Received: by 10.213.65.68 with SMTP id h4csp1326119imn;
        Wed, 4 Apr 2018 17:22:31 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/Au20FFwk7bXthjj7+MViPVadKHq4OlnaYIdugHTiAxwkJXrMq1GnXyI2kB/xByW4pwAer
X-Received: by 10.99.109.136 with SMTP id i130mr13400897pgc.380.1522887751107;
        Wed, 04 Apr 2018 17:22:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522887751; cv=none;
        d=google.com; s=arc-20160816;
        b=iBInOHDXeKnb75SnqH0YvpTxYKMLaah4gyVbFeiGN8QcLBCYPqIC20CwbN4havqzXT
         HZ7hqxWI0W1H66keP4R+zyn+6zKPPha582fJ4rerYqT47C4L4R8T7rLejaOLOEcu++cZ
         d96fJIltGPpYwqjroy5I5wPAWWlfE9kvvqUPt0BYPpBeg78Xn3LJezn7DJb5c1K9aifc
         Zpd9VqKAgq6EYhPwMQLONObe4QO5KLVOIKDauRQf4w2XK0m+vRuoXsssLaP0W8B0zTGx
         TxOj/KLJG0gDClFozGdXOkC5ywwer+WjBCrJ7rsU2pVxhH2G85g9G/7ET8CegGmvJyAU
         NMvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=;
        b=I0dbU2d1hn5cpyyn8igluIu9kRylayAjgo8ZUKOSmwBYK4uNhHFw2594jlZvyw15oe
         qNEPwXK6dfMLdAQxacEb9TxEQK1Bp+H2gJAiJO4mbegw1W+Xv5PJEULmaMH8nnlt2fJM
         W7uSGIdCK8Udp9udkCUQlz8GlbrilxJkDP3WZWwCk/bPWI7MBZd5exFlPHUdMmfBq+vv
         VxnBLlXLPCVIHpc7fWR7xV5Q3k0Wy4WUaDN7LFw58PyRlZKMwtHfiNzEOVa37njoQZtx
         0mND4cZ5HUnSZPg5AwAIqQeuga6tAAxyL9r+++Dg90BtsJ8TWpPC5g2f5lAuaCPJMYaG
         z0LQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=WHoLdRFw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a84si5065884pfl.154.2018.04.04.17.22.17;
        Wed, 04 Apr 2018 17:22:31 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=WHoLdRFw;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752677AbeDEAUw (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Wed, 4 Apr 2018 20:20:52 -0400
Received: from mail-io0-f179.google.com ([209.85.223.179]:34503 "EHLO
        mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752641AbeDEAUs (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 4 Apr 2018 20:20:48 -0400
Received: by mail-io0-f179.google.com with SMTP id d6so26498023iog.1
        for <linux-kernel@vger.kernel.org>; Wed, 04 Apr 2018 17:20:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=;
        b=WHoLdRFwT0mblpM6CmjBwbViuXimMgQxRQeS7eX2d6T2RjSlJ8lu5lYe1jfGR5TEpq
         S2D8EUBaacr6IFLSRqoa4IT89wMZhqf4WbM3btGSXx9NbrGNPfBY9O01VfbHyvSWM+nw
         EMQocSLL0h8mkUOtyS9ByTgMOsD3xB80qW1PEEX5jdw7VUWb+4TQ7lBS5/iqmQyjXRl9
         8Cz1c9fwmRO6R83vZy36YbRGHQsjg5oLHcFmL7Fe1J0Ds5ncasrwMsQzcCC/LH0dTS4U
         EJUrE+VQpNgYwmOQFMZDpb/pw+fpXTsB2RQ4F9sCAuFaSNuvy8Q2ZTcOBWAd0S81HFM5
         5oKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=;
        b=AXuO5n83ULIJT+M8RhNs+ObVdwdDOxeS7tO8WOLfBVyhM9toVs7hbHnifGzoV3fgX8
         qeoxSlxQ4qrp0/hM+wT005Wo92BTrbOVpNHkC3SgiV4sv+nI0Z2V6lDdsBoFTRVMiY50
         J+vC2EbbbYIx7ed7+hONV6630ofV9OxjaIh+yaXLjhBvA+lar2GN7fMFfc0qz6fhGuqw
         bLu+a7shT442G2rFtdoAfgNcgIdHnSkA4cBzxnCjDDgIi3YzzvTKwr4HAoAraUmZFB9+
         HHCNOEge/rN5/X7pf/ZmAQ4e8ksd3AYlytVVSJ/1KC7cq7WfOyFpZyVeYMT7mOhU7oNR
         wZ1A==
X-Gm-Message-State: ALQs6tCTTzsG4ZLryx35cFtTtCRF6G1sercRhjNIgy3u5vzgXIGLZ3Ad
        qxEr8xNZe2de33WqtXvnW8PjHpXW1fhLd9xIQjV6ug==
X-Received: by 10.107.180.68 with SMTP id d65mr1097104iof.244.1522887647476;
 Wed, 04 Apr 2018 17:20:47 -0700 (PDT)
MIME-Version: 1.0
References: <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com>
 <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com>
 <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
 <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com>
 <CACdnJuti5Riqoi1sesqPALYHq9LT87o4MFj-0Y5BZqqzJ5579g@mail.gmail.com>
 <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com>
 <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com>
 <CA+55aFxgrh5eeG9MRSEsJtyL5yTe0TehZ=BS2josGJaLxoMMBQ@mail.gmail.com>
 <CACdnJutuBaE3RaDx0KM5vDF9Sinrp=3tG9csrS-H3eU-J7-Utw@mail.gmail.com>
 <24353.1522848817@warthog.procyon.org.uk> <20180404135251.GD16242@thunk.org>
 <CACdnJuuGRRUt-a3i89o906ka3RDOhs+_7tz_G8LTG8Jc0DXAyQ@mail.gmail.com> <CANA3KFWLCfe=KYPBhKj+g698=frt4E-u-Hq2--5jFkHnkNoBnA@mail.gmail.com>
In-Reply-To: <CANA3KFWLCfe=KYPBhKj+g698=frt4E-u-Hq2--5jFkHnkNoBnA@mail.gmail.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Thu, 05 Apr 2018 00:20:36 +0000
Message-ID: <CACdnJut330=gdaSOR8VdLJeNEiL7uupUMZYqVYy5YoE1J-w2vQ@mail.gmail.com>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
To:     Peter Dolding <oiaohm@gmail.com>
Cc:     "Theodore Ts'o" <tytso@mit.edu>,
        David Howells <dhowells@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        luto@kernel.org, Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        jmorris@namei.org, Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com,
        LSM List <linux-security-module@vger.kernel.org>,
        linux-api@vger.kernel.org, Kees Cook <keescook@chromium.org>,
        linux-efi <linux-efi@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 5:05 PM Peter Dolding <oiaohm@gmail.com> wrote:

> > If you don't have secure boot then an attacker with root can modify your
> > bootloader or kernel, and on next boot lockdown can be silently
disabled.

> Stop being narrow minded you don't need secure boot to protect
> bootloader or kernel the classic is only boot from read only media.

And if you use another protected path you can set the appropriate bootparam
flag or pass the appropriate kernel command line argument and gain the same
functionality.