From: Linus Torvalds
Date: Tue, 3 Apr 2018 17:33:20 -0700
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: Matthew Garrett
Cc: Andrew Lutomirski, David Howells, Ard Biesheuvel, James Morris, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 5:25 PM, Linus Torvalds wrote:
>
> Honestly, I don't think the patchset is viable at all in that case.

.. or rather, it's probably viable only for distributions that already have reasons to only care about controlled hardware environments, i.e. Chromebooks etc.

But a Chrome OS install wouldn't care about the whole "secure boot or not" issue anyway, because they'd also control that side, and they might as well just enable it unconditionally.

In contrast, the generic distros can't enable it anyway if it breaks random hardware. And it wouldn't be about secure boot or not, but about the random hardware choice.

Linus