Received: by 10.192.165.156 with SMTP id m28csp1036662imm; Wed, 11 Apr 2018 11:13:34 -0700 (PDT) X-Google-Smtp-Source: AIpwx4/FeCbEplTnQlQ0IcskWxUxHVO/ALC/UG1V8HuDOTuGOe5pm+6f1Td0+mny/mi+9l0aD90U X-Received: by 2002:a17:902:b707:: with SMTP id d7-v6mr6301696pls.188.1523470414026; Wed, 11 Apr 2018 11:13:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523470413; cv=none; d=google.com; s=arc-20160816; b=USGUGsitq/4va6XLMikTVcpel7c9ogy/kGivOe7lflofdRmplQsHzJQmzQmse5eKtW sH9q+RtxCDdL+TF5/BpHoqLZUJzFt5K2X7Raj6NNvTGPaah2wB6bsOHz7KNn9P9tASX6 fDU0tTnhOAVNmljAC+44x0M4F58pOMDLxVWHW+WwDJy1iyNu/o45c+Uj3RH698PEpq1y hNenz8yh8oaYC+iw8A/kHWM1FJB98PnIqSr5tiZg2zt3nEjEkg9Zh/z3aCKiMW0CFYPM PfXYCfgQA9nw6FRKhXPdIr13PKbBWVhzVdf8a0Nqxzz3HjYX3KL/xI9pLfOhCPQqdbjJ mNUg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=VnFN3KBxYdLFiiRCV+D6NPf495RGcszjvAuKhRcBMfw=; b=JSoV9iT8N0yMBDKfPYbqokq3ftoT/bcUZu3s5EJLtJtNci5r/rGi1DyrDuG5QcyFNX sNG3r+VCVyCqbdV+B0nTXcZidMOz+lCuW+62cm+E2BBwPB94lF7g1HUSQnQ8rFugcXdu amRCNXFGHxNf4R/hAIWmC/6ObysSussvyKGw3u6/xV9hReSbeLYmdAgCuFdeS24/kRv+ GUYwCYDjWW6QQQBRMUC4Qkzs+G/hlloVlqDFbFb4+L7D2JL5oL5Y6004bMLXRXopmAJ5 U/YK961HgLPpGK9Lr7OFc2x1ItOF3qXFa67MgzU54IQ4vq2qd/dSnqVKcSOHvwETqF5a LDsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=EgrIvhsF; dkim=fail header.i=@linux-foundation.org header.s=google header.b=F89y00NX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x14si1098638pgc.165.2018.04.11.11.12.57; Wed, 11 Apr 2018 11:13:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=EgrIvhsF; dkim=fail header.i=@linux-foundation.org header.s=google header.b=F89y00NX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752700AbeDKSJo (ORCPT + 99 others); Wed, 11 Apr 2018 14:09:44 -0400 Received: from mail-io0-f193.google.com ([209.85.223.193]:42080 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750734AbeDKSJm (ORCPT ); Wed, 11 Apr 2018 14:09:42 -0400 Received: by mail-io0-f193.google.com with SMTP id d5so3374125iob.9; Wed, 11 Apr 2018 11:09:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=VnFN3KBxYdLFiiRCV+D6NPf495RGcszjvAuKhRcBMfw=; b=EgrIvhsFIZ2kbASZDatORYcs61a7yrXo2i8nBuPjhDaSH1bUb5gbFhFneK6+9gWszJ EQIjQjEDPVf+9BEVECYA5XLp89Rcy+fxKFVKbkxj6zyvAMFTDxYxtvDe9YxGaRqcOk8N zZ/LFRC/UcKvlGm72O/B2LOwG41Pn0J8ajgMgavM9wqoVsfKlzEIhKXh1z+smqxywkOM u43rCC2839Mm+JEfwg4d0pLESruV3PjYSQfrS91IZQtR/Lkmg7hmRaxvR0I/fyTb0N8l 9ePiNtZrfIH0BLUUXJeGqvrZmBUAyjHsmzYvDr9HJZ858YjuH8HWzVY0e/3yGVZC/V5l QckA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=VnFN3KBxYdLFiiRCV+D6NPf495RGcszjvAuKhRcBMfw=; b=F89y00NXvJGgcIfU9iofQsJCaEZvTLq2NOvE0leWwBoUFWxzc7v/AfknSYQ1L8HrmQ 3CBFAGaxJRNR3TdzOLgBcgj6uvkI0XkLFc4qFGq6lCTb0dxuwHQ6ReXup8L2ndSqL4y6 a3xRW+JL4DKSs7vTxupZupkuEiuNw8g7IpkMo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=VnFN3KBxYdLFiiRCV+D6NPf495RGcszjvAuKhRcBMfw=; b=oXualAhdug6f8Tbl79Rqg6mc4nazGCFIpFjb9jzH3IjOC5a859Uk/GkLkn18YVP4wr 2SE/I+qb7BkQwWOQ4cFI0RepStgU0KCZNILM73BJIGSP3uAWdaOW4Xw4OspCCmSfljfa 24BJ09WnW7YPbw+81SBoEPMOw7X8KvqMOv9A0mqP7tIvb27qvTRs6QYM8N5K2TmlI3DV wJfy8aslL6vkc9aU79fOXfxJx9hAkOJSU+spFUUCd7V4BJhAUIzLtL1AcCl6dN/lSIKQ 6S7eSm8/vWr6KWBD6cG8XbQGYOHDpNac9FYHuN6haETEwzu1OcQAgw9Bz1Gk2ktKPr8h Mlgw== X-Gm-Message-State: ALQs6tB8bBSYRpUSgeeEy1av9z6sijOMNj5HBqLS5M7Y+Wm5iMidwnYX ut8PFjSOCAi7GBpjjfLh04/2+HAD5bljcy2tfRpT+Q== X-Received: by 10.107.12.201 with SMTP id 70mr5826682iom.48.1523470181499; Wed, 11 Apr 2018 11:09:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.95.15 with HTTP; Wed, 11 Apr 2018 11:09:41 -0700 (PDT) In-Reply-To: <152346388583.4030.15146667041427303547.stgit@warthog.procyon.org.uk> References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346388583.4030.15146667041427303547.stgit@warthog.procyon.org.uk> From: Linus Torvalds Date: Wed, 11 Apr 2018 11:09:41 -0700 X-Google-Sender-Auth: K98CM_x3d8LblyV5LQ_tq7HfCSo Message-ID: Subject: Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image To: David Howells Cc: linux-man , Linux API , James Morris , Linux Kernel Mailing List , LSM List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 11, 2018 at 9:24 AM, David Howells wrote: > Provide a single call to allow kernel code to determine whether the system > should be locked down, thereby disallowing various accesses that might > allow the running kernel image to be changed, including: > > - /dev/mem and similar > - Loading of unauthorised modules > - Fiddling with MSR registers > - Suspend to disk managed by the kernel > - Use of device DMA So what I stlll absolutely detest about this series is that I think many of these things should simply be done as separate config options. For example, if the distro is sure that it doesn't need /dev/mem, then why the hell is this tied to "lockdown" that then may have to be disabled because *other* changes may not be acceptable (eg people may need that device DMA, or whatever). If that /dev/mem access prevention was just instead done as an even stricter mode of the existing CONFIG_STRICT_DEVMEM, it could just be enabled unconditionally. So none of these patches raise my hackles per se. But what continues to makes me very very uncomfortable is how this is all tied together. Why is this one magical mode that then - because it has such a big impact - has to be enabled/disabled as a single magical mode and with very odd rules? I think a lot of people would be happier if this wasn't so incestuous and mixing together independent things under one name, and one flag. I think a lot of the secure boot problems were exacerbated by that mixup. So I would seriously ask that the distros that have been using these patches look at which parts of lockdown they could make unconditional (because it doesn't break machines), and which ones need that escape clause. Linus