From: Matthew Garrett
Date: Wed, 04 Apr 2018 04:31:46 +0000
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: alexei.starovoitov@gmail.com
Cc: luto@kernel.org, David Howells, Ard Biesheuvel, jmorris@namei.org, Alan Cox, Linus Torvalds, Greg Kroah-Hartman, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 3, 2018 at 7:34 PM Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:

> If the only thing that folks are paranoid about is reading
> arbitrary kernel memory with bpf_probe_read() helper
> then preferred patch would be to disable it during verification
> when in lockdown mode.
> No run-time overhead and android folks will be happy
> that lockdown doesn't break their work.
> They converted out-of-tree networking accounting
> module and corresponding user daemon to use bpf:
> https://www.linuxplumbersconf.org/2017/ocw/system/presentations/4791/original/eBPF%20cgroup%20filters%20for%20data%20usage%20accounting%20on%20Android.pdf

An alternative would be to only disable kernel reads if the kernel contains secrets that aren't supposed to be readable by root.
If the keyring is configured such that root can read everything, it seems like less of a concern?