From: Andy Lutomirski
Date: Wed, 4 Apr 2018 09:39:08 -0700
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To: Matthew Garrett
Cc: "Ted Ts'o", David Howells, Linus Torvalds, Andrew Lutomirski, Ard Biesheuvel, James Morris, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, Justin Forbes, linux-man, joeyli, LSM List, Linux API, Kees Cook, linux-efi
References: <24353.1522848817@warthog.procyon.org.uk> <20180404135251.GD16242@thunk.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 9:22 AM, Matthew Garrett wrote:
> On Wed, Apr 4, 2018 at 6:52 AM Theodore Y. Ts'o wrote:
>
>> On Wed, Apr 04, 2018 at 02:33:37PM +0100, David Howells wrote:
>> > Theodore Y. Ts'o wrote:
>> >
>> > > Whoa. Why doesn't lockdown prevent kexec? Put another way, why
>> > > isn't this a problem for people who are fearful that Linux could be
>> > > used as part of a Windows boot virus in a Secure UEFI context?
>> >
>> > Lockdown mode restricts kexec to booting an authorised image (where the
>> > authorisation may be by signature or by IMA).
>
>> If that's true, then Matthew's assertion that lockdown w/o secure boot
>> is insecure goes away, no?
>
> If you don't have secure boot then an attacker with root can modify your
> bootloader or kernel, and on next boot lockdown can be silently disabled.

This has been rebutted over and over and over. Secure boot is not the
only verified boot mechanism in the world. Other, better, much more
auditable, and much simpler mechanisms have been around for a long,
long time.

>> The fact that this Verified Boot on, lockdown off causes trouble
>> points to a clear problem. Users own the hardware; they should have
>> the right to defeat secureboot if they wish to.
>
> Which is why Shim allows you to disable validation if you prove physical
> user presence.

And that's a giant hack. The actual feature should be that a user
proves physical presence and thus disables lockdown *without*
disabling verification.

--Andy