Received: by 10.213.65.68 with SMTP id h4csp905376imn; Wed, 4 Apr 2018 09:11:05 -0700 (PDT) X-Google-Smtp-Source: AIpwx48xWuEPV5y9EbQ60J6dksMQIcHPARmSYml+28z40vBaHKk8vTJuGoA38dRoeOhtUL51z8tr X-Received: by 2002:a17:902:7045:: with SMTP id h5-v6mr19222816plt.1.1522858265675; Wed, 04 Apr 2018 09:11:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522858265; cv=none; d=google.com; s=arc-20160816; b=FYhdx72e731S/dkMcDrpgZlokgNu/NixArgnubjN9/P/mYfHhbbYgFcQ46T+2Et89w qhY3ZgLlmbG/cswqC4Ng/qreaMrxWUF2kA03qkq6VHWLX2fhLfUgOSvrEI4EGd3dMBfR 7URhdECqWEPo6NfCcse9BIUem9nOzEwsDwyGLpK9nCh+qe65MDU68N91OeP/34kNmFix nCyeXqoYZkf4QkQrRFRhJs4C7uBLh0RuN66xzRsujt4NBnUjj+wwG7enkiY9iAcqAM0M k3GAKn6g4blaprItp1Fz3kmTVtIHYxto/+9Q3VN60gumihIUNy+kNHdp7PCp/jxfm3CM yLRQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=PBZJ/p0Az4yxgiBHc0r4AP7tPlXcB6wNrTPxabzq4JI=; b=wOOvj3i6giap+UDS5upUvi9/H04Kvw+hwUjWPX+aXXPkJiRuvckP2iNu6WmJ6VeOgi WCIqlcwWJh8SDwF3E/HBWUUeITvAk8c4j4u4+sZHasE2aaG7XLVj9ZhNOBruBR7irp6r owdSkU/SC5SuT0fD2ceC4c++Dw8PbM8/0QxTbjqH9N3RfIr9qv1XhMZjHRnuxIJDfr35 vrhAOjK8WXilJlLmRVB1fY31f8yYKhmjyLKXXkSA4qwLnYDO3m52OvrcA/fnWO3ock6d cNqm2IV54Ozc8XE+U4pUYSaNfxALW8dmGGtPeOIxzVKo5NVzIC+9PUiM6O1Mi19qk0m9 Nf5A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=IZSW6Uyp; dkim=fail header.i=@linux-foundation.org header.s=google header.b=PJ1jUiCI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k76si4392540pfb.146.2018.04.04.09.10.51; Wed, 04 Apr 2018 09:11:05 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=IZSW6Uyp; dkim=fail header.i=@linux-foundation.org header.s=google header.b=PJ1jUiCI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752100AbeDDQJJ (ORCPT + 99 others); Wed, 4 Apr 2018 12:09:09 -0400 Received: from mail-io0-f193.google.com ([209.85.223.193]:40474 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751648AbeDDQJF (ORCPT ); Wed, 4 Apr 2018 12:09:05 -0400 Received: by mail-io0-f193.google.com with SMTP id e79so26999823ioi.7; Wed, 04 Apr 2018 09:09:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=PBZJ/p0Az4yxgiBHc0r4AP7tPlXcB6wNrTPxabzq4JI=; b=IZSW6UypcUfo1n7lFULowpDw4ixn8giFZ9r9+7hiMXJkT7E7HKEWDMJ7+HwQ90DfBP iv6wD0aEYVTzqJ16Md0P2sAwDjr9eZM9Y01o6Nz7Voe96+eoYaVcn7U2GxqE8kynMVy0 xdNpAj+cu9+XXFdSrPdEn52MTUrxiK5lrUTS9YYApP5XAxjkW+R4ANBnZabPVqKhIqhQ umBHfZHDUoQRVyWDKCk3xRMx1OCn1xhDY/pYZ8gOdkbtZ6P28MUb7pq9ip6TuTgjuMS1 DyvFmy2M6g9mmrbw5yRg3VgeDF3d5aOny7ONO6t717Z2vu5e+ZZ+EJ5uYYoVGCaeE7c5 yVBQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=PBZJ/p0Az4yxgiBHc0r4AP7tPlXcB6wNrTPxabzq4JI=; b=PJ1jUiCIBHRjyAXptf05bdFNGcYTkps2u2xqKxBxesg3M9/UqU4axuD7NicvOl37ev o+9phXPuGAqLGyuFnSUmHV8O/BA4OrhPg+iAHN3BHtL2VxNrjmTyzdmKHvxRAbqLNcew OoW1AcCdG5AWAvma5DL+haJ4EvBDaNM4IDt2k= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=PBZJ/p0Az4yxgiBHc0r4AP7tPlXcB6wNrTPxabzq4JI=; b=oCNY3ckH8UO22N4gHbz/oCcIpoFbTavLTNep4CnXBH2g5urAGPWoSpHXFusluPwDfk QtWRWhA7LWHz+Gwub/wv3FFmBytHT9KM3o4S64070HLjcTEodbZTX+GXjbI5zC1UGlTI Th3u7JAPpysKhx+7IWUh55DxbrWSuYyq5eZAauilAhVjGkSfXCF4MmOP4ryB2rmEI1jw mB9BvRMz0FRu6gZXAdP6NTB5xNnzrNE6/JES1nWSqoNo6er5ZDUTetm2bB+dPVH9OtET oXr8fqis/AclnChGN1qv5GuHiSHo+IsL6f4O1AmM1vuLZRdsykcXfB0/ibZqPHNTSjtY Yy7Q== X-Gm-Message-State: ALQs6tCo9dchH0kYaUTUsdy//T3uzx2BdeqAXe4JLLUkBq24Ob/cQ7Zb Wu9tJ/RnqbE/gK26v+k783W+1I/lzBPjElXjZ1g= X-Received: by 10.107.12.201 with SMTP id 70mr17076362iom.48.1522858144723; Wed, 04 Apr 2018 09:09:04 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.95.15 with HTTP; Wed, 4 Apr 2018 09:09:03 -0700 (PDT) In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> From: Linus Torvalds Date: Wed, 4 Apr 2018 09:09:03 -0700 X-Google-Sender-Auth: vnhh4rGelS2UOA47X8MDX8jg0VU Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Matthew Garrett Cc: Andrew Lutomirski , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Apr 3, 2018 at 9:30 PM, Matthew Garrett wrote: > > Bear in mind that I'm talking about defaults here Mattyhew, I really want you to look yourself in the mirror. Those defaults are really horrible defautls for real technical reasons. You asked me why when I questioned this, but then when I replied, you entirely ignored it. So let me repeat: the defaults are *horrible*. They are horrible for a very simple reason: kernel behavior changes that depend on some subtle boot difference are truly nasty to debug, and nasty to get coverage for. And this "subtle boot difference" is really bad because it's a difference that has a particularly bad pattern: pretty much not a single mainline kernel developer will have secure boot enabled, exactly because it's so inconvenient for testing. So what does that mean? It means that the default is *actively* bad for kernel development. It means that the people who do kernel development will not be testing the behavior that "normal" users will actually see. If you do not see why that is a HORRIBLY BAD THING, I don't know what to say. Seriously. It's a nasty nasty default behavior. It's absolutely disastrously wrong. And then when people call you out on this bad linkage of this feature with secure boot, you spent a *LOT* of time being dishonest about it. Instead of answeing a simple technical question, you did just about everything you could to avoid answering it. You initially turned the question back into a "Why would you want to?" rather than just answering. Then you spent a whole lot of time coming up with completely wrong excuses that had no actual technical reason for them. And even now, you're trying to ignore the question, and the REASON for the question. See above: the default is really horrendously bad, and is just about the *worst* default you could ever pick from a kernel development angle. So when a kernel developer - both me and Andy - ask you about the reason for that HORRIBLY BAD default, then you had better stop dancing around the issue, and be honesy. Instead, you bring up complete red herrings: > If a user has a configuration where you're able to verify that userspace > has some degree of protection (eg, disk encryption keys are in the TPM and > won't unseal if someone's switched out the kernel) then it's reasonable for > userland (or a kernel command line option) to enable the functionality. This line of arguyment of yours ends up STILL being complete and utter garbage. There is not a single shred of evidence that there is some kind of "reasonable to enable the functionality" based on completely unrelated matters. See above on why such stupid linkages are a bad bad idea. Absolutely *ANY* time you make that decision silently for a user, you will just be doing the wrong thing. You will do the wrong thing for security, but equally importantly, you will be doing the wrong thing just for *development* and *test coverage*. > What I'm afraid of is this turning into a "security" feature that ends up > being circumvented in most scenarios where it's currently deployed - eg, > module signatures are mostly worthless in the non-lockdown case because you > can just grab the sig_enforce symbol address and then kexec a preamble that > flips it back to N regardless of the kernel config. Honestyly, all of your arguments are made up shit. This argument, for example, is just a complete red herring. Do you want to protect against somebody flipping "sig_enforce"? Makes perfect sense to me. Then WHY is that not just a config option for extra hardening? Seriously. I'd use it. I have never *ever* felt the need to switch "sig_enforce" off, and I always build with MODULE_SIG_FORCE and MODULE_SIG_ALL. Getting rid of that switch entirely for security reasons sounds just _fine_ to me. So you use these *stupid* things as "arguments" for why you think you want to do something. But you're putting the cart before the horse: you have a particular end result you want to get to, and then you make up arguments for why you want to get there. Seriously, go back to that coverage and testing issue. Go back to the *fundamental* technical issue that we want kernel developers to actually *test* the code that users are running. *Gasp*. Yeah, I know, it's a completely radical idea, but it's true. Having developers test and run the code actual real humans are using is a truly revolutionary concept in security too. > I'm making this argument from the perspective of "What should the kernel do > when it has no additional information". And I'm telling you that you're ignoring the fact that you picked a truly horrendously shitty default. And then you spent a *lot* of time giving misleading and bad information about why you picked that shitty default, and instead just questioning the people who asked you an actual and really simply technical question. Linus