Received: by 10.213.65.68 with SMTP id h4csp943577imn;
        Wed, 4 Apr 2018 09:49:10 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4+hU1v907+zRJrdtDsUWmoGkhaiCmeT5arBucFwe2gY63UPSXgapAWEPK/UJUZCbgK+L0NP
X-Received: by 10.99.163.9 with SMTP id s9mr12487426pge.187.1522860550542;
        Wed, 04 Apr 2018 09:49:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522860550; cv=none;
        d=google.com; s=arc-20160816;
        b=bXTF7PQH2n3963uwWq0flaC3cUAA10fPMGsN0mXB8gj5lZWfLX7KTSzSgT9Yx4ygTS
         MmDrORGVxIEpfXPbnYwF5Sl/I6eda9SnESV1RoyF31nPa4WzFM9VdQU9f4VBjNPcyArw
         JIeJINBvcDM1kZPNjSg1ZmxbzMNLElvedK7avVjVzFZfrwH6OW/LNMw+zh7RsN0gE3m2
         z2eJoItY9iRFGCyjdOAwwdOhpf0NDBIvmghoLiV+80/LfyyG7b8ErzBhKsC+3Tyxj8xt
         FNpFOYs05G/o9nIC6ixoydzbqW2sAkRxVzoEeq9nsekn+5MqHlnx1J/3c8bM3GNaqrL9
         Is9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:arc-authentication-results;
        bh=wU2lkAnaAJ5O08V3xIJoGeiHYmBkKhzC94uKfsKfNyU=;
        b=m9NuITeGBcj2qetUO6b8Qgv9IetgNq55IfUpa4xXsKC16+wT2OC1OPt3OhWfGT+AS6
         5O4B+tEq+ZNgwl6Y2hDmjAk2aedEOfpunhGzTmOF0tAS0VQ45GOnjk4p/fvcEti1wRKR
         JLYQPtfexELcFwxvsBf9Bs4TjgYBdShW3uH4PsAkruPhIqlXZmJL+NJkqozn3QFkgw1W
         /ycdByQu3Hnxq0ug+h4V/L2s2hWYnWQLb/+IkkTg9yaZ0uHCszsFetyYhnaLg3eM1Uy4
         tYNpY2mezOxmqSstp8/vAVn3xbBYpSzJVehtPYlceB0Fr5SVW5Ms6JdSCI6n0BDaIiAA
         ItWA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y11-v6si3420348plg.154.2018.04.04.09.48.56;
        Wed, 04 Apr 2018 09:49:10 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752517AbeDDQqe (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Wed, 4 Apr 2018 12:46:34 -0400
Received: from mail-ot0-f195.google.com ([74.125.82.195]:38496 "EHLO
        mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752121AbeDDQqc (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Apr 2018 12:46:32 -0400
Received: by mail-ot0-f195.google.com with SMTP id o9-v6so24076692otj.5
        for <linux-kernel@vger.kernel.org>; Wed, 04 Apr 2018 09:46:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=wU2lkAnaAJ5O08V3xIJoGeiHYmBkKhzC94uKfsKfNyU=;
        b=CXp/a0hGUH91ZVAS27GHrNqX/ko8d8JscSm2k4Ug6jttXkGzkhA8OstsSgND61FLAj
         AFonvuPs6tIthYRcU1r94SUmyhP4Ic7yiQPCANjsQgC0UUJaIObVOCM/jOlSF0H2NahA
         OUInDSN0IJEoW8W/s0KWC2p6JsM64AXPBT5J7mAGTKTg3c7ZecVtUQbX07RbHSyqz3E4
         UIwi7TtNUAJTBRCYk+/jT2645IvCt8ohdOJXV+Hl1ndV8KgSrEvQ1IpfcKc7rlcOw5Si
         f4rPEBllc+ie9grJVPJcv2p0pbiZYlry/aGmw06J7Rsp5COKcqGxXo199Xq+yvr2vDGZ
         r8Ww==
X-Gm-Message-State: ALQs6tCk4DrO5ewcBi/JU5WbuZtKndWSdpcM7YoxZ2EHtR/VeH/g0yDA
        VwmnwXEjDYmYz0iW+Gs9dgTIB7LwAzzQOvUr7l8Nkg==
X-Received: by 2002:a9d:61ca:: with SMTP id h10-v6mr10860099otk.6.1522860391557;
 Wed, 04 Apr 2018 09:46:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.65.9 with HTTP; Wed, 4 Apr 2018 09:46:31 -0700 (PDT)
In-Reply-To: <CALCETrXwp1faWnqRJ5iLeo6bOOrRS_-L74_xnRAN1Md1YZW8Tg@mail.gmail.com>
References: <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com>
 <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com>
 <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
 <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com>
 <CACdnJuti5Riqoi1sesqPALYHq9LT87o4MFj-0Y5BZqqzJ5579g@mail.gmail.com>
 <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com>
 <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com>
 <CA+55aFxgrh5eeG9MRSEsJtyL5yTe0TehZ=BS2josGJaLxoMMBQ@mail.gmail.com>
 <CACdnJutuBaE3RaDx0KM5vDF9Sinrp=3tG9csrS-H3eU-J7-Utw@mail.gmail.com>
 <24353.1522848817@warthog.procyon.org.uk> <20180404135251.GD16242@thunk.org>
 <CACdnJuuGRRUt-a3i89o906ka3RDOhs+_7tz_G8LTG8Jc0DXAyQ@mail.gmail.com> <CALCETrXwp1faWnqRJ5iLeo6bOOrRS_-L74_xnRAN1Md1YZW8Tg@mail.gmail.com>
From:   Justin Forbes <jforbes@redhat.com>
Date:   Wed, 4 Apr 2018 11:46:31 -0500
Message-ID: <CAFbkSA1BT6Ca7ZtcjvCubvtke07ctgMQVo25fcWY4ZTRLKw0pA@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Andy Lutomirski <luto@kernel.org>
Cc:     Matthew Garrett <mjg59@google.com>, "Ted Ts'o" <tytso@mit.edu>,
        David Howells <dhowells@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        James Morris <jmorris@namei.org>,
        Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux API <linux-api@vger.kernel.org>,
        Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 11:39 AM, Andy Lutomirski <luto@kernel.org> wrote:
> On Wed, Apr 4, 2018 at 9:22 AM, Matthew Garrett <mjg59@google.com> wrote:
>> On Wed, Apr 4, 2018 at 6:52 AM Theodore Y. Ts'o <tytso@mit.edu> wrote:
>>
>>> On Wed, Apr 04, 2018 at 02:33:37PM +0100, David Howells wrote:
>>> > Theodore Y. Ts'o <tytso@mit.edu> wrote:
>>> >
>>> > > Whoa.  Why doesn't lockdown prevent kexec?  Put another away, why
>>> > > isn't this a problem for people who are fearful that Linux could be
>>> > > used as part of a Windows boot virus in a Secure UEFI context?
>>> >
>>> > Lockdown mode restricts kexec to booting an authorised image (where the
>>> > authorisation may be by signature or by IMA).
>>
>>> If that's true, then Matthew's assertion that lockdown w/o secure boot
>>> is insecure goes away, no?
>>
>> If you don't have secure boot then an attacker with root can modify your
>> bootloader or kernel, and on next boot lockdown can be silently disabled.
>
> This has been rebutted over and over and over.  Secure boot is not the
> only verified boot mechanism in the world.  Other, better, much more
> auditable, and much simpler mechanisms have been around for a long,
> long time.
>
That is certainly the case, and one of the main reasons for the
secureboot patchset being split out and lockdown taking a different
name. The problem is, right now, secure boot is the only thing using
lockdown. I certainly wouldn't go through any effort to tie into it
with any other mechanism knowing that this patch set has been delayed
upstream for years. I would hope and expect that once lockdown is in
mainline, other verified boot mechanisms would leverage it as well.

>>> The fact that this Verified Boot on, lockdown off causes trouble
>>> points to a clear problem.   User owns the hardware they should have
>>> the right to defeat secureboot if they wish to.
>>
>> Which is why Shim allows you to disable validation if you prove physical
>> user presence.
>
> And that's a giant hack.  The actual feature should be that a user
> proves physical presence and thus disables lockdown *without*
> disabling verification.
>
> --Andy