Received: by 10.213.65.68 with SMTP id h4csp934025imn; Wed, 4 Apr 2018 09:38:43 -0700 (PDT) X-Google-Smtp-Source: AIpwx497ylFxl+8/bxMwgwtJEvE3gbWRMM/OpwT5+0jzMcZeaSwp7UpvURfvV8+H0IgrDpD0uL2I X-Received: by 2002:a17:902:5609:: with SMTP id h9-v6mr19240368pli.121.1522859922981; Wed, 04 Apr 2018 09:38:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522859922; cv=none; d=google.com; s=arc-20160816; b=KwZbHDcC+CT1otoQoA1WwkCHUAPwpv4a98ywTNMn4na3rvz02lsjZTVywRXMwiT5MP Dg4tOyn2frZxrkikiGztA0vQPnklHfNfS/oj9mMuQ4JEBl+k0KETAqkgEXYCp+t1Os3U bfGSD8yOxmr3jpZF6xDZAUVcmEszzui7QhLPoqhQxkvqCIa1n+MNkpwnWjUvheo3kFwI QSDt1jjMBHO2Knea3LC7jDvLsy0bpx66V6RQOYQOjOc7zKAF/qQz5PogwtuzoEvn7jwI d4aYsO8UJRSDeXjMKJeCrZXftXT/ikkgqCJIs7dVfdv09BKOOnHnlKTZWZXSvtwki/ys FvyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dmarc-filter :arc-authentication-results; bh=6zVkRxs2Y5XAGWMiMKrg2Nlt1/UeCzc9DktbYdoD4PI=; b=eXWMobgDtFTaGYpA8PzAu20eV/FUoZ2PaVnOvHrEVoWxkQmBL/9fBkwqXbNTWC1Wl4 hLA6FoZyJbJPqWXdiyHrS1s/7RtsOJ92bHHvHBEt55mkm3EbbSbV+D6wMqnMFQRBH2da hr56c3H31MCb8eptNQkTPzjer+flnGX1SiP1icwLooEwy5TOggNIEMZSqQ9EHyKTkPex trDg3qwJYmLb2L5M5pvTQZWIXJOmORhXWEtk/ccqVHqYcBmBCps8KR+6I14qH5EdOgMU uzov+wlmKDOGy4XpcBeV54jQNguedwFmUQ2Gg4iihsKZXbDsMcEnqUfL/0k/eYoZxUT3 McdA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y62si3871024pgb.728.2018.04.04.09.38.27; Wed, 04 Apr 2018 09:38:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752276AbeDDQhP (ORCPT + 99 others); Wed, 4 Apr 2018 12:37:15 -0400 Received: from mail.kernel.org ([198.145.29.99]:54144 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752012AbeDDQhM (ORCPT ); Wed, 4 Apr 2018 12:37:12 -0400 Received: from mail-io0-f171.google.com (mail-io0-f171.google.com [209.85.223.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A8FC921834 for ; Wed, 4 Apr 2018 16:37:11 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org A8FC921834 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=luto@kernel.org Received: by mail-io0-f171.google.com with SMTP id p139so3061448iod.0 for ; Wed, 04 Apr 2018 09:37:11 -0700 (PDT) X-Gm-Message-State: ALQs6tBbspv+mUXkro8xxIpb+itXLrY4fepHeTRSVYN6YDfSdtg2qT2U qukAd2jVDrqQgLX4ESAEXA7fXkH3CfiF1CvflwpyZw== X-Received: by 10.107.20.213 with SMTP id 204mr17608374iou.239.1522859830754; Wed, 04 Apr 2018 09:37:10 -0700 (PDT) MIME-Version: 1.0 Received: by 10.2.137.70 with HTTP; Wed, 4 Apr 2018 09:36:50 -0700 (PDT) In-Reply-To: <1119.1522858644@warthog.procyon.org.uk> References: <1119.1522858644@warthog.procyon.org.uk> From: Andy Lutomirski Date: Wed, 4 Apr 2018 09:36:50 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot) To: David Howells Cc: Andy Lutomirski , Greg Kroah-Hartman , "Theodore Y. Ts'o" , Matthew Garrett , Linus Torvalds , Ard Biesheuvel , James Morris , Alan Cox , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 4, 2018 at 9:17 AM, David Howells wrote: > Andy Lutomirski wrote: > >> Since this thread has devolved horribly, I'm going to propose a solution. >> >> 1. Split the "lockdown" state into three levels: (please don't >> bikeshed about the names right now.) >> >> LOCKDOWN_NONE: normal behavior >> >> LOCKDOWN_PROTECT_INTEGREITY: kernel tries to keep root from writing to >> kernel memory >> >> LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY: kernel tries to keep root from >> reading or writing kernel memory. > > In theory, it's good idea, but in practice it's not as easy to implement as I > think you think. [...] so do your best. The whole lockdown patchset is a best-effort thing, not a "we did it and it's done" thing. > Note that /dev/mem can be used to access MMIO devices (I'm not sure about > /dev/kmem, though). Even reads through /dev/mem can do this. I'm not sure > whether that's sufficient to actually affect a modification, though. So turn it off in both modes. /dev/mem is basically obsolete anyway. Or restrict it to actual memory, or whatever. > >> 2. The kexec protocol gets a new flag min_lockdown_level. A kexeced >> kernel will boot with at least that lockdown level regardless of its >> configuration. kexec sets min_lockdown_level to the running kernels' >> lockdown_level. Some future API could allow kexec with a higher >> min_lockdown_level. An even fancier future API could allow a >> LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY kernel to kexec with >> min_lockdown_level == LOCKDOWN_PROTECT_INTEGRITY if there's some >> mechanism that guarantees that memory gets zeroed in the process. > > Note that on x86 we already have an allocated flag for passing the secure boot > flag from kexec/bootloader to the kernel being booted, and what you're > proposing ought to be redundant. See boot_params::secure_boot. Incorrect. Linus is rejecting the idea that secure boot implies lockdown. I strongly agree with him. I also think that trying to make security decisions in a kexeced kernel based on whether the previous kernel was secure booted is a bad idea, so I'm suggesting a new feature. I don't really care what value is passed in boot_params::secure_boot for a kexeced kernel, but I think it should not be used for lockdown. So I stand by my proposal. > >> 3. All the bpf and tracing stuf, etc, gets changed so it only takes >> effect when LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY is set. > > Uh, no. bpf, for example, can be used to modify kernel memory. Really? If that is, in fact, true, then turn *that* feature off when LOCKDOWN_PROTECT_INTEGRITY is set. >> This removes a giant annoyance on distro kernels that are likely to want to >> enable LOCKDOWN_PROTECT_INTEGRITY. > > *shrug* Distros have been running with the full set for a while. I haven't > seen many complaints. As Linus noted, that's because a lot of users who care have already turned off secure boot. Once this whole thing gets sorted out, the hackish dependence of lockdown and secure boot can go away, so it's time to think about making lockdown less annoying. > >> If you load a key into the kernel, and you want to keep that key safe, you >> can enable LOCKDOWN_PROTECT_INTEGRITY_AND_SECRECY at that time. After all, >> if root is compromised before that, root can just remember a copu of the key >> in user memory or email it to someone. > > If your key needs to be truly protected, it should never be seen unencrypted > in userspace, rather it should be decrypted in the TPM and then retained in > kernel memory only. You keep making claims like this with no justification whatsoever. > >> ... >> 6. There's a way to *decrease* the lockdown level below the configured >> value. (This ability itself may be gated by a config option.) >> Choices include a UEFI protected variable, > > By turning secure boot off, maybe? No. > >> an authenticated flag passed by the bootloader, > > Authenticated how? How do you stop the running system from passing this to > the bootloader next time it is run? I guess you're thinking of a bootloader > "command" that can only be passed by someone sat at a keyboard and never read > from the config file. What I meant was some channel that the bootloader can use to securely communicate options to the running kernel. The concept of "secure" here is obviously debatable. Something in boot_params would work. Some specially namespaced command line option could work. Some whole new "authenticated data from bootloader" block could work. > >> and even just some special flag in the boot handoff protocol. > > We already have that with secure boot. No. That has been rejected over and over in this thread. I'm proposing an alternative here. > >> 7. kexec does not attempt to think about "secure boot" at all. >> They're totally separate. > > Except that they're not. The boot_params flag must be set to something by > kexec on x86 for transfer along the chain. How about setting it unconditionally to false? >> What do you all think? I think that this checks basically all the >> boxes, is a lot more user friendly than the current patchset or what >> distros do, and actually makes some sense from a security perspective. > > You haven't really defined well what's allowed in _INTEGRITY mode verses > _SECRECY mode. _INTEGRITY means "make a best effort to keep root from writing kernel memory, talking directly to non-IOMMU-protected devices, writing MSRs, or otherwise corrupting state". _INTEGRITY_AND_SECRECY means "do all that and also make a best effort to keep root from reading kernel memory".