Received: by 10.213.65.68 with SMTP id h4csp1122697imn; Wed, 4 Apr 2018 13:03:23 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/24MLre7qbEUHBR014iaqiPsqrghkQ6RkwL5pDryseISIImMjkITd26Td3pTd7PLZ1d25J X-Received: by 10.98.13.71 with SMTP id v68mr14923272pfi.69.1522872203165; Wed, 04 Apr 2018 13:03:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522872203; cv=none; d=google.com; s=arc-20160816; b=s/4INLIvIINKYVI+fW+k+YAmdzZfbsiYSkQys9zhs8MsW6/2Z8UE9AW9DCyRfoADMG /dru9isYR0DS+nLZLTEXSkvzuimczAM6OPQEIG0wbP2oN2uwqdT6y46mbKtC9gqhx6Rs RFrJrRzqUkgZQabozJ3zYq/97F309Rgb7d+m7bgee3kxj1RXgK3CGspQZWXRXBoAoqRv TZNBv0XJIpJzoaTjfIg1mDt188sc+H7k5rNYgSBFgrL8gqKWKuTfxBtVhLnQUPn7uNcf xKsuxO8ou1BtKWbEWnabDia3F+LEie+BqdjR3bDUPfMg/TggFPqOCMjvA6R7bZS+gWEW GXAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date :arc-authentication-results; bh=hP64wE3mSGfAqo5bFStTwAFzJ0ureAN2Kw4qBEUslnw=; b=W8M5a8XvJUFln6wCCBN2QVAwds9KfGUkWKRdzJvjriwSHokf9zu6T8Owk6H+JRT2iB RFRAdgZhRthWO5Ay9ViIRJfMYRejF4IrdcsYYbZiOb1uNjmO+aJPmZkr/ldkW7ZUSUss qbwR5Dq6wAEq90QYGG/F4QyaewjftJK79b28a99PV89aea7VBW4oetSh2GBzzs2F8Q1u 6F4XpmcrWAp1Abmu3X3/MqChUdII1FPH+R6GpXBNTWkjLZxj0yOHVlhPy51wUibnQjZq UCYqaV+uQrfxuUpb2RV8JnVmuPC/VvdIQUn4sQpe7/nU16aPEzkGK7oD1sqkrMwRTl6Q ZrNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 200si4198546pga.50.2018.04.04.13.03.06; Wed, 04 Apr 2018 13:03:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751780AbeDDUCA (ORCPT + 99 others); Wed, 4 Apr 2018 16:02:00 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:35229 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751301AbeDDUB6 (ORCPT ); Wed, 4 Apr 2018 16:01:58 -0400 Received: from p4fea5f09.dip0.t-ipconnect.de ([79.234.95.9] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1f3obM-0001db-BC; Wed, 04 Apr 2018 22:01:48 +0200 Date: Wed, 4 Apr 2018 22:01:47 +0200 (CEST) From: Thomas Gleixner To: Peter Jones cc: Andy Lutomirski , Matthew Garrett , David Howells , Ard Biesheuvel , James Morris , Alan Cox , Linus Torvalds , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Subject: Re: [GIT PULL] Kernel lockdown for secure boot In-Reply-To: <20180404184255.exdrtpqnxlqme7tl@redhat.com> Message-ID: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <20180404184255.exdrtpqnxlqme7tl@redhat.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 4 Apr 2018, Peter Jones wrote: > That is to say, as a result of the way malware has been written, our way > of thinking about it is often that it's a way to build a boot loader for > a malicious kernel, so that's how we wind up talking about it. Are we > concerned with malware stealing your data? Yes, but Secure Boot is only > indirectly about that. It's primarily about denying the malware easy > mechanisms to build a persistence mechanism. The uid-0 != ring-0 aspect > is useful independent of Secure Boot, but Secure Boot without it falls > way short of accomplishing its goal. I think we can all agree that The uid-0 != ring-0 aspect is useful independent of Secure Boot There is probably resonable consensus about the second part of this sentence as well: but Secure Boot without it falls way short of accomplishing its goal. Now where the disagreement lies is the way how the uid/ring0 aspect is tied to secure boot, which makes it impossible to be useful independent of Secure Boot. So the real question is, how can we make 'lockdown' usable and useful without Secure Boot and at the same time not violate the constraints of the Secure Boot scenario. If we can agree on the above then I hope that we can focus on the technical problems instead of arguing in circles. Thanks, tglx