From: Andy Lutomirski
Date: Wed, 4 Apr 2018 07:35:20 -0700
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: David Howells
Cc: Andy Lutomirski, Jann Horn, Linus Torvalds, Matthew Garrett, Ard Biesheuvel, James Morris, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
In-Reply-To: <20736.1522829117@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

I've reordered your email to make my email more coherent.

> On Apr 4, 2018, at 1:05 AM, David Howells wrote:
>
> What we *have* said is that *if* we want to pass the secure boot state across
> kexec, then we have to make sure that:

What do you even mean "pass the secure boot state across kexec"? All I can
come up with is that you want a kexeced Linux kernel to also be passed a flag
saying "I was secure booted" and to enable or disable lockdown accordingly.
Let's consider the cases:

1. First kernel is verified (secure boot or otherwise) and locked down.
   Certainly that lock down needs to enforce that the next kernel in the chain
   is locked down, otherwise lockdown gets defeated.

2. First kernel is not verified but is locked down. It still needs to enforce
   that the next kernel is verified and locked down, otherwise lockdown gets
   defeated.

3. First kernel is verified but not locked down. There's very little point in
   trying to force the next kernel to be locked down.

4. First kernel is neither verified nor locked down. There's still no point in
   trying to force the next kernel to be locked down.

Isn't the right solution to have a flag saying "force lockdown" that kexec can
pass to the child kernel? A locked down parent kernel would refuse to load an
unsigned child kernel and would always set that flag.

> Andy Lutomirski wrote:
>
>> As far as I can tell, what's really going on here is that there's a
>> significant contingent here that wants to prevent Linux from
>> chainloading something that isn't Linux.
>
> You have completely the wrong end of the stick. No one has said that or even
> implied that. You are alleging dishonesty on our part.

I'm alleging that the idea that Linux needs some particular policy to avoid
being blacklisted keeps being brought up as a justification for these patches.
And, in fact, you bring it up again right here:

> And if someone tampers with the aim of breaking, say, Windows, then someone,
> e.g. Microsoft, might blacklist the shim.

In other words, if you chainload an intentionally corrupted copy of Windows,
you get blacklisted? This sounds awfully like what I said upthread. Is this
actually a real concern? Greg seems quite convinced that it isn't.
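The four cases and the proposed "force lockdown" flag, written out as an added C model so the rule can be checked against a chain of kexecs. This is example code, not code from the lockdown patch set or from the kernel; `kernel_state`, `kexec_policy`, `child_boot`, `run_chain` and the scenario in `main` are all hypothetical/constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the kexec rule proposed in the mail above; hypothetical
 * names, not code from the lockdown patch set or the kernel. */
struct kernel_state {
    bool verified;    /* image signature was verified (secure boot or otherwise) */
    bool locked_down; /* lockdown is in effect in this kernel */
};

struct kexec_decision {
    bool allowed;        /* may the running kernel load this child image at all? */
    bool force_lockdown; /* "force lockdown" flag handed to the child if it boots */
};

struct hop {
    bool signature_ok;  /* does the child image carry a valid signature? */
    bool self_lockdown; /* would the child lock itself down by its own policy? */
};

/* Parent-side check, applied when a kexec image is loaded. Only the parent's
 * own lockdown bit matters: a locked-down parent (cases 1 and 2) refuses an
 * unsigned child and always sets the flag; an unlocked parent (cases 3 and 4)
 * imposes nothing on the child, verified or not. */
struct kexec_decision kexec_policy(struct kernel_state parent, bool child_signature_ok)
{
    struct kexec_decision d = { .allowed = true, .force_lockdown = false };
    if (parent.locked_down) {
        d.allowed = child_signature_ok;
        d.force_lockdown = true;
    }
    return d;
}

/* Child-side: the child is locked down if it inherited the flag or if its own
 * policy says so. It may tighten, but never relax, what the parent demanded. */
struct kernel_state child_boot(bool verified, bool force_lockdown, bool self_lockdown)
{
    struct kernel_state c = { .verified = verified,
                              .locked_down = force_lockdown || self_lockdown };
    return c;
}

/* Walk a chain of kexecs from `first`. Returns how many hops actually booted;
 * if `final` is non-NULL it receives the last kernel state reached (the
 * refusing parent if a hop was rejected). */
int run_chain(struct kernel_state first, const struct hop *hops, int nhops,
              struct kernel_state *final)
{
    struct kernel_state cur = first;
    int booted = 0;
    for (int i = 0; i < nhops; i++) {
        struct kexec_decision d = kexec_policy(cur, hops[i].signature_ok);
        if (!d.allowed)
            break; /* locked-down parent refused an unsigned image */
        cur = child_boot(hops[i].signature_ok, d.force_lockdown, hops[i].self_lockdown);
        booted++;
    }
    if (final)
        *final = cur;
    return booted;
}

/* Convenience: is the last kernel reached in the chain locked down? */
bool chain_ends_locked_down(struct kernel_state first, const struct hop *hops, int nhops)
{
    struct kernel_state final;
    run_chain(first, hops, nhops, &final);
    return final.locked_down;
}

int main(void)
{
    /* Constructed scenario: locked-down first kernel, then a signed child with
     * no lockdown policy of its own, then an unsigned grandchild. */
    struct kernel_state first = { .verified = true, .locked_down = true };
    struct hop chain[] = {
        { .signature_ok = true,  .self_lockdown = false },
        { .signature_ok = false, .self_lockdown = false },
    };
    struct kernel_state final;
    int booted = run_chain(first, chain, 2, &final);
    printf("hops booted: %d, last kernel locked down: %s\n",
           booted, final.locked_down ? "yes" : "no");
    return 0;
}
```

In the scenario above the signed child boots locked down purely because it inherited the flag, and the unsigned grandchild is refused by that locked-down child, so lockdown is never defeated along the chain. Note that the parent's `verified` bit never enters `kexec_policy`: the four cases collapse to "enforce iff the parent is locked down", which is the point of tying the flag to lockdown rather than to secure boot state.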