Received: by 10.213.65.68 with SMTP id h4csp808218imn;
        Wed, 4 Apr 2018 07:37:38 -0700 (PDT)
X-Google-Smtp-Source: AIpwx49wmQYIB9YZKGnS4eJwdhGtVVxbX/MyPXzVCUBXjFQVC0bKKwE3CygjcZ1vjMBxA75mlTgb
X-Received: by 10.99.126.92 with SMTP id o28mr2235506pgn.50.1522852658725;
        Wed, 04 Apr 2018 07:37:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522852658; cv=none;
        d=google.com; s=arc-20160816;
        b=G4tWRDyWHE27m1LHTbc9WyfmRZ7tUNsITLMZjgIC6FHf13PwaDGTxXXfR72r5YiRks
         jKlOgIGYwcVyTcaDFL1xygjR7LvqXDsdZDXWMPB3Fz5I1U5c8mCSUfx/YMJtt9GeW4N6
         +t20CkKKVk5gfPPXzRP3dgtWFSTIxnwGSwvbRket9I7WWRkjtmqd4Dt1ssC+FSoPsOav
         B1pH44Ny/1/wnb6x6GzgJ92NBk/5gRw+mFj7UstVCNwz3sigp2gyV218DKHuxAP9cpDQ
         D0ZYTGpkzmuvVwdK3GC3CIti5+zbRhRVPw0l+kkcDCSyGK2z0FVGwMbvPG34oyOV0ES4
         dgvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=9gf2YKMTqTO5UFPJ6VOF98XiPNso8BhGN/R6e2xICjk=;
        b=eqNBoWagv8dbmliMZPzaZDr20lXKXiCQwzogsAi6kh7aMo0mUviGyut55Kv171FxCo
         zdrxujQ4a/mFx2pIz4PLp559pf+pfvRjrnEF1hfkPzawzKRNIrv/g/FyajF9AhbBDi4W
         U+ckJzzVlzmBHsrjarQFHbgncmV8YLKF5mQjOW9ZxLuhuxaw72xpsMF7n0Cz22f+hPNL
         jSlC6Nx3W4YgnU6pXAiFYCn1/phhaKr32v3BKZoZu3yaJ6VhHvOIZ9wT6t+wc/FcEnT1
         hY8EqCWdpayML9YapMfHhPXkYNlrAVwCUo8ibEWzSt9FoEKFaz23AQ45nzScldpv1rUH
         33jQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=dtwELxtt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q7-v6si1146714plk.129.2018.04.04.07.37.23;
        Wed, 04 Apr 2018 07:37:38 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amacapital-net.20150623.gappssmtp.com header.s=20150623 header.b=dtwELxtt;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751426AbeDDOfp (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Wed, 4 Apr 2018 10:35:45 -0400
Received: from mail-it0-f68.google.com ([209.85.214.68]:55766 "EHLO
        mail-it0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751167AbeDDOfl (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Apr 2018 10:35:41 -0400
Received: by mail-it0-f68.google.com with SMTP id 142-v6so28410265itl.5
        for <linux-kernel@vger.kernel.org>; Wed, 04 Apr 2018 07:35:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=amacapital-net.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=9gf2YKMTqTO5UFPJ6VOF98XiPNso8BhGN/R6e2xICjk=;
        b=dtwELxttnoHiYPMW/p59fJ9t6rA5m0A7gvr3GDLN1cqIdV5L86581+cFB7NV9TUmMx
         qN85jGxv2LpYpMwKwdRh5C2g9mWTwtblA3Hw/5OZ5Z/2MLVgWQKLTouqwEl0bkSmpCSf
         w6ylf6fbxlT0ZJ5aJeZXmsoaSvH7U7cGU3BhxpXocxyjfPlQNtnhPXF+0j70hHhr1SH/
         SuWmRyRmSJTsOhSzsSA3/RS2H+Mj68pz/3dqMT9ECiaoCOIWfFdrbdVy+n7Ewnv5e/X3
         Q8mJdXRFv24cL9HO2q4+9rOEZ1Yogqf8/5DgDgNIw5TMtcY3wP0PlZO81JX4+Iwj2l5z
         I8NQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=9gf2YKMTqTO5UFPJ6VOF98XiPNso8BhGN/R6e2xICjk=;
        b=Foa0FmknWiL79L/AYV0UCVSebbdxnFgj5rPNG2BMiKFD8E/ZXsgHAYm2on5XGpuwaP
         rRCNAAieZOWO3Lr5dsQKvTTr/0l6ba6denHtKBaFhRPZjv8xHflbNVMMmVe73zBm4rWx
         5Uhdia6hsIL3KbK0C+QyDaQdPvIzCAm4M1MK8o9U5T7U7d0tHG9xou2cyRu1Pf9RdH0C
         Slp1EUc1FWlUSCtCbHkwcLBRop5YBfMGWtGpMxG/dZTNXJ/suon78fGx1XeHZ2g76b2Z
         w1kNQ88qml/Z9zNhQ3SqTZOXGx1Ycy/J+suefQWdmCuvJwtoXNBSSevBiR0LK43iYq9i
         eceg==
X-Gm-Message-State: AElRT7FT6hfYZGFzmeLWC3DuZ7AhoNWfOcZsvv+AUN7WfJRHWWqbNsrz
        Zopnxx2xqZJbAsyB81Qkt/bEqksAEzyygfYun4b48A==
X-Received: by 2002:a24:530f:: with SMTP id n15-v6mr9231197itb.123.1522852541043;
 Wed, 04 Apr 2018 07:35:41 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.2.137.70 with HTTP; Wed, 4 Apr 2018 07:35:20 -0700 (PDT)
In-Reply-To: <20736.1522829117@warthog.procyon.org.uk>
References: <4136.1522452584@warthog.procyon.org.uk> <alpine.LRH.2.21.1803311145180.7769@namei.org>
 <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk>
 <CALCETrUFOdrH5ShCCd8yguGjC2NtG8fJY7AW26HH467-02UVGA@mail.gmail.com>
 <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
 <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com>
 <9758.1522775763@warthog.procyon.org.uk> <CALCETrWHS9p1My=j07=V=OP7v4SwQkW-kJ3JOx6EbPU8fb_XEQ@mail.gmail.com>
 <13189.1522784944@warthog.procyon.org.uk> <CALCETrX4CuHVpn38R24TCcJgCBLSbh-sOD-qcD5kYF8Zo53ZJw@mail.gmail.com>
 <9349.1522794769@warthog.procyon.org.uk> <CALCETrV6E+r942K+fu-ALNf-x6qOZ3o1hNKGeu7qEMvr8sMP9A@mail.gmail.com>
 <CA+55aFxKzxdRZthzaokaGPAsWCp3a-p3aVfJSutF+9Fp9sbaVA@mail.gmail.com>
 <CACdnJusSfwULV-ubvgtYd8G_cTF4LnJ4DAeTCux4XRhHKVpBUw@mail.gmail.com>
 <CACdnJuv_=ihPut=5OvCYEphdBOn7+JrKacBbNa0n3wv_JvFMzg@mail.gmail.com>
 <CA+55aFyWNok1K-Jo3TQAXGXHvFOTvuOb-Hw977B9RGjBa7prrg@mail.gmail.com>
 <CACdnJutZFKX+izBxRYbyxefT5KrKhVV0XsymU=vBhywd+TOE3A@mail.gmail.com>
 <CA+55aFwVUmjZ+Swe9xUdDOEE+EOoaU3dh7BcrH74BOLCi8y_Kw@mail.gmail.com>
 <CACdnJuvqQQ+hidokY5GA7g-yrAs5-358it0cs+m_d4RFDMuB_w@mail.gmail.com>
 <CA+55aFwJBGCr-anrdV9N63fUH4V_QJqgr0_fJyHhH=fuqGAoog@mail.gmail.com>
 <CAG48ez1MRsDGoea5MwGTXK6R0LJy9u0mX-1VrSSskwnV98kEjQ@mail.gmail.com>
 <CALCETrXZWU1MC8LbLCg7VTVHMqKpXh51amnTjKePRCJ31jRiwg@mail.gmail.com> <20736.1522829117@warthog.procyon.org.uk>
From:   Andy Lutomirski <luto@amacapital.net>
Date:   Wed, 4 Apr 2018 07:35:20 -0700
Message-ID: <CALCETrUaKOG1q43W=UBPue5TAL61zzwzgr8QeH3Yh6KsMUA2aQ@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     David Howells <dhowells@redhat.com>
Cc:     Andy Lutomirski <luto@kernel.org>, Jann Horn <jannh@google.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Matthew Garrett <mjg59@google.com>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Justin Forbes <jforbes@redhat.com>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I've reordered your email to make my email more coherent.

> On Apr 4, 2018, at 1:05 AM, David Howells <dhowells@redhat.com> wrote:
>

>
> What we *have* said is that *if* we want to pass the secure boot state across
> kexec, then we have to make sure that:
>

What do you even mean "pass the secure boot state across kexec"?  All
I can come up with is that you want a kexeced Linux kernel to also be
passed a flag saying "I was secure booted" and to enable or disable
lockdown accordingly.  Let's consider the cases:

1. First kernel is verified (secure boot or otherwise) and locked
down.  Certainly that lock down needs to enforce that the next kernel
in the chain is locked down, otherwise lockdown gets defeated.

2. First kernel is not verified but is locked down.  It still needs to
enforce that the next kernel is verified and locked down, otherwise
lockdown gets defeated.

3. First kernel is verified but not locked down.  There's very little
point in trying to force the next kernel to be locked down.

4. First kernel is neither verified nor locked down.  There's still no
point in trying to force the next kernel to be locked down.

Isn't the right solution to have a flag saying "force lockdown" that
kexec can pass to the child kernel?  A locked down parent kernel would
refuse to load an unsigned child kernel and would always set that
flag.

> Andy Lutomirski <luto@kernel.org> wrote:
>
>> As far as I can tell, what's really going on here is that there's a
>> significant contingent here that wants to prevent Linux from
>> chainloading something that isn't Linux.
>
> You have completely the wrong end of the stick.  No one has said that or even
> implied that.  You are alleging dishonesty on our part.

I'm alleging that the idea that Linux seems some particular policy to
avoid being blacklisted keeps being brought up as a justification for
these patches.  And, in fact, you bring it up again right here:

>
> And if someone tampers with the aim of breaking, say, Windows, then someone,
> e.g.  Microsoft, might blacklist the shim.

In other words, if you chainload an intentionally corrupted copy of
Windows, you get blacklisted?  This sounds awfully like what I said
upthread.  Is this actually a real concern?  Greg seems quite
convinced that it isn't.