: by 2002:a17:902:bd4a:: with SMTP id b10-v6mr14223943plx.271.1522800030299;
        Tue, 03 Apr 2018 17:00:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522800030; cv=none;
        d=google.com; s=arc-20160816;
        b=UJ+KloWjw4HnW8dGWrwMaXxGFAWdYtS67imt36uXc814ChYG9M4I96FNvfMPO+Feiy
         b7BmwFbK1lsXrpNJWOIhStSZtGrx06JMO+74dQPyNO66ya28XU2btk5w17TUPg5w4b87
         10aqHLwPu6NlV1GvhS8a6prEUNH0opN76geQ84iRIf5hPDr750YjttK5YNhs8Xa6rnz3
         lhjoCA8Lyu6MXb0FUzSyi3B9VJeP/aTuMNVn+9gljni66VRCoz3LVzkwNCG/gmudsMnz
         lcReK19VdZa21VlcSJRw66JJrOdZFl7U40UiNv+i4FyNmHrsoBwEbcJ67W+/XkL/S5wD
         Oqtg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=OpItFCcIXs5I4iw+U7cSvwWXAJ2QmFq2xqIwmiIK6zo=;
        b=p4NzyVD15m5ChMQuesU+AJmmXHJrm7n8Oe51ZGCPVR8L64B7i08Do5Tb+RRL9/uIDr
         6vPp4w030G7Jx5az3290uMrzkI+Nuv+MElz6n0QpyzqkF0cZSY6xhQid6LiNGSRtJAMn
         KriLsStQiZ891JN1/nEsocKFXO6DgCxyxUrNxGDzmLBvi4X1cDQaKx4+uALiV0+FpdlK
         vFIngPqmXqqbBP39mro33OJIJTUCIdOwiAxxWSxyhepuTaNZ/y5HRA7TF1THM68DrEgB
         WzOOIPDE28WWQ9BEPL7bGkkDmGFB1Q4WsP7p/DbWKv0hayCAYN5TASKLzndpzuHAIANk
         WM/g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=o5VkQAas;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=TwiKmmrE;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n5si3078092pfi.360.2018.04.03.17.00.16;
        Tue, 03 Apr 2018 17:00:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=o5VkQAas;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=TwiKmmrE;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755974AbeDCX7A (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 19:59:00 -0400
Received: from mail-io0-f193.google.com ([209.85.223.193]:42809 "EHLO
        mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1754363AbeDCX65 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 19:58:57 -0400
Received: by mail-io0-f193.google.com with SMTP id d5so24104122iob.9;
        Tue, 03 Apr 2018 16:58:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=OpItFCcIXs5I4iw+U7cSvwWXAJ2QmFq2xqIwmiIK6zo=;
        b=o5VkQAasWMSG3pW9XVA0A4aQoDbnkuZHTH74MBHF1TntNEB2ItEWhpBNFxeR7uN3tC
         yAEpnpM4oVvjrhBTb9muOzh+SVZlkMu4zTFtQZFHXBJiL89rbnvH03XhooSEBXRgUtzx
         iZxL7hsd0GDUP69zwQV3ABE/VaFffD7k7sg0pKeHJgHz34fjyM0/xJu0wT06khT8VQUf
         AChiW3YOrcU+zyxo0cUWwWaQRxSZmuV2HE+yQwFU+QR+YqnuDQWlT53SzScvda5YzBOm
         HmJ+ZdDQakWwa4YcCAR2tPR5sWCjOGW1r7fBK+JkiYXovd7yAPpHelwm52gojF+ZYyIA
         SGZQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=OpItFCcIXs5I4iw+U7cSvwWXAJ2QmFq2xqIwmiIK6zo=;
        b=TwiKmmrEZdmdvR2qq4KjBrxvdxGaB4rkaRJkXpJZ+f6mQe3LIZvgDa4W70FimVJ+fb
         U6UXzHf+kOuSdaJGiv3tiKF8jN4gG6E7SCUof9/SQBuIkHxqxk/u9KQubGHW57QKAgrW
         eT/Tn9BAYfnr9Cb+4JLPb43r0QP2LQio/BPhg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=OpItFCcIXs5I4iw+U7cSvwWXAJ2QmFq2xqIwmiIK6zo=;
        b=QwpmkisGgFJ6e6KHVZPAX3n8me6X6gWFGSPIolAeRwxVFKBWnBczwzG6NtdTQbvuYs
         1LlkOqjlktXX5zqyMYAhXSOFYsWaL9EBCgU3b67MfRuyKlby8x+tt9wjHrE/5pmtHDiC
         WCK+2u/8cvnNSnUa+cCgV8nc0/HCNDl3/suNJE12+vV1L1HCtXSPGowwT134Kqlwy80y
         /AMmiONN6x4MFjusp8n3zozFudvyLASX6xJuI0BMGOWb0BmXb6/GvzsMIE+GddwMG9qA
         Lst/lkyUIdVSXJMjl6JgehBJRmZ8zxsCnpvVG/yt22LTxOaI+affzsfA3wWXjYgxx/gJ
         sTKQ==
X-Gm-Message-State: ALQs6tASklxiDZtDjmVM+aPPSpe4b+JCN1gvyryF+tIvG/cfjq4PXZKJ
        5ldMKO97DwwADUs0G+9AE9SxQRqQnPro92jxA/g=
X-Received: by 10.107.111.25 with SMTP id k25mr5851142ioc.257.1522799936429;
 Tue, 03 Apr 2018 16:58:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 16:58:55 -0700 (PDT)
In-Reply-To: <11444.1522799762@warthog.procyon.org.uk>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com> <11444.1522799762@warthog.procyon.org.uk>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 16:58:55 -0700
X-Google-Sender-Auth: cyyq1T8pU33kVQr3hGhmfEyM2kY
Message-ID: <CA+55aFx8hQRdBp-7Jv=62Acy9vU53shsd09gFXiE-OYN+ynHEA@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     David Howells <dhowells@redhat.com>
Cc:     Matthew Garrett <mjg59@google.com>,
        Andrew Lutomirski <luto@kernel.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 4:56 PM, David Howells <dhowells@redhat.com> wrote:
=>
> Most users haven't even given this a moment's thought, aren't even aware of
> the issues, don't even know to ask and, for them, it makes no difference.
> They trust their distribution to deal with stuff they don't know about.

Right.

Like perhaps trusting the distribution to just enable all those
security measures _regaredless_ of whether they booted in using secure
boot or not?

See?

If lockdown breaks something, the distro would need to fix it
regardless of secure boot.

So why is the enablement dependent on it again?

I'm not arguing "lockdown shouldn't be on".

I'm arguing "lockdown being on or off has _nothing_ to do with whether
the machine was booted in EFI mode with secure boot or not".

You don't seem to get it.

                Linus