Received: by 10.213.65.68 with SMTP id h4csp1998496imn; Sun, 8 Apr 2018 16:59:08 -0700 (PDT) X-Google-Smtp-Source: AIpwx49Yf1nnOohGLsR+Kc2U4svSIuM1ohmLHA8hXHGmY2IkAuSApAyEFTstPT6tqG+/aQdcLuy0 X-Received: by 10.99.43.80 with SMTP id r77mr23377735pgr.193.1523231948061; Sun, 08 Apr 2018 16:59:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523231948; cv=none; d=google.com; s=arc-20160816; b=TQNWmHhjXRbyDYsClaciBA1UHdmXT4RIa/EFJ/+b3fz4V7ujgtNMISpe3h9e46ogJb MFVazYtLWwfZHbEH86Nt/7SddoZ3SkMTLwQLdmq+nExrHvR2LZM/6xm/cebprIEkEtKr AO2YYrF9THBvQ+72N+k1CrbS3anVzlQc2miemNg16dBaY2Er8tpVxECKIKLJ7LoMm7aB pEfqAzxaX+EDb4b+QKRXG5hkukSxEaN8Y+NhygNKtsca3sAZ3eRgvD8arFNTQfvmJA5h FeQ7bodBTM0MlqmnkBQdOPEvCzM2ZlMqA5sVdRhzh0zH4H32gRFKRaWaOQyaRK3URS7Y AlYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:to :from:date:arc-authentication-results; bh=VpZaRLaR5rDDnaEimEEm2w61Adm0VHKskD7/azj3Lh0=; b=aqSK7IPxjCkQVR8zIGoo55lV1BdaasP23/EbcCiC5ImK5r9PQ1Dzu6wwe7jf632Vb8 QG4ziXcAa/1yehugqxR6iFa/R0uvVYd5gaWMy4URQ6Qc+sj2/tXkIxbhLei9hp6ZQK3s toiupto45fO0pR7M/TNHaa0YRZnAbT+bAuuuqeIfJ9zPMMOw04h7TyaHEF3vznr9x3ev cVHRJ6P6PzuP9axWsaUdsfS/d9RtyBjIpacmcqKQxJ8byW4DZ/pgfW9x6trXVSqFlLfJ vweDwhhQ5AacpOOW5af0I4MUj43M5eJdWEVw31Z3McVOmI6GFdWryFX5DCC1EWIXYRBw 1roA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p3si8610823pgc.463.2018.04.08.16.58.31; Sun, 08 Apr 2018 16:59:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752785AbeDHWAh (ORCPT + 99 others); Sun, 8 Apr 2018 18:00:37 -0400 Received: from atrey.karlin.mff.cuni.cz ([195.113.26.193]:51154 "EHLO atrey.karlin.mff.cuni.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751919AbeDHWAd (ORCPT ); Sun, 8 Apr 2018 18:00:33 -0400 Received: by atrey.karlin.mff.cuni.cz (Postfix, from userid 512) id 9DDCE80397; Mon, 9 Apr 2018 00:00:31 +0200 (CEST) Date: Mon, 9 Apr 2018 00:00:30 +0200 From: Pavel Machek To: "Theodore Y. Ts'o" , Matthew Garrett , Linus Torvalds , luto@kernel.org, David Howells , Ard Biesheuvel , jmorris@namei.org, Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi Subject: Re: [GIT PULL] Kernel lockdown for secure boot Message-ID: <20180408220030.GC4965@amd> References: <20180404125743.GB16242@thunk.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="CblX+4bnyfN0pR09" Content-Disposition: inline In-Reply-To: <20180404125743.GB16242@thunk.org> User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --CblX+4bnyfN0pR09 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > What I'm afraid of is this turning into a "security" feature that ends = up > > being circumvented in most scenarios where it's currently deployed - eg, > > module signatures are mostly worthless in the non-lockdown case because= you > > can just grab the sig_enforce symbol address and then kexec a preamble = that > > flips it back to N regardless of the kernel config. >=20 > Whoa. Why doesn't lockdown prevent kexec? Put another away, why > isn't this a problem for people who are fearful that Linux could be > used as part of a Windows boot virus in a Secure UEFI context? >=20 > If lockdown simply included a requirement for a signed kernel for > kexec --- and if kernel signing aren't available, to simply not alow > kexec, wouldn't that take care of this case? >=20 > This wouldn't even be all that much of a burden for non-distro users > with lockdown enabled, since in my experience outside of enterprise > and data center use cases, kexec isn't used --- and in fact, very > often kexec doesn't even work outside of a very carefully selected and > bug-fixed set of device drivers. (It often doesn't work in non-distro > kernels because very few upstream developers really care about kexec.) I do have Motorola Droid 4 here (cellphone). It uses safestrap.. and than it turn kexec's a lot (so that you can select Android vs. Jolla vs. ... during boot). So yes, kexec shows even in unexpected places. And BTW.. the cellphone thingie is a situation where manufacturer works against it users. Motorola does _not_ want me to run my own kernels here. Pavel --=20 (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blo= g.html --CblX+4bnyfN0pR09 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlrKkP4ACgkQMOfwapXb+vLuTQCeMDzahlxtiWb+VZ8CP3Jf2Hqu XcQAn2whnLxOBGlx1Qn+icDsL2hhrHIX =WLuA -----END PGP SIGNATURE----- --CblX+4bnyfN0pR09--