Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1233468imm; Wed, 15 Aug 2018 13:54:20 -0700 (PDT) X-Google-Smtp-Source: AA+uWPwyGrbCQqD1+J8UQBm7qI8Xn8qnsWwsm51fyM6mDxS4x/fwC9iSRAoQU0ggQu8xf0eOYbzp X-Received: by 2002:a63:ab0c:: with SMTP id p12-v6mr26133954pgf.190.1534366460399; Wed, 15 Aug 2018 13:54:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534366460; cv=none; d=google.com; s=arc-20160816; b=oHag29Q58TVGAd+fbpsUkwtgv2Kl7gHFXYYv7wwyI9rGqZTy1wI0h9y5I8kmXcQJkE DhW73DLfgaaihF5W4jUAE6napnHjYEDHkXa1lRgbsHXRXf7s1VYtWK0bZtMG4XyHl3hB aMCDqECX5YsES+XY83ig/uLgfF7KFVyLhZsIkn8enrzSH+zFp3OEMwXVSSFesBKgznEy XPoLqj7IwofHd9z/vuZPQ1gIa+ZT9X4ijOOje5qURc4D/2L7syEk8GlGY1Rk4BlU8qbT LXfgfZZeJckaYW+8gaa8oFCucn+697SGYr9crFtqLXUvF7xqrYgvsC+HMcUyV0qv68hn EmXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=IUvRFM0PLTtTBWXc5hSRCWV7v3yZRZ8T32WOCW4bA2s=; b=gpFm4zvrX36unTW+pDJVJk/961F8deDJuvNuNyyuEGFlQjymM9nBc7tF8p55qoUssl s5Js9vel6SDxE6RfZKoue66DMATPLKZf3iGXaNaMyrzNRmdN5skb7XcMUvEKtpcHJ9J4 72uD2QYPex4VXeZiP2PUisZHiGS78qnL/qDAEKwqcOHRabhlQELDEcjrZrSK3cDer9uH C3/EhCzIhakxz31URdJ+dJ10RWJfzdKIaQKaeNapnLo5HHJmqqQZ6YXTsdWT+n8+kJal GkelklG25rHQj7S+C2eMuYH+QYXStfGZnfy11lEUw6+BI+SEjMd3c+/SsFc8N7XwvW1R ZEUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=seSTvXe0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b1-v6si19010742pld.396.2018.08.15.13.54.05; Wed, 15 Aug 2018 13:54:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=seSTvXe0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727501AbeHOXrF (ORCPT + 99 others); Wed, 15 Aug 2018 19:47:05 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:35548 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726183AbeHOXrF (ORCPT ); Wed, 15 Aug 2018 19:47:05 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 188118EE171; Wed, 15 Aug 2018 13:53:17 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ql1yjkpTFri6; Wed, 15 Aug 2018 13:53:16 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 4ACD28EE0C9; Wed, 15 Aug 2018 13:53:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1534366396; bh=wXNx8GgRIfTPfp2DDyff1hQOYdpU/He0x5Lfq9Avd4g=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=seSTvXe0WPCfWfxqN5ofg7fb6JgrcrtsMOq96GuZg/gPtLw/rkGeQAuDyRrpE4NeP UAYE8uTbGRW7VjowcvDUzleOS9aXrTs0DUAX8npyrT+RXehPpIGM7lE8uPedaYyN1y ifgu0OAV9YKIi0HM1+5mqQjZiS8VvA2enAicQY/I= Message-ID: <1534366395.4049.19.camel@HansenPartnership.com> Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot From: James Bottomley To: Linus Torvalds , Vivek Goyal Cc: yannik@sembritzki.me, David Howells , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , Justin Forbes , Peter Jones , Matthew Garrett Date: Wed, 15 Aug 2018 13:53:15 -0700 In-Reply-To: References: <20180815100053.13609-1-yannik@sembritzki.me> <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me> <20180815174247.GB29541@redhat.com> <20180815185812.GC29541@redhat.com> <20180815194932.GD29541@redhat.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2018-08-15 at 13:47 -0700, Linus Torvalds wrote: > On Wed, Aug 15, 2018 at 12:49 PM Vivek Goyal > wrote: > > > > I see that module signing code trusts only builtin keys and > > not the keys in secondary_trusted_keys keyring. > > This, I think, makes sense. > > It basically says: we don't allow modules that weren't built with the > kernel. Adding a new key later and signing a module with it violates > that premise. Yes, the point is about layers of trust. The UEFI secure boot keys for a standard (i.e. system where the user hasn't taken ownership) contain Microsoft and some ODM vendor keys. You're forced to trust these keys in the boot (or reboot) environment because that's consistent with the way windows operates (any breach and microsoft will get annoyed and help us sort it out). You can't trust them for other kernel key operations because that's outside the boot environment trust boundary and if something goes wrong (say someone at an ODM signs a malicious linux kernel module because the ODM keys are trusted to sign modules) Microsoft won't care and we'll be on our own with no real ability to sort it out. James