Received: by 10.213.65.68 with SMTP id h4csp148746imn;
        Tue, 3 Apr 2018 17:34:48 -0700 (PDT)
X-Google-Smtp-Source: AIpwx48MbKi1MMp5vM0eXmKeh/MGL/1Uviv+DyvlrDdYE9U5HupYtBTjLyj0EJ/QlsTPfpGWjn78
X-Received: by 2002:a17:902:7d8a:: with SMTP id a10-v6mr7852014plm.268.1522802088041;
        Tue, 03 Apr 2018 17:34:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522802088; cv=none;
        d=google.com; s=arc-20160816;
        b=lORPp604v+ZmioxVeU7PlHe2nBfAdKRf+PtlNwUHxxPToLCp0+y6wnQStI5pZcmIfb
         GalkYqgND0lFUk1CoPJJ9vwnU6UbOfcItnT/o7dwT7folJDbMOH1zfarKE85RCglMwjO
         XAtADaSUGcjsjxWg+ARvPjzCrDx90whiyhc9pYKWnqOK02l8HDyIDEVKUNOROd0SW0rw
         Rl8LHPz8zaliplugqsDwfgZrD6BbABhm5J9NHvmtnPOedZVWdThyRjddsMMEdB4tuhKp
         u8d+F+bSB4lENcwRwvnsX5GcOIbz3uBJNzK1+4hIFLlHXfCkGeOmQAcl4igQytlU2c8R
         GE5Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature:dkim-signature
         :arc-authentication-results;
        bh=zpYgGmEsN2Vq47oV+OqSynVd6mwyba2JKdt2pKmdci4=;
        b=DMCBgmrKnPeo19YRjEEwv/HLB86jJyIl3wnAKv1E6N/jRfDP/2PX5RSmDEQkCSE6d6
         Xb4v4uPJxVn0DswCArhiERsvSr2zS7MbzHqgurOPbjIS3HmzAasxzMdUwEk5TiMSE/QZ
         w/m/cB4Wthc6YUQHAuG2GtlEJmjoL1WUvjr7rtGGDsbB7QQD7R2kNgpeDkPaD3fUz4eg
         +uKlQGMm4XzU/V13IOov4jEanVMWmDbeKIT+1nslVJOY8KuYMuaMtE+lXCML2RTDWlMi
         pgq+/VfQswfMb/UuPRmMpe7v7Pt60mRWlAFwO6n5nys4m9xPQiTRwODxiK94X28NBsl8
         IVKQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=QYhK3Vbh;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=ODOQVTDB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p10si3040942pff.72.2018.04.03.17.34.33;
        Tue, 03 Apr 2018 17:34:47 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=QYhK3Vbh;
       dkim=fail header.i=@linux-foundation.org header.s=google header.b=ODOQVTDB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753355AbeDDAd0 (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 20:33:26 -0400
Received: from mail-it0-f47.google.com ([209.85.214.47]:55843 "EHLO
        mail-it0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751457AbeDDAdW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 20:33:22 -0400
Received: by mail-it0-f47.google.com with SMTP id 142-v6so25727055itl.5;
        Tue, 03 Apr 2018 17:33:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=zpYgGmEsN2Vq47oV+OqSynVd6mwyba2JKdt2pKmdci4=;
        b=QYhK3VbhHJO15oWK8jEtihCZxSi6grfY4YlRhEfkzxJ42g0Jb+db5Bx/uVlaS8K6Bs
         2FVO0VKBMioY8pLGNgJH1v9p37M0HuZYUpB560/xmfISX2F6q5CcdjhgpytcYCjGkc58
         KsRCyCy0QbsKokZFoAJ7tGpRe6Vp7gH9/jwWg2n+ytEYtUeL6xIe0Cqvry7fmj/8LCni
         gWL24QqeMJwGatS8kIvjxT/IkWh0wkDqThRPWCxraGboDQpTA8RD65EQ23LezyQKfTby
         cU01sCa8WSMJeeIbHXrsXP1sf2BgAR9gkaVOUEWhsBys7VTQDTF8XBl6ZRzMqZX2a9D7
         tcYg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=zpYgGmEsN2Vq47oV+OqSynVd6mwyba2JKdt2pKmdci4=;
        b=ODOQVTDBmYvF30is7lEoqSN1XF3JltfS7LQpSRQkG7BEqj1LLw21GcTxWpbzfZtkv4
         PHDHxhrntu+Sw880wJXzGnpHww4bRpFW2NBubvQfgJ8kuZESiirclraMFKXaHD8Y5x59
         091kjyepZ9R4VNFPlTSKj5Sn8XPKcL6ndSYvI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=zpYgGmEsN2Vq47oV+OqSynVd6mwyba2JKdt2pKmdci4=;
        b=NBAT/ReO6vJO66FfPutSUBvsbQPn5GlKIzscaaSWbGHzdmi49CtSUtsuKyW9xs/X7v
         4oCVNbqIumhYo/NcpLR8EnRsPMZ2fBlWsllnqxwpLPQYtI740igyyHjVtcgPX31f1R8w
         ALn6vBh2ZdAgEiv50gcNRZKBA0z5ptzgs+A1UBs8W5DlnhYxsTl1O6SsxlN//YK29yJx
         s+gE/myroG60LSlMRRsuFGy42/vN3muy6ki93MMBWSe5tWq2ceupR54YUr1Np1hkdCWW
         a+7PJIoP0OuASu6Y017diAvWz3p4r0OQKXhUs7QTzcY3uiHBNLc/8iQTaMVEsIOka/kc
         pjcg==
X-Gm-Message-State: ALQs6tAZkIaQGV97ilb+Mmr0Slt68IE5mc/ULzUFgCcfwDly5nPTTWuJ
        +gIj6j6CHgtEZiknlBjzuJPPZnXCvwG8IQjrCJk=
X-Received: by 2002:a24:7693:: with SMTP id z141-v6mr7176552itb.113.1522802001434;
 Tue, 03 Apr 2018 17:33:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.95.15 with HTTP; Tue, 3 Apr 2018 17:33:20 -0700 (PDT)
In-Reply-To: <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com>
 <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
 <CA+55aFwVUmjZ+Swe9xUdDOEE+EOoaU3dh7BcrH74BOLCi8y_Kw@mail.gmail.com>
 <CACdnJuvqQQ+hidokY5GA7g-yrAs5-358it0cs+m_d4RFDMuB_w@mail.gmail.com>
 <CA+55aFwJBGCr-anrdV9N63fUH4V_QJqgr0_fJyHhH=fuqGAoog@mail.gmail.com>
 <CACdnJuvFqXGLsAv1Km3MmdssHBfuH5-C_vG3A4eq4Yuj0HhFBA@mail.gmail.com>
 <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com>
 <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com> <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Tue, 3 Apr 2018 17:33:20 -0700
X-Google-Sender-Auth: qrLtW_qo9TLTN5TfsUvf0bzh_fM
Message-ID: <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Matthew Garrett <mjg59@google.com>
Cc:     Andrew Lutomirski <luto@kernel.org>,
        David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 5:25 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> Honestly, I don't think the patchset is viable at all in that case.

.. or rather, it's probably viable only for distributions that already
have reasons to only care about controlled hardware environments, ie
Chromebooks etc.

But a chome OS install wouldn't care about the whole "secure boot or
not" issue anyway, because they'd also control that side, an they
might as well just enable it unconditionally.

In contrast, the generic distros can't enable it anyway if it breaks
random hardware.  And it wouldn't be about secure boot or not, but
about the random hardware choice.

             Linus