Received: by 10.192.165.156 with SMTP id m28csp1188876imm; Wed, 11 Apr 2018 14:11:40 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+UadLKyQk3HGtVrhQLfRqVYiL+Haydt7tf6+uucDqUZ/5I1DflhmQVqqTclfWmnM0m62C+ X-Received: by 2002:a17:902:5381:: with SMTP id c1-v6mr6667531pli.234.1523481100318; Wed, 11 Apr 2018 14:11:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523481100; cv=none; d=google.com; s=arc-20160816; b=qo122b4/uPVxwobuZUjDIDFYKwLFc/KEz6E2GF4J5ai9paizNpqhsS5PAr3N/pt0u/ SCiyNCFKg7j7vX+UiSzkXyPegHtDzWeOLMYXmRANYgQ0TeU/twFJ+LcGMZYb+xEK9UMw NITS994G3Qjr/8Lbp5CNz4bnJQq7yCHaMfcR3U9En/bkCkVVqRTjatnsl2fK50s/P2sI kggRivX2JelIjsmgtNLP99HPKYjrWKwvXvRW5zE+c0P5BYaQClcajNWjrDW7FJvQ1bam 5mPf1mc+DIbcl0Bb37kkl+SgZhZsgQMEA/iZ2/Vi83kHgvz7junSJSsIYIfZUqaFrML9 g2jg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :feedback-id:references:in-reply-to:message-id:subject:reply-to:cc :from:to:dkim-signature:date:arc-authentication-results; bh=43AmNGw5etxIc5e/bmeAi7zyzT2rXip/5fxb1ZMWMOE=; b=fdSrs+9JauJmhQA8w+l0XmGV2kZgE7W6UJFX8DdeFLhijM35MZmLHLqsRP4MMf7Pea yLk1NIIjh5ydZI/mzoK2VxtvMAAEe1L1KlbCZyg8e+YdjpcYSfX55Jv3FepFuz13Io+m BlTyCUeM1BK9WvGmxloXZ4GP5WJXye5pukOFlA2tgAxrxVGa0+jiijCAO1dcjScxSpza tMQawP6wcfNSpq5AU2AubajeDx1FEDCvz3a8BWhkMdN/Yp/BqU/ndGTo1YSScS3Cd8a0 f2/u+6jxYcXqUttraEhK4oKRAcpByfzpQrCuCU5pPrgCeOEg309B96zaHcQteSGEIDSE iAtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@protonmail.ch header.s=default header.b=rrlGxmZy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f9-v6si1860777pln.45.2018.04.11.14.11.04; Wed, 11 Apr 2018 14:11:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@protonmail.ch header.s=default header.b=rrlGxmZy; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.ch Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755377AbeDKVFL (ORCPT + 99 others); Wed, 11 Apr 2018 17:05:11 -0400 Received: from mail5.protonmail.ch ([185.70.40.28]:42853 "EHLO mail5.protonmail.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755101AbeDKVFI (ORCPT ); Wed, 11 Apr 2018 17:05:08 -0400 Date: Wed, 11 Apr 2018 17:05:04 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.ch; s=default; t=1523480705; bh=43AmNGw5etxIc5e/bmeAi7zyzT2rXip/5fxb1ZMWMOE=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=rrlGxmZyf+O2EOwE7F8KdrrcBH/HzvegwYWVMY9Bwhrcn54M8w8CDsZKbASpSiB4B IB9ntPwF1TYHOtAClCTydV1UR2uwsI1kH19XCj9kcJ13WLyTbs633rJ+EiJMIZfaxR 8U/9mHN4mh/jbRukIZz+GW2suMwnO+bU53r3B4l0= To: Linus Torvalds From: Jordan Glover Cc: David Howells , linux-man , Linux API , James Morris , Linux Kernel Mailing List , LSM List Reply-To: Jordan Glover Subject: Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image Message-ID: <8z0aRQyD-6Krqntk8UD9WQjK5JSqEai2Pt5oeFU2EplgxoWiHlX5nlJXwCDHQ1WcS1oIprXimgz7UvwHCWDB9Z3dYFrEmZmtkEJSqaYMel8=@protonmail.ch> In-Reply-To: References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346388583.4030.15146667041427303547.stgit@warthog.procyon.org.uk> Feedback-ID: QEdvdaLhFJaqnofhWA-dldGwsuoeDdDw7vz0UPs8r8sanA3bIt8zJdf4aDqYKSy4gJuZ0WvFYJtvq21y6ge_uQ==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, FREEMAIL_REPLYTO_END_DIGIT autolearn=no autolearn_force=no version=3.4.1 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on mail.protonmail.ch Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On April 11, 2018 8:09 PM, Linus Torvalds w= rote: > On Wed, Apr 11, 2018 at 9:24 AM, David Howells dhowells@redhat.com wrote: >=20 > > Provide a single call to allow kernel code to determine whether the sys= tem > >=20 > > should be locked down, thereby disallowing various accesses that might > >=20 > > allow the running kernel image to be changed, including: > >=20 > > - /dev/mem and similar > > - Loading of unauthorised modules > > - Fiddling with MSR registers > > - Suspend to disk managed by the kernel > > - Use of device DMA >=20 > So what I stlll absolutely detest about this series is that I think >=20 > many of these things should simply be done as separate config options. >=20 > For example, if the distro is sure that it doesn't need /dev/mem, then >=20 > why the hell is this tied to "lockdown" that then may have to be >=20 > disabled because other changes may not be acceptable (eg people may >=20 > need that device DMA, or whatever). >=20 > If that /dev/mem access prevention was just instead done as an even >=20 > stricter mode of the existing CONFIG_STRICT_DEVMEM, it could just be >=20 > enabled unconditionally. CONFIG_DEVMEM=3Dn >=20 > So none of these patches raise my hackles per se. But what continues >=20 > to makes me very very uncomfortable is how this is all tied together. >=20 > Why is this one magical mode that then - because it has such a big >=20 > impact - has to be enabled/disabled as a single magical mode and with >=20 > very odd rules? >=20 > I think a lot of people would be happier if this wasn't so incestuous >=20 > and mixing together independent things under one name, and one flag. >=20 > I think a lot of the secure boot problems were exacerbated by that mixup. >=20 > So I would seriously ask that the distros that have been using these >=20 > patches look at which parts of lockdown they could make unconditional >=20 > (because it doesn't break machines), and which ones need that escape >=20 > clause. >=20 > Linus >=20 =E2=80=8BJordan