Received: by 10.213.65.68 with SMTP id h4csp1370344imn; Sun, 8 Apr 2018 01:49:56 -0700 (PDT) X-Google-Smtp-Source: AIpwx49HtPoA5be9cbrLw9y1I2zp+dKRzlJABwC8jHLAMuxxdfJP5UYhfXN5S8Sp8+iwIrh8mHfU X-Received: by 10.99.185.28 with SMTP id z28mr22443008pge.59.1523177396334; Sun, 08 Apr 2018 01:49:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523177396; cv=none; d=google.com; s=arc-20160816; b=ovcgsqWU9A3y82QRITWwfaODnHT8Pb+kGkoGR0KSfLyj6ty5Eg2imeYfA+gIaTvaAw cjlMnda+nvUbO/FcHwFS/bUTuHOXemxmaDecR7BnJ0v8GwjA88x01vQWy3x2NaNLtM9K q0FfpxJzQ4U1/67UUcv2mgM1IZpyurg8d9OmuQPsjJRb+6t7/MuH/3nAtSZiyt5kQmXk nHTl8unODRP4Rl93epxwmA0KixNAc9KgwAaN07bLf916XlTbDk7d+YWFsyQXLdWbDPFV 5VJ3KbKleoBJsJNS3LrmeJl/92PuNRX4U2QeFmD69pXT+yQUTMZS0zVY99+CShTctyK7 CZmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=GO5G91Kq1GWL7Ngl4io4vDXunq8M3rpqcgYTkIIoumk=; b=rIOndSjGj3WVLzAqIZu/vMbjUoCkz24NHkf8BL1TncqtsKa3TyCLe3EMFozQ2z70yz P2GZFYrHae+tPE9BOmcXfL/c8m+0c5rcNUP3YAJcJzDcO808HaysE97TNLUzkfxxhEQ5 QOr2EPp0V44fRCh49/dbApwwHJYuLkaXqBlSFysnaS1JqfTqhUNKAkx/yzIAfpkfhmgP 69E+Qr9cNemlFu5L9C1VP7wica0Xh8Grbq6IypTOwKaeohpNQXBnjHA61NteLWiJ/5Qk LkMVfPKLCM0SfN5PLiknuhjxLMNsm8SVWqn5U5lhWCCpzHxi3zkwlzQ6c7ghkQx0u2kL uz/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g61-v6si12097908plb.686.2018.04.08.01.49.19; Sun, 08 Apr 2018 01:49:56 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752424AbeDHIXL (ORCPT + 99 others); Sun, 8 Apr 2018 04:23:11 -0400 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:59872 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751524AbeDHIXJ (ORCPT ); Sun, 8 Apr 2018 04:23:09 -0400 Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512) id 1B2318039F; Sun, 8 Apr 2018 10:23:07 +0200 (CEST) Date: Sun, 8 Apr 2018 10:23:06 +0200 From: Pavel Machek To: David Howells Cc: Linus Torvalds , Andy Lutomirski , Matthew Garrett , Ard Biesheuvel , James Morris , Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , Justin Forbes , linux-man , joeyli , LSM List , Linux API , Kees Cook , linux-efi Subject: Re: [GIT PULL] Kernel lockdown for secure boot Message-ID: <20180408082306.GB4965@amd> References: <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> <10718.1522798745@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="K8nIJk4ghYZn606h" Content-Disposition: inline In-Reply-To: <10718.1522798745@warthog.procyon.org.uk> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --K8nIJk4ghYZn606h Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed 2018-04-04 00:39:05, David Howells wrote: > Linus Torvalds wrote: >=20 > > The same thing is true of some lockdown patch. Maybe it's a good thing > > in general. But whether it's a good thing is _entirely_ independent of > > any secure boot issue. I can see using secure boot without it, but I > > can very much also see using lockdown without secure boot. > >=20 > > The two things are simply entirely orthogonal. They have _zero_ > > overlap. I'm not seeing why they'd be linked at all in any way. >=20 > I'm not sure I agree. Here's my reasoning: >=20 > (1) Lockdown mode really needs to activated during kernel boot, before > userspace has a chance to run, otherwise there's a window of opportu= nity > in which the kernel *isn't* locked down. >=20 > (2) If the kernel isn't booted in secure boot mode, then there's the > opportunity to tamper before the kernel even starts booting. >=20 > (3) There doesn't seem any point in booting in secure boot mode if you d= on't > protect the running kernel image against tampering. What does it me= an to > be in "secure boot mode" in that case? If the kernel can be tampered > with, it would seem to be, by definition, insecure. This one is not true, either. If kernel does "printk(KERN_CRIT "loading unsigned module"); mdelay(10000);", it is useful for secure boot and provides way to owner to play. Nokia N9 / N950 uses this kind of "security" for example. It is rather annoying but better than not being able to run custom kernels at all. Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --K8nIJk4ghYZn606h Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlrJ0WoACgkQMOfwapXb+vIUpgCfQTVxgQuJIcDh2bJZRy8WyNou NOMAmwboHWl217wYf3zGmTVqyXi9sm4P =judE -----END PGP SIGNATURE----- --K8nIJk4ghYZn606h--