From: Jann Horn
Date: Wed, 4 Apr 2018 18:23:28 +0200
Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)
To: David Howells, Alexei Starovoitov
Cc: Andy Lutomirski, Greg Kroah-Hartman, "Theodore Y. Ts'o",
    Matthew Garrett, Linus Torvalds, Ard Biesheuvel, James Morris,
    Alan Cox, Linux Kernel Mailing List, Justin Forbes, linux-man,
    joeyli, LSM List, Linux API, Kees Cook, linux-efi
In-Reply-To: <1119.1522858644@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

+ast@kernel.org

On Wed, Apr 4, 2018 at 6:17 PM, David Howells wrote:
> Andy Lutomirski wrote:
[...]
>> 3. All the bpf and tracing stuff, etc, gets changed so it only takes
>> effect when LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY is set.
>
> Uh, no. bpf, for example, can be used to modify kernel memory.

I'm pretty sure bpf isn't supposed to be able to modify arbitrary
kernel memory. AFAIU if you can use BPF to write to arbitrary kernel
memory, that's a bug; with CAP_SYS_ADMIN, you can read from userspace,
write to userspace, and read from kernelspace, but you shouldn't be
able to write to kernelspace.