Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2732179imm; Sun, 5 Aug 2018 10:49:22 -0700 (PDT) X-Google-Smtp-Source: AAOMgpe6zWEepOKndntL3/Bxh4qPzOhgH82rztPUEne6TcNknr6zGMhUEKnzvpWYnA/EFv2hXCKn X-Received: by 2002:a63:9f0a:: with SMTP id g10-v6mr11675548pge.324.1533491362413; Sun, 05 Aug 2018 10:49:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533491362; cv=none; d=google.com; s=arc-20160816; b=Kl+AOApq+OWqD2+o0Xkj1zxL/wSWMDxrFRK/xrCxLXZ2S3BeydVB9FfcI8A9/pUsB3 MYC5E2oYpk1WWEI2qp6+ByL1f42yWvwKrOYHqVNptnCipGljnEMCxKwTLdVau+wgwRCc GlxYk7AQJGEl4s5V7Tlx/X/8MbkOTWHQdUl3HlzRH8l5izniGBMMke5kwfGeMwPZ+fEy hR0gB1APAQwwPcK8BVCNGkvmnaxWKqDjvR1qHbqjOxWVcYrzluYWJNhZXOtZ+XjFXHVA LzVQqwstwwux606EehFFHDGHtJSi3oGayt0ZiqWLQHeNa8cXCwAJx2y2/LeXQjgoI3lp BJyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=e2nqUgkxlxAsh/80oOI78bKHdhbert/MEI89mb0nTJg=; b=Z1khZoexsBjDTRTy8lzYuQE/w7LpE6FXUdv9rfmC4gL09QyeCdy3+Kec+KC/tF2qrG 7FvJVNUydoGke5pVCw1yE6t13H0MhMrBuXoZ6TBXJME7t6rZAdLtHqXpZJL1aQ43ENWm 280ERWNeCL8RJTE1lV6S2zPPbqutweUPTIQfPBb0FWyw/QNDcw7SyITLN60fJAlfsDlK nqrpwRp9SfoMenuHVjTyEa/HpQ4985+DtWq3Q4N1VqQ1Rr5nNO27HnmwBV/MWo9QSWFO FAOXaWz09fWFsm1KH+j4YoIpGA1Y20ZxbH21+UqCHH/uCrs0dglzuTpPVdj8SAbJ0ZCx Murw== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FuO2kYq3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 36-v6si2747837pgr.176.2018.08.05.10.48.55; Sun, 05 Aug 2018 10:49:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=FuO2kYq3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726592AbeHETwu (ORCPT + 99 others); Sun, 5 Aug 2018 15:52:50 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:55608 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726362AbeHETwu (ORCPT ); Sun, 5 Aug 2018 15:52:50 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 3DC7A8EE251; Sun, 5 Aug 2018 10:47:29 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9FvHIjfEqOLU; Sun, 5 Aug 2018 10:47:29 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 1769F8EE0C7; Sun, 5 Aug 2018 10:47:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1533491248; bh=w7pgO9ema1R8uKWcJYWQI8uKqMSkMzMRe7+2SDs01dY=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=FuO2kYq3TG/cDHKxKvpUr5YUqRWJ4SoFJ/i7i17trSfh8jk4BnhKnrEUFiGGxl+Sc R4LMi5ttb9KQkRXbk02dAbdAN8Ye5UJewogDtO7QEBAyC6Vp1EmCLM649AXq/lIuTj nVr3XVWQXGRraigtKMA3bryYVSqSCy+uwmuJAjYQ= Message-ID: <1533491246.4087.1.camel@HansenPartnership.com> Subject: Re: [PATCH 0/6][RFC] Add EFI secure key to key retention service From: James Bottomley To: Ard Biesheuvel , "Lee, Chun-Yi" Cc: Linux Kernel Mailing List , linux-efi , the arch/x86 maintainers , keyrings@vger.kernel.org, linux-integrity , "Lee, Chun-Yi" , Kees Cook , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "Rafael J. Wysocki" , Pavel Machek , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Mimi Zohar Date: Sun, 05 Aug 2018 10:47:26 -0700 In-Reply-To: References: <20180805032119.20485-1-jlee@suse.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 2018-08-05 at 09:25 +0200, Ard Biesheuvel wrote: > Hello Chun,yi, > > On 5 August 2018 at 05:21, Lee, Chun-Yi > wrote: > > When secure boot is enabled, only signed EFI binary can access > > EFI boot service variable before ExitBootService. Which means that > > the EFI boot service variable is secure. > > > > No it, isn't, and this is a very dangerous assumption to make. > > 'Secure' means different things to different people. 'Secure boot' is > a misnomer, since it is too vague: it should be called 'authenticated > boot', and the catch is that authentication using public-key crypto > does not involve secrets at all. Hang on, let's not throw the baby out with the bathwater here. The design of "secure boot" is to create a boot time environment where only trusted code may execute. We rely on this trust guarantee when we pivot from the EFI to the MoK root of trust in shim. The reason we in Linux trust this guarantee is that it pertains to the boot environment only, so any violation would allow Windows boot to be compromised as well and we trust Microsoft's Business interests in securing windows far enough to think this would be dealt with very severely and it's an outcome the ODMs (who also add secure boot keys) are worried enough about to be very careful. The rub (and this is where I'm agreeing with Ard) is that any use case we come up with where a violation wouldn't cause a problem in windows is a use case where we cannot rely on the guarantee because Microsoft no longer has a strong business interest in policing it. This, for instance, is why we don't populate the Linux trusted keyrings with the secure boot keys (we may trust them in the boot environment where compromise would be shared with windows but we can't trust them in the Linux OS environment where it wouldn't). So this means we have to be very careful coming up with uses for secure boot that aren't strictly rooted in the guarantee as enforced by the business interests of Microsoft and the ODMs. > The UEFI variable store was not designed with confidentiality in > mind, and assuming [given the reputation of EFI on the implementation > side] that you can use it to keep secrets is rather unwise imho. Agree completely here: Microsoft doesn't use UEFI variables for confidentiality, so we shouldn't either. If you want confidentiality, use a TPM (like Microsoft does for the bitlocker key). James