Received: by 10.213.65.68 with SMTP id h4csp1374623imn; Wed, 4 Apr 2018 18:30:19 -0700 (PDT) X-Google-Smtp-Source: AIpwx49cM4xjuwRR2PgfVuhRL7FvSxvtLZ1acg0C7IPwDImJexUyKVLl4wjuxYwmwX5RPQNh4j/f X-Received: by 10.99.49.74 with SMTP id x71mr13311325pgx.160.1522891819331; Wed, 04 Apr 2018 18:30:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522891819; cv=none; d=google.com; s=arc-20160816; b=PnCpTHmPk+IuR8hwetmwQy/6RPjiXprNvC1KJoF0ljpwZgowqj38IjyusdVziFAAqQ zM6CdRjBLEkgzfsUhS3IZvUknHat4Z2mZR8OG/nKCTquGdA9v4pCRA+znklxiuhryF7i nPLVK4M0nDrqXBfmq+tbg7TTQtB3joBAHn4MmC6FmRp0JkacD2MA5zgUTOOk20+oO0b5 s0tLG4WpVKdqeOPSeuSFQXxnkU8C7Rgr/Lc1LvnG4eQMKCwNV2WwQDRoSWpPQIE+1KW4 r6/Od4vRFlqZzsTx/6X7s/Q6E8e2pV8GbBLgUbCQU1PkAPrZbJvOjuz+XCqiv4v+uz7w vM3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=TPC57LqsIHq3uWxhbOMAcaR5IMM2UWjqLitxMCcUE+I=; b=tZL6XNkiqNlhAdeAUgtTz/Q3i0FsuOrQcfLH4JWpcZGlgs4VhvuKtxlD94oYbzbwuD L9S3hMjPKhKnNRZNbDywa5DuSV/NkxnbU9V35Fk3ivqlr1QhV4LkiukyIVGR7aPp4Srz PR8aOW1640dZPuTAk/XriCJ9ILMt3G3Zq3PwZL+3Ndky8J1pJkgthM/XCCvbX8J7kAqj D6TlEjSPlOXLXeIqIq8Sk4awn2sfjqV83G1U5QF3WEIpWhYeWqdDUJx4ZrSBtcJqqMc8 LjJwavQZETMrC2e7CJZSVxEludfpUnwRLWZyAEkK3T/+HCv8Rda8CUhLvPjtfXHG9qHm VLrA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VcGLd7OV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c7-v6si4913265plr.398.2018.04.04.18.30.04; Wed, 04 Apr 2018 18:30:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=VcGLd7OV; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752676AbeDEB3A (ORCPT + 99 others); Wed, 4 Apr 2018 21:29:00 -0400 Received: from mail-wr0-f196.google.com ([209.85.128.196]:46838 "EHLO mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752615AbeDEB24 (ORCPT ); Wed, 4 Apr 2018 21:28:56 -0400 Received: by mail-wr0-f196.google.com with SMTP id d1so25648711wrj.13; Wed, 04 Apr 2018 18:28:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TPC57LqsIHq3uWxhbOMAcaR5IMM2UWjqLitxMCcUE+I=; b=VcGLd7OVUPvDeMNpUQKQBeiHgIbjW2hQ19smvi+u4xM9lbqQjL60dAqiwO8j8fC6O8 QezyPWebclvbcHxn1wZLqGm9hfzZS9u9CEXicmQ15krj1oBpfIpav764EePRl/4GyWGL 24TKFDdq4p9ng1zAAAiAr2m822+V07vdKJATAhFo6YR6kir8JzsqqfzBPhMKMV2awdZP k2/fnao0lRqihMEyR1opQzr3xxNGUvJlCXPxb5w0AWqe+CgSoVV37WMpM+DDHBSG+43u P0V23vsV0elqUCc24ytMFDisAed1UhjZ+3k0mrhmtJWGyR6w4ynl9xV7f5myS+tjUkdq PjGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TPC57LqsIHq3uWxhbOMAcaR5IMM2UWjqLitxMCcUE+I=; b=CTUFCsNq5s4AhVcNwGwr3vkEkSFdytFmUtL6KFi6Ukpy6JhyTWCSJY9t4yZLHhvNy8 1HRqghRVm8UGCngSZ4rsonW/IIqkPzwUEtPxgkb2/MwBeGI+SGMOZ1qwF7kAHsfKE/VV 8BvspvegaFbCXxCI0XIwng3wcJCoQW0JCRQSA8ivRQQ/yeYqvwoLAV+AmvOuAbyNL+av NoWSpGjYgDuBfuKO6KFJ3R7zvD66rTmPYROPJLJDBLoW45PVXC/zNNQcxIiMytdcEnms FxmqcHTotyg7mhbAWcwrLFo8nFV2CIKX4WykDDljzm7WZLAMSjP/ciIOxxWufuXmd9x0 M1fw== X-Gm-Message-State: AElRT7FmxO5NkAK10UVUo6Tdh4TwcsZ51bD65C2g5bUMVma7JRKJnAdm fSwuploWyEf/da7Sm/ZE+Do8MRpB0thDciUwODA= X-Received: by 10.223.226.66 with SMTP id n2mr15784752wri.228.1522891734071; Wed, 04 Apr 2018 18:28:54 -0700 (PDT) MIME-Version: 1.0 Received: by 10.223.151.36 with HTTP; Wed, 4 Apr 2018 18:28:53 -0700 (PDT) In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> From: Peter Dolding Date: Thu, 5 Apr 2018 11:28:53 +1000 Message-ID: Subject: Re: [GIT PULL] Kernel lockdown for secure boot To: Matthew Garrett Cc: Linus Torvalds , luto@kernel.org, David Howells , Ard Biesheuvel , James Morris , Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Apr 5, 2018 at 2:26 AM, Matthew Garrett wrote: > On Tue, Apr 3, 2018 at 11:56 PM Peter Dolding wrote: >> On Wed, Apr 4, 2018 at 11:13 AM, Matthew Garrett wrote: > >> > There are four cases: >> > >> > Verified Boot off, lockdown off: Status quo in distro and mainline > kernels >> > Verified Boot off, lockdown on: Perception of security improvement > that's >> > trivially circumvented (and so bad) >> > Verified Boot on, lockdown off: Perception of security improvement > that's >> > trivially circumvented (and so bad), status quo in mainline kernels >> > Verified Boot on, lockdown on: Security improvement, status quo in > distro >> > kernels >> > >> > Of these four options, only two make sense. The most common > implementation >> > of Verified Boot on x86 platforms is UEFI Secure Boot, > >> Stop right there. Verified boot does not have to be UEFI secureboot. >> You could be using a uboot verified boot or >> https://www.coreboot.org/git-docs/Intel/vboot.html google vboot. >> Neither of these provide flags to kernel to say they have been >> performed. > > They can be modified to set the appropriate bit in the bootparams - the > reason we can't do that in the UEFI case is that Linux can be built as a > UEFI binary that the firmware execute directly, and so the firmware has no > way to set that flag. > With some of your embedded hardware boot loaders you have exactly the same problem. Where you cannot set bootparams instead have to hard set everything in the kernel image. This is why there is a option to embedded initramfs image inside kernel image because some of them will only load 1 file. So not using UEFI you run into the exact same problem. So lockdown on or off need to be a kernel build option setting default. This could be 3 options Always on, Always off and "Automatic based on boot verification system status". https://linux.die.net/man/8/efibootmgr Also I have a problem here in non broken UEFI implementations -@ | --append-binary-args that is very simple set the command line passed into UEFI binary loaded by the firmware with the Linux kernel this comes bootparams. Yes using --append-binary-args can be a pain it is used to tell the Linux kernel where to find the / drive. So turning lockdown off by bootparams is down right possible with working UEFI. There is a lot of EFI out there that does not work properly. >> Now Verified Boot on, lockdown off. Insanely this can be required in >> diagnostic on some embedded platform because EFI secureboot does not >> have a off switch. These are platforms where they don't boot if >> they don't have a PK and KEK set installed. Yes some of these is jtag >> the PK and KEK set in. > >> The fact that this Verified Boot on, lockdown off causes trouble >> points to a clear problem. User owns the hardware they should have >> the right to defeat secureboot if they wish to. > > Which is why Shim allows you to disable validation if you prove physical > user presence. Good idea until you have a motherboard where the PS2 ports have failed and does not support usb keyboard so you have no keyboard until after the kernel has booted so no way to prove physical presence. Or are working on something embedded that has no physical user presence interface in the boot stages these embedded devices can also be UEFI with secureboot. Not everything running UEFI has keyboard, screen....anything that you can prove physical user presence with sometimes you have to pure depend on the signing key. If I am a person who has made my own PK and has my own KEK in UEFI system I should have the right to sign kernel with lockdown off by default. I may need this for diagnostics on hardware without user interface and I may need this because the hardware is broken and I have set PK and KEK set by direct firmware flash access possibly by jtag or possibly before critical port on motherboard died. Of course I am not saying that Microsoft and others cannot have rules that say if using their KEK that you cannot do this. But if the machine is my hardware and I have set my own PK and KEK set I do know what I am doing and I should be allowed to compromise security if I wish its my hardware. I should not have to custom hack to do it. Of course I am not saying that the setting in Linux kernel configuration system cannot have a big warning that you should not do this unless you have no other valid option and I am not saying that the kernel should not log/report if it see what appears to be a questionable configuration like dmesg "SECURITY ISSUE: UEFI secureboot detected enabled kernel built with lockdown disabled system at risk of comprise". Something audit tools could check logs for. . So a kernel booting secureboot with lockdown disabled in kernel configuration is perfectly fine to log a message that this is the case. Always forcing lockdown on because you see UEFI secureboot will cause issues. Broken hardware to get around a failed motherboard with UEFI secureboot locked on you may wish to chain load though a kernel that you have the means to sign to boot a different OS that is going to be complex for you to sign due to on going updates. In my eyes lockdown have a kernel configuration option with 5 options setting the mode. 1) Automatic: On if a verified boot system is known to the kernel this may be UEFI secure boot this could be other systems the Linux kernel can detect in future and off if verified boot is not detected/disabled or if user approves turning it off by user presence test., 2) Always on: That no matter what the Linux kernel turns lockdown on. No user action or shim action is going to turn it off. 3) On but user/boot bootparams controllable. So user can give command line to EFI or other boot-loader to turn it off so no user presence test and this is need in some cases.. 4) Always off: that is always off no matter what and put error in dmesg if the Automatic on condition is found. 5) Completely build linux kernel without lockdown code bar with a single dmesg reporting this. 3-5 all provide security risks all have valid usage reasons. 3 you may want command line controllable you are developing on a system with user presence cannot be confirmed and you need to be able to switch between lockdown on and off and you only want to send 1 kernel cross to device in development stages. 4 is simple you have a case where you need lockdown always off line chain loading on a system where things have gone wrong. 5 can quite simply be diagnostics we have a issue we want to absolutely confirm that the lockdown code is not the cause. I can understand if 3-5 are forbin when using Microsoft KEK or other parties KEKs but those building their own kernels using their own keys should not have those restrictions it their hardware it thier configuration if they decide to make it insecure it their choice.. Peter Dolding