Date: Sun, 8 Apr 2018 10:10:50 +0200
From: Pavel Machek
To: Matthew Garrett
Cc: Linus Torvalds, luto@kernel.org, David Howells, Ard Biesheuvel, jmorris@namei.org, Alan Cox, Greg Kroah-Hartman, Linux Kernel Mailing List, jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List, linux-api@vger.kernel.org, Kees Cook, linux-efi
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Message-ID: <20180408081050.GA4965@amd>

On Tue 2018-04-03 21:08:54, Matthew Garrett wrote:
> On Tue, Apr 3, 2018 at 2:01 PM Linus Torvalds
> wrote:
>
> > On Tue, Apr 3, 2018 at 1:54 PM, Matthew Garrett wrote:
> > >
> > >> .. maybe you don't *want* secure boot, but it's been pushed in your
> > >> face by people with an agenda?
> > >
> > > Then turn it off, or build a self-signed kernel that doesn't do this?
>
> > Umm. So you asked a question, and then when you got an answer you said
> > "don't do that then".
>
> > The fact is, some hardware pushes secure boot pretty hard. That has
> > *nothing* to do with some "lockdown" mode.
>
> Secure Boot ensures that the firmware will only load signed bootloaders. If
> a signed bootloader loads a kernel that's effectively an unsigned
> bootloader, there's no point in using Secure Boot - you should just turn it
> off instead, because it's not giving you any meaningful
> security. Andy's

Not true.

I have kernel with printk() enabled. Yes, once userland is started,
you can boot another kernel, maybe.

Maybe my kernel is locked down with exception of kexec, and it does
printk(KERN_CRIT "kexecing") followed by mdelay(5000). That's pretty
good security.

Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html