Received: by 10.213.65.68 with SMTP id h4csp177581imn;
        Tue, 3 Apr 2018 18:15:04 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49rnM7tm3ps6TI0WB393/hRitu4T/zVajnXNEoAqs/ARCX3j/9gL0SnpOTIaO889hUY3fF5
X-Received: by 2002:a17:902:7042:: with SMTP id h2-v6mr16028670plt.370.1522804504790;
        Tue, 03 Apr 2018 18:15:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522804504; cv=none;
        d=google.com; s=arc-20160816;
        b=P9SoloHpbuJW68huQSwmx5eS15hw65zwtmjf0a4iIeie2vczxN4GFM5KtzEvOCDGTO
         Bogzcm9C52EL2pO7qtEEoO5kkO5z3fdCVPtoR0mf/c9IBFvQkc2HJ//2kcXjzCyV8NaY
         gELIEwFOgX6ZC9F/Ot9wSjPXfELPCJuwq0K6G9+gTN9apv0nmP0nnXZLSuJ4SmM3pOhW
         pcMWgQeBzISty2AfegKUqFzVpI7WLffoaDGiU2DEkRkT+OX3VJfizS0ekr9rSt9MMdmR
         V1iywK9UcNgIbfbsEVXqHVzihmu16Sa9kaBBv9Cmn+37HRbLyr2w/qBD3kLaCfsF5Dg4
         QTlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=dbEktzfq/AIHSEd27EjHZ37xV4IblUBHGuJiqXz9kfU=;
        b=0Ls2cQdV2REv76h3JtcdVW36TlFRua3s/7P13VAKXCR5UM+slbaxdt9+XWwq3nvbNY
         JyS6pas7JGQOyZKD/RmYuQiZzWTGXhyr/VcqTYTeRDFvFw5omNAS3KNin8gwn/d2IIjL
         aZXe1MiAQjYR5KwnaxLEoRCcIJWik14BYMBO8FFI2BziIy7FStg4bOB8ci/nhNlcXO/o
         WS1FUldIA+XryISx3pJp42jqSvdyQBZgMl6QlxOqh/jtn8x3WZ+4io6uNYHae7dtP2w1
         4UbUVxhqj+jqKY/er8prm1TMpn/Xx8s5TPgl+ty2n3aXm1BAMqWeD91VcGfiMpE2y6aw
         n+sg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=SDjgmioN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y21si3224423pfi.195.2018.04.03.18.14.51;
        Tue, 03 Apr 2018 18:15:04 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=SDjgmioN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755155AbeDDBN1 (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 3 Apr 2018 21:13:27 -0400
Received: from mail-io0-f196.google.com ([209.85.223.196]:44685 "EHLO
        mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755130AbeDDBNW (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 3 Apr 2018 21:13:22 -0400
Received: by mail-io0-f196.google.com with SMTP id d7so24251589ioc.11
        for <linux-kernel@vger.kernel.org>; Tue, 03 Apr 2018 18:13:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=dbEktzfq/AIHSEd27EjHZ37xV4IblUBHGuJiqXz9kfU=;
        b=SDjgmioNzX+ZPi1N4B75B8brbutHkycpI6QFwWUk5qK4e+1De41l1rHg7NxTEeW0F1
         03RvMKC42JqbHdP6xPiGDfX9/gQG2DZ19HRkCUPfOtmyN7svLBy11RTBg04CUIsg9S1H
         uOvF2LnJf4BmkUVEg1evkKUdaiPrnB/XwziiSOiyFYWtJG8gKuirEXUxTC+axRo5mhZq
         PPYymk2Fih5mxlO1jBLNjSF/eQ6uB1PBKECLfIq3eZRTzkfM9vJ/3GbVodDfGk3IYff7
         w8ZY7W4rWbGBaJFqXatkOx3EaobbUdCuOH5svQe8m3pe05kSt+co69R16Yz6KNzKSeqO
         FpVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=dbEktzfq/AIHSEd27EjHZ37xV4IblUBHGuJiqXz9kfU=;
        b=Qgph2O+FcrsWLPUQ/Y81l9bjRRw5Rct8e4jekYBPZeFBnFnSlzZrN4lvV9X0DRXaR4
         SW+ROACLnnqbEQXJf+5/hcBa/TW1VkJQHSOCcSW2xHKKOOf5ffv1UopA+Kk/u6uILjYz
         JhPaTO9e8yV5TLMa09aJ6DiIrh5Pcq4t3a4Op8GIdpd/oOuc+s9ZfUxxlXk5AHTrkvqs
         j4kWCsYe+UKehgOTOlq5BvOIPVHr+7Ie+UbH8VdhIgQ3wN2/bXuad9MzuQAc5f6Rg+zZ
         OL6pPoE4M/J3QbdoGpLmaOH7FMmbn0VBYfCuwEPn6u18M21WVrcPBq54KODji34ASv7Y
         OrXA==
X-Gm-Message-State: ALQs6tBdzXui/l1+XFAWxaBQGHCZo8hFlAz/iho/1IFFwc1B+O7c3uQu
        fZlLveVdSv8DP028SJH52rso7ij7fvGeEx2IqZmeqA==
X-Received: by 10.107.11.198 with SMTP id 67mr14181146iol.43.1522804401407;
 Tue, 03 Apr 2018 18:13:21 -0700 (PDT)
MIME-Version: 1.0
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CA+55aFzG==xr2OLK8F03RH0nkUDeP6btWqepFTuHZqkPTAOWjQ@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com>
 <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
 <CA+55aFwVUmjZ+Swe9xUdDOEE+EOoaU3dh7BcrH74BOLCi8y_Kw@mail.gmail.com>
 <CACdnJuvqQQ+hidokY5GA7g-yrAs5-358it0cs+m_d4RFDMuB_w@mail.gmail.com>
 <CA+55aFwJBGCr-anrdV9N63fUH4V_QJqgr0_fJyHhH=fuqGAoog@mail.gmail.com>
 <CACdnJuvFqXGLsAv1Km3MmdssHBfuH5-C_vG3A4eq4Yuj0HhFBA@mail.gmail.com>
 <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com>
 <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com>
 <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
 <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com>
 <CACdnJuti5Riqoi1sesqPALYHq9LT87o4MFj-0Y5BZqqzJ5579g@mail.gmail.com> <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com>
In-Reply-To: <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Wed, 04 Apr 2018 01:13:10 +0000
Message-ID: <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     luto@kernel.org, David Howells <dhowells@redhat.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>, jmorris@namei.org,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-api@vger.kernel.org, Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 5:56 PM Linus Torvalds
<torvalds@linux-foundation.org>
wrote:

> On Tue, Apr 3, 2018 at 5:46 PM, Matthew Garrett <mjg59@google.com> wrote:
> >
> > The generic distros have been shipping this policy for the past 5 years.

> .. so apparently it doesn't actually break things? Why not enable it
> by default then?

Because it does break things, and the documented fix is "Disable Secure
Boot by running mokutil --disable-validation".

> And if "turn off secure boot" really is the accepted - and actuially
> used - workaround for the breakage, then

>     WHY THE HELL DIDN'T YOU START OFF BY EXPLAINING THAT IN THE FIRST
> PLACE WHEN PEOPLE ASKED WHY THE TIE-IN EXISTED?

> Sorry for shouting, but really. We have a thread of just *how* many
> email messages that asked for the explanation for this? All we got was
> incomprehensible and illogical crap explanations.

There are four cases:

Verified Boot off, lockdown off: Status quo in distro and mainline kernels
Verified Boot off, lockdown on: Perception of security improvement that's
trivially circumvented (and so bad)
Verified Boot on, lockdown off: Perception of security improvement that's
trivially circumvented (and so bad), status quo in mainline kernels
Verified Boot on, lockdown on: Security improvement, status quo in distro
kernels

Of these four options, only two make sense. The most common implementation
of Verified Boot on x86 platforms is UEFI Secure Boot, so this patchset
includes an option that (if set) results in the kernel doing the right
thing without user intervention. This makes it easy for a user to switch
between the two states that make sense by running a single command and then
following some prompts on the next reboot. The alternative would be to
provide a signed kernel that always enabled lockdown and an unsigned kernel
that didn't, which would (a) increase load on distributions and (b) force
users to both run mokutil --disable-validation and also install a different
kernel.

I'm sorry if I've appeared tetchy in this discussion - having several of my
coworkers shot has not done wonders for my mood.