Date: Wed, 4 Apr 2018 08:57:43 -0400
From: "Theodore Y. Ts'o" <tytso@thunk.org>
To: Matthew Garrett
Cc: Linus Torvalds, luto@kernel.org, David Howells, Ard Biesheuvel, jmorris@namei.org, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Message-ID: <20180404125743.GB16242@thunk.org>
List-ID: linux-kernel@vger.kernel.org

On Wed, Apr 04, 2018 at 04:30:18AM +0000, Matthew Garrett wrote:
> What I'm afraid of is this turning into a "security" feature that ends up
> being circumvented in most scenarios where it's currently deployed - eg,
> module signatures are mostly worthless in the non-lockdown case because you
> can just grab the sig_enforce symbol address and then kexec a preamble that
> flips it back to N regardless of the kernel config.

Whoa.  Why doesn't lockdown prevent kexec?  Put another way, why isn't
this a problem for people who are fearful that Linux could be used as
part of a Windows boot virus in a Secure UEFI context?

If lockdown simply included a requirement for a signed kernel for
kexec --- and if kernel signing isn't available, to simply not allow
kexec --- wouldn't that take care of this case?
This wouldn't even be all that much of a burden for non-distro users
with lockdown enabled, since in my experience outside of enterprise and
data center use cases, kexec isn't used --- and in fact, very often
kexec doesn't even work outside of a very carefully selected and
bug-fixed set of device drivers.  (It often doesn't work in non-distro
kernels because very few upstream developers really care about kexec.)

					- Ted
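The policy Ted is asking for (kexec only with a signed kernel, otherwise no kexec at all) can be audited from a kernel build configuration. The script below is an added example for this thread, not code from the mail or from the kernel tree. It parses a .config (or /proc/config.gz on a running system) and reports whether any kexec path still accepts an unsigned image. It assumes the upstream option names from Linux 5.4 onward (CONFIG_KEXEC_SIG, CONFIG_KEXEC_SIG_FORCE, CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY / _CONFIDENTIALITY); when this mail was written the signature option was CONFIG_KEXEC_VERIFY_SIG and the lockdown LSM was still out of tree. It counts lockdown only when it is forced at build time and ignores IMA appraisal of kexec images, so a kernel that turns lockdown on at boot (lockdown= on the command line, or a distro Secure Boot hook) is reported more pessimistically than it behaves; for the live state, read /sys/kernel/security/lockdown. Both sample configs are constructed for the example.

```python
"""Audit a kernel .config for whether kexec can still load an unsigned kernel.

Added example for this thread, not kernel code.  Option names are the
upstream ones from Linux 5.4 onward (assumption: in 2018 signature checking
was CONFIG_KEXEC_VERIFY_SIG and the lockdown LSM was out of tree).
"""
import gzip
import re
from typing import Dict, List, Tuple

# Constructed sample configs (not copied from any real kernel build).
# A build that forces lockdown integrity mode: kexec_load(2) is refused and
# kexec_file_load(2) must present a valid signature.
LOCKED_CONFIG = """\
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
# CONFIG_LOCK_DOWN_KERNEL_FORCE_NONE is not set
CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY=y
"""

# The non-lockdown case from the quoted mail: module signatures are forced,
# but nothing stops kexec'ing an unsigned image that flips sig_enforce.
TYPICAL_CONFIG = """\
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_SIG=y
# CONFIG_KEXEC_SIG_FORCE is not set
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
# CONFIG_SECURITY_LOCKDOWN_LSM is not set
"""

_SET = re.compile(r'^(CONFIG_\w+)=(.*)$')
_UNSET = re.compile(r'^# (CONFIG_\w+) is not set$')


def parse_config(text: str) -> Dict[str, str]:
    """Parse .config text into {option: value}; unset options map to 'n'."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = 'n'
    return opts


def audit_kexec(opts: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (unsigned_kexec_possible, reasons) for a parsed config.

    Lockdown counts only when forced at build time; a kernel that enables
    it at boot is reported pessimistically (check /sys/kernel/security/lockdown).
    """
    def y(name: str) -> bool:
        return opts.get(name) == 'y'

    locked = (y('CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY')
              or y('CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY'))
    if not (y('CONFIG_KEXEC') or y('CONFIG_KEXEC_FILE')):
        return False, ['kexec is compiled out entirely']

    reasons: List[str] = []
    # Legacy kexec_load(2) takes raw memory segments and never checks a
    # signature; only lockdown refuses it outright.
    if y('CONFIG_KEXEC') and not locked:
        reasons.append('kexec_load(2) is built in and lockdown is not forced: '
                       'it accepts arbitrary unsigned images')
    if y('CONFIG_KEXEC_FILE'):
        if not y('CONFIG_KEXEC_SIG'):
            reasons.append('kexec_file_load(2) is built without CONFIG_KEXEC_SIG: '
                           'no signature is checked at all')
        elif not (y('CONFIG_KEXEC_SIG_FORCE') or locked):
            reasons.append('CONFIG_KEXEC_SIG verifies, but neither CONFIG_KEXEC_SIG_FORCE '
                           'nor forced lockdown makes a missing or bad signature fatal')
    if reasons:
        return True, reasons
    return False, ['every kexec path requires a validly signed kernel image']


def audit_running_kernel(path: str = '/proc/config.gz') -> Tuple[bool, List[str]]:
    """Audit the running kernel; needs CONFIG_IKCONFIG_PROC for the file to exist."""
    with gzip.open(path, 'rt') as f:
        return audit_kexec(parse_config(f.read()))


if __name__ == '__main__':
    for name, cfg in (('locked', LOCKED_CONFIG), ('typical', TYPICAL_CONFIG)):
        bypass, why = audit_kexec(parse_config(cfg))
        print(f'{name}: unsigned kexec possible = {bypass}')
        for r in why:
            print('  -', r)
```

Run it as-is to compare the two constructed configs, or call audit_running_kernel() as root on a kernel built with CONFIG_IKCONFIG_PROC to audit the box you are sitting on. The "typical" config is exactly the gap Matthew describes: CONFIG_MODULE_SIG_FORCE is set, yet both kexec syscalls will happily load an unsigned image that can patch sig_enforce back to N.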