Received: by 10.213.65.68 with SMTP id h4csp1326119imn; Wed, 4 Apr 2018 17:22:31 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/Au20FFwk7bXthjj7+MViPVadKHq4OlnaYIdugHTiAxwkJXrMq1GnXyI2kB/xByW4pwAer X-Received: by 10.99.109.136 with SMTP id i130mr13400897pgc.380.1522887751107; Wed, 04 Apr 2018 17:22:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522887751; cv=none; d=google.com; s=arc-20160816; b=iBInOHDXeKnb75SnqH0YvpTxYKMLaah4gyVbFeiGN8QcLBCYPqIC20CwbN4havqzXT HZ7hqxWI0W1H66keP4R+zyn+6zKPPha582fJ4rerYqT47C4L4R8T7rLejaOLOEcu++cZ d96fJIltGPpYwqjroy5I5wPAWWlfE9kvvqUPt0BYPpBeg78Xn3LJezn7DJb5c1K9aifc Zpd9VqKAgq6EYhPwMQLONObe4QO5KLVOIKDauRQf4w2XK0m+vRuoXsssLaP0W8B0zTGx TxOj/KLJG0gDClFozGdXOkC5ywwer+WjBCrJ7rsU2pVxhH2G85g9G/7ET8CegGmvJyAU NMvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=; b=I0dbU2d1hn5cpyyn8igluIu9kRylayAjgo8ZUKOSmwBYK4uNhHFw2594jlZvyw15oe qNEPwXK6dfMLdAQxacEb9TxEQK1Bp+H2gJAiJO4mbegw1W+Xv5PJEULmaMH8nnlt2fJM W7uSGIdCK8Udp9udkCUQlz8GlbrilxJkDP3WZWwCk/bPWI7MBZd5exFlPHUdMmfBq+vv VxnBLlXLPCVIHpc7fWR7xV5Q3k0Wy4WUaDN7LFw58PyRlZKMwtHfiNzEOVa37njoQZtx 0mND4cZ5HUnSZPg5AwAIqQeuga6tAAxyL9r+++Dg90BtsJ8TWpPC5g2f5lAuaCPJMYaG z0LQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=WHoLdRFw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a84si5065884pfl.154.2018.04.04.17.22.17; Wed, 04 Apr 2018 17:22:31 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=WHoLdRFw; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752677AbeDEAUw (ORCPT + 99 others); Wed, 4 Apr 2018 20:20:52 -0400 Received: from mail-io0-f179.google.com ([209.85.223.179]:34503 "EHLO mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752641AbeDEAUs (ORCPT ); Wed, 4 Apr 2018 20:20:48 -0400 Received: by mail-io0-f179.google.com with SMTP id d6so26498023iog.1 for ; Wed, 04 Apr 2018 17:20:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=; b=WHoLdRFwT0mblpM6CmjBwbViuXimMgQxRQeS7eX2d6T2RjSlJ8lu5lYe1jfGR5TEpq S2D8EUBaacr6IFLSRqoa4IT89wMZhqf4WbM3btGSXx9NbrGNPfBY9O01VfbHyvSWM+nw EMQocSLL0h8mkUOtyS9ByTgMOsD3xB80qW1PEEX5jdw7VUWb+4TQ7lBS5/iqmQyjXRl9 8Cz1c9fwmRO6R83vZy36YbRGHQsjg5oLHcFmL7Fe1J0Ds5ncasrwMsQzcCC/LH0dTS4U EJUrE+VQpNgYwmOQFMZDpb/pw+fpXTsB2RQ4F9sCAuFaSNuvy8Q2ZTcOBWAd0S81HFM5 5oKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ZpFXepEBfPI8rqqbXBT29fSQY96/rnua5VWyBSAQLg4=; b=AXuO5n83ULIJT+M8RhNs+ObVdwdDOxeS7tO8WOLfBVyhM9toVs7hbHnifGzoV3fgX8 qeoxSlxQ4qrp0/hM+wT005Wo92BTrbOVpNHkC3SgiV4sv+nI0Z2V6lDdsBoFTRVMiY50 J+vC2EbbbYIx7ed7+hONV6630ofV9OxjaIh+yaXLjhBvA+lar2GN7fMFfc0qz6fhGuqw bLu+a7shT442G2rFtdoAfgNcgIdHnSkA4cBzxnCjDDgIi3YzzvTKwr4HAoAraUmZFB9+ HHCNOEge/rN5/X7pf/ZmAQ4e8ksd3AYlytVVSJ/1KC7cq7WfOyFpZyVeYMT7mOhU7oNR wZ1A== X-Gm-Message-State: ALQs6tCTTzsG4ZLryx35cFtTtCRF6G1sercRhjNIgy3u5vzgXIGLZ3Ad qxEr8xNZe2de33WqtXvnW8PjHpXW1fhLd9xIQjV6ug== X-Received: by 10.107.180.68 with SMTP id d65mr1097104iof.244.1522887647476; Wed, 04 Apr 2018 17:20:47 -0700 (PDT) MIME-Version: 1.0 References: <24353.1522848817@warthog.procyon.org.uk> <20180404135251.GD16242@thunk.org> In-Reply-To: From: Matthew Garrett Date: Thu, 05 Apr 2018 00:20:36 +0000 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Peter Dolding Cc: "Theodore Ts'o" , David Howells , Linus Torvalds , luto@kernel.org, Ard Biesheuvel , jmorris@namei.org, Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 4, 2018 at 5:05 PM Peter Dolding wrote: > > If you don't have secure boot then an attacker with root can modify your > > bootloader or kernel, and on next boot lockdown can be silently disabled. > Stop being narrow minded you don't need secure boot to protect > bootloader or kernel the classic is only boot from read only media. And if you use another protected path you can set the appropriate bootparam flag or pass the appropriate kernel command line argument and gain the same functionality.