From: Matthew Garrett
Date: Thu, 05 Apr 2018 00:22:02 +0000
Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)
To: jmorris@namei.org
Cc: David Howells, luto@kernel.org, Greg Kroah-Hartman, "Theodore Ts'o", Linus Torvalds, Ard Biesheuvel, Alan Cox, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
References: <1119.1522858644@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Apr 4, 2018 at 4:25 PM James Morris wrote:

> It's surely reasonable to allow an already secure-booted system to be
> debugged without needing to be rebooted.

alt-sysrq-x from a physical console will do that.