Received: by 10.192.165.156 with SMTP id m28csp1942508imm; Thu, 12 Apr 2018 06:14:11 -0700 (PDT) X-Google-Smtp-Source: AIpwx4+kOxjINMxFz0xkg65ydVwm+zBDEXueedddvfqUjsDNChU8MQkiR0S5mt8IpDVXUZ0VVFHk X-Received: by 10.99.95.144 with SMTP id t138mr682225pgb.94.1523538851476; Thu, 12 Apr 2018 06:14:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1523538851; cv=none; d=google.com; s=arc-20160816; b=V7QZtP9zIeL93Owz39B4NxD0L6Kwqwp+yz1xFpJy4XSLVmXLPC1m/QruVwWNg++Oxc QAX3NWA+Wsrf/yYBks+qncpYqg9um3GNyk5CS5Y1vewAL0zgTktdQI3yr9+Y6Cl2HUvs e0XctSh5WLx/bq4B1KTj/2ayjeKf/eoLprzRD0fdonhcy18kO4RV5z+Rw03b6mqoKkJf EbI0MF2NLAiS8nJx/Aw6LydQDWz/PONCmWP/RikIoK1BeJIapHV2bE6o1s19U4RaPd/B yfLDa0ZwKF6Z+UuKCpniEl57i31JpczkM5SH+g6NHTz9yzRlOR4kgCKMUnU2ViB9sLHw T3xQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=Ywv2GxoGmKVPgc5wpIjhBLwiwRyrNzMV/eyhfJogh+c=; b=cj1SZO9fRgfhPzTcHbAf9YZz4b5D50woMNTm2ljEbYTuPLxv3WcVDUxubEH8T1KcHX FBpN+4J80zPljBLMEquQFvHNS1Ja1x1o5Wn828fNA8fupDrTiBYra8apLerEdh/0PIJQ CFdrqkAoOpBC+GTZc/E3PFsO7PpvMbBKlDsnz959ibsUVf0QYJu4k3lI+KsGashcv833 pMNioACMB6ZQmuH3VLHq2C9H1F5hUlQd/n7F+ZSFa/JWmDkmVXLpWhCd9UBWwBUBuPnw tfXfmxJHeR8j0xvvsuCKvYShjnpzSi/I+e6H0IsYqbfJtE7r+DJ3EbKO8BKhSmRR2ZiJ l4ZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxtx.org header.s=google header.b=Sinu/GI9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x33-v6si3419251plb.356.2018.04.12.06.13.34; Thu, 12 Apr 2018 06:14:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxtx.org header.s=google header.b=Sinu/GI9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752912AbeDLNJP (ORCPT + 99 others); Thu, 12 Apr 2018 09:09:15 -0400 Received: from mail-it0-f66.google.com ([209.85.214.66]:50988 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752854AbeDLNJL (ORCPT ); Thu, 12 Apr 2018 09:09:11 -0400 Received: by mail-it0-f66.google.com with SMTP id r19-v6so7209603itc.0 for ; Thu, 12 Apr 2018 06:09:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxtx.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Ywv2GxoGmKVPgc5wpIjhBLwiwRyrNzMV/eyhfJogh+c=; b=Sinu/GI922i475o3vbQ8RyvHZaFBGkpPr0LSQsM6OqhreSaaQhJEQsjpkWRjzD5/o+ j0tkcYvRr8+625uKCujxkZafrOSi2qGoFXD0Qn1xQVF8H/TB+srDXYfOjcFYeCi6ptfq RYwbZ3bm2rkv/5CEgM30nFUUCP+JxqL79qtz8= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Ywv2GxoGmKVPgc5wpIjhBLwiwRyrNzMV/eyhfJogh+c=; b=m6VPAw+ezE6EKE+P+iUXhQE8/z3hViNTW2BrLYlZ1ToE2WgZoluojHrwGOH4wwk4NW 4JGK+pCp6NWh4biVmREtsneOUdpVT9lyZXIPxhKr1Me/2G+tsIKdg3NMwYBk0vft7Rgu s30PN28O+C4uoaNUDTXqRz36F7wZ0IZZTJHOeYa2fIc6o1WY7QBjRFJubvuBPUGNSY3v aPCjHNbIbzPnD0Z1Eq5yGdRulCzrQVlA2QvcAHy/boLDqisaLi3pb5oGJdsfb02QYCtt h5wFhbvLq+hApTzHghb4wY1Sea5j+2wi8zDRcuXm38W6BhDGX1E+xjnjWiEYLeIUDeBr isqA== X-Gm-Message-State: ALQs6tD91uzxxZKalazu1Vw+yTbgk+0TrRb1Fw25sC52TsYD2cpQ1VIx 6PiAaqKpCF/BLKpdoJsauHPEiQx4Afsm8b/Yr13lXw== X-Received: by 2002:a24:530f:: with SMTP id n15-v6mr831856itb.123.1523538550777; Thu, 12 Apr 2018 06:09:10 -0700 (PDT) MIME-Version: 1.0 Received: by 10.79.163.75 with HTTP; Thu, 12 Apr 2018 06:09:10 -0700 (PDT) In-Reply-To: References: <152346387861.4030.4408662483445703127.stgit@warthog.procyon.org.uk> <152346388583.4030.15146667041427303547.stgit@warthog.procyon.org.uk> <8z0aRQyD-6Krqntk8UD9WQjK5JSqEai2Pt5oeFU2EplgxoWiHlX5nlJXwCDHQ1WcS1oIprXimgz7UvwHCWDB9Z3dYFrEmZmtkEJSqaYMel8=@protonmail.ch> From: Justin Forbes Date: Thu, 12 Apr 2018 08:09:10 -0500 Message-ID: Subject: Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image To: Linus Torvalds Cc: Jordan Glover , David Howells , linux-man , Linux API , James Morris , Linux Kernel Mailing List , LSM List Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 11, 2018, 5:38 PM Linus Torvalds wrote: > > On Wed, Apr 11, 2018 at 2:05 PM, Jordan Glover > wrote: > >> > >> If that /dev/mem access prevention was just instead done as an even > >> stricter mode of the existing CONFIG_STRICT_DEVMEM, it could just be > >> enabled unconditionally. > > > > CONFIG_DEVMEM=n > > It's actually CONFIG_DEVMEM, CONFIG_DEVKMEM and CONFIG_DEVPORT, it's > just not obvious from the patch. > > But the important part is this part: > > >> So I would seriously ask that the distros that have been using these > >> patches look at which parts of lockdown they could make unconditional > >> (because it doesn't break machines), and which ones need that escape > >> clause. > > .. because I get the feeling that not a lot of people have actually > been testing this, because "turn off secure boot" is such a universal > thing when people boot Linux. > > So it's really the whole claim that distributions have been running > for this for the last five years that I wonder about, and how often > people end up being told: "just disable secure boot":. Very rarely in my experience. And the one time that we sent a kernel to updates-testing that was signed with the test key instead of the real key, we had a surprisingly high number of reports from users that it was broken before the update even got synched to mirrors. So we don't have actual numbers of users running active secure boot with Fedora, but we do know it is more than we expected. The majority of people who do run into issues are those running out of tree modules, who haven't imported any sort of key for local signing. This isn't like SELinux was at launch where it was so invasive that a large number of users instinctively turned it off with every installation, I would guess even people who turned it off in the past, don't even think about it when they get a new machine and leave it on. > But if people really don't need DEVMEM/DEVKMEM/DEVPORT, maybe we > should just disable them in the default configs, and consider them > legacy. > > I'm just surprised. I suspect a lot of people end up actually using > devmem as a fallback for dmidecode etc. Maybe those people don't boot > with EFI secure mode, but if so that just shows that this whole > "hardening" is just security theater. > > Linus