Received: by 10.192.165.156 with SMTP id m28csp1258838imm; Wed, 11 Apr 2018 15:42:40 -0700 (PDT) X-Google-Smtp-Source: AIpwx489PPMbzvBCfx6/vObUoQ5aZm6RHkAU4+o5zZkBrUWurY2SCDd5z7E7WPtYLRUnWlsB7Hw3 X-Received: by 10.99.116.81 with SMTP id e17mr4859710pgn.437.1523486560439; Wed, 11 Apr 2018 15:42:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523486560; cv=none; d=google.com; s=arc-20160816; b=JJqQ9LhRyMhBRy7mYMIqjnFg3JFtAMu6vT+tkd1JTMorbfLkXjXpPAp5VZHuLzRaLL scdofr0j47/PE+KO3d5U+bi8JG9z13D74ly/SX1riU78X+Cg6E3fIZWiCQTmen6zuWj3 a7tuCuMgGX4W8T2egNzd64WbX2/crvdoUVtR3aCryNKhkd/CBXGcqYNADYMSTBTx7BiE TdgO0O9+jVD4Frme3tlDdU1RgWg983RrRUgbCGAyCKwPqOFGHMWJPRIognDzv7oLiQhh gzQm5hqbGCuYRrGf192t8Ic4POFnH9HoRBUO6MNdqvaaoIs2wyLE02UBhumDGEf5MoLC 0DUw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=cx6FLtBgWcoWwOpmsPDoMlIXIzaTd8HqmrD4njjWx9w=; b=ke6WwIilB/ZqYymRb8dFVVaSKPIYFfjxI9nuUVCXENxC9F+7AIUT75b4z7YEgoW8NE c3mO9AcfyD9f/kHHghJ+2WKV0cnUGtB7t4yWSeQ99OjKPnkXSKfH03ie8pyFUt2dD05a mw2qmfI2LjJXSAgGi6auIWvqH4sg0zFiVXKy0hZ8HK7say2ppfkviCq5qfnsVBPQ7WBQ JKldvtN0DL3+5zaHFWcJYyvUsKBbOExdAz7WcH9G9dJ7w6BUERTcDZqmBZYaKJjS5DwX PSiew6IcZRrV8ctpG4lWTxFmqgFlzu8+KjcvS8aR9iyw5hM1SvP0r91QmwPWjmBtsVvJ zmiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=DCmx99Ad; dkim=fail header.i=@linux-foundation.org header.s=google header.b=SwBbVOEb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 1-v6si2044042plj.275.2018.04.11.15.41.53; Wed, 11 Apr 2018 15:42:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=DCmx99Ad; dkim=fail header.i=@linux-foundation.org header.s=google header.b=SwBbVOEb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752181AbeDKWib (ORCPT + 99 others); Wed, 11 Apr 2018 18:38:31 -0400 Received: from mail-io0-f170.google.com ([209.85.223.170]:46596 "EHLO mail-io0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751553AbeDKWi3 (ORCPT ); Wed, 11 Apr 2018 18:38:29 -0400 Received: by mail-io0-f170.google.com with SMTP id q80so4156816ioi.13; Wed, 11 Apr 2018 15:38:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=cx6FLtBgWcoWwOpmsPDoMlIXIzaTd8HqmrD4njjWx9w=; b=DCmx99AdyLt74TILwCYWOslVutQzNGyHTaTX36RTxNTeIBhxOp7qZiN9cUGZtPfxVB KJzXe5m8Q6ATG5N3yF5bpmZ8OP6WKSs3UDXtoeTrNx2ElZPPYXXByQRSSinJV7MysTBQ f3jHT+4HI9tjehXpJPNKFXGeF4Bbu5pHh/ZzXgqn5wzDv7M7G7oJGbsHFeuqaBTjt5zw rYF6AcIlr8teUzm61P2uD6f3keBn0/LzicAqUxGfrG3juH05+GBMnagyOhcPqLMqnFhF 1F2oD56uk+7Npyukx/l9cFpftMs9Kl/KLSxygXfzR5WqSIollHFxRFimV0F8Q4ttDnzr fEKg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=cx6FLtBgWcoWwOpmsPDoMlIXIzaTd8HqmrD4njjWx9w=; b=SwBbVOEbURGQZZfUMKh9rUwkfVhBomGDzg/4fWw/qgHV4So/IE+RCVGSMAIbD63pzY rE82wkoCDAbW0O60nMZFgsYWDVH5gpU6d8Lejz1f2IkKHGQ69Hl5DLTrz8VMe6hQLgfS U8jyM82Z+WH+a7NVuBtjU1kGU7fLPwprdQRow= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=cx6FLtBgWcoWwOpmsPDoMlIXIzaTd8HqmrD4njjWx9w=; b=EhVA0flgtuFxPuDNFaXcIa8KN2KFU4SM0OeU149ku8YNsazd4QBHbXLV8a06YjlDjD OJFYmmCQhU8oIy1sA2reIezHZ148GIhI/E58X1RlEivC9YJgaIDoB49SvmXvU8gS6VMV DhY5jNY6x2dFAsA02KnCE0bQkzr4J8NVonFIBndvfLCOwBZXgWTqScMUh+U6wix7k2B9 /351F57HcTGtfz/HFR9GcTfs4TCzBQ4qDexEXS0w0Nb0UMsR/eyOUSD8uRqPBY7mZZ46 bG0Nkd7rOePaUUstGCo4AyA7fBATRwea7TTl7xBYY7Sb9zT65UHBhYum0XeN+iO1Qmf2 eyng== X-Gm-Message-State: ALQs6tBY2My1hyZd6rb+OnNNe4F8O5XlxbF9h6q7YDD/P9JsEvYZQ5+P 4vLjLmt6sdnuC+P9PL6P1duok2mmPv3bCS0+NVo= X-Received: by 10.107.138.74 with SMTP id m71mr518540iod.259.1523486308218; Wed, 11 Apr 2018 15:38:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.107.95.15 with HTTP; Wed, 11 Apr 2018 15:38:27 -0700 (PDT) In-Reply-To: <8z0aRQyD-6Krqntk8UD9WQjK5JSqEai2Pt5oeFU2EplgxoWiHlX5nlJXwCDHQ1WcS1oIprXimgz7UvwHCWDB9Z3dYFrEmZmtkEJSqaYMel8=@protonmail.ch> References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346388583.4030.15146667041427303547.stgit@warthog.procyon.org.uk> <8z0aRQyD-6Krqntk8UD9WQjK5JSqEai2Pt5oeFU2EplgxoWiHlX5nlJXwCDHQ1WcS1oIprXimgz7UvwHCWDB9Z3dYFrEmZmtkEJSqaYMel8=@protonmail.ch> From: Linus Torvalds Date: Wed, 11 Apr 2018 15:38:27 -0700 X-Google-Sender-Auth: JQXxiiP2qAutJeg4_ebmDw_hnq8 Message-ID: Subject: Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image To: Jordan Glover Cc: David Howells , linux-man , Linux API , James Morris , Linux Kernel Mailing List , LSM List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 11, 2018 at 2:05 PM, Jordan Glover wrote: >> >> If that /dev/mem access prevention was just instead done as an even >> stricter mode of the existing CONFIG_STRICT_DEVMEM, it could just be >> enabled unconditionally. > > CONFIG_DEVMEM=n It's actually CONFIG_DEVMEM, CONFIG_DEVKMEM and CONFIG_DEVPORT, it's just not obvious from the patch. But the important part is this part: >> So I would seriously ask that the distros that have been using these >> patches look at which parts of lockdown they could make unconditional >> (because it doesn't break machines), and which ones need that escape >> clause. .. because I get the feeling that not a lot of people have actually been testing this, because "turn off secure boot" is such a universal thing when people boot Linux. So it's really the whole claim that distributions have been running for this for the last five years that I wonder about, and how often people end up being told: "just disable secure boot":. But if people really don't need DEVMEM/DEVKMEM/DEVPORT, maybe we should just disable them in the default configs, and consider them legacy. I'm just surprised. I suspect a lot of people end up actually using devmem as a fallback for dmidecode etc. Maybe those people don't boot with EFI secure mode, but if so that just shows that this whole "hardening" is just security theater. Linus