Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp1252633imm;
        Wed, 15 Aug 2018 14:14:29 -0700 (PDT)
X-Google-Smtp-Source: AA+uWPy2SrHI8kyxbnseL9pyiqk/wgsiWnqFefv2OSmbLHOv7rZkQW36BKOIg4thD//auPxw45E4
X-Received: by 2002:aa7:84c2:: with SMTP id x2-v6mr21815444pfn.220.1534367669892;
        Wed, 15 Aug 2018 14:14:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1534367669; cv=none;
        d=google.com; s=arc-20160816;
        b=BGUogkAAsLNG7+PrGnYlTZsp0YAOAVteuoiLOf3yn7qalYFpXp1EP3cPhZjpuS0V+r
         EVfZlXbYc0dsB/nVFUmpkk8YvE/08NMb4xiK5yCPJSaY41C2VzKNgYUWWrf14r//8D8g
         O5snbqEGHdbVUZKJByKQrdTnyU6XYJMt3zGpOMr+XdGDPN1lGj/YM/cUckVJd2P86MHJ
         szUPB3RzPFiofpfYo7qJUrY5tZHN5URqYe5wWT0YSdOVeOPIedmWOqhIwN5H3KdVr/VH
         wBSHsglacVg5/dx3byZS/GIgD9Z57QIJlRMvAIr91XIJ/9Zasbl3M4y0Mee1Tgiiw5TO
         meAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:date:cc:to:from:subject:message-id
         :dkim-signature:arc-authentication-results;
        bh=Prs/r8+LDCRWT+mmQnvTXSI++kaR3bVOOOf27CwYhiI=;
        b=Nc/8570FlEYKl3/3NoM4C4asHTpJk9IMWXEBWZWB4GrjpVl47pi5jkU2waZ/TUN6A9
         44x0fbrfbcYoEDgTexIqPFlvZhfj1VcC5vlZvHQf7HPIvdP8z0Xlh7Q7jBPkEDcNKO2n
         bDoFXQ9ZolQOZ6Ic+VucIFZgSAIAD4WQJwEWJuXMo/ENkQrTfPlzE0H8cIqkBG+YP4OQ
         C38f251IoKBghqk2+5y7EmeY1gP6G4KDhNQPGlZsDSZ3EtjGcdcFxllGsowg6XqI3Hoy
         tsmtONCU9GSksirpDZs3/n+nMFAZfnZM2OSx2WDES8uEK0cbUumu32R4D94oRaUrlk6m
         8G1w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b="LRrw2/os";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id q8-v6si22217667pfh.353.2018.08.15.14.14.14;
        Wed, 15 Aug 2018 14:14:29 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b="LRrw2/os";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727527AbeHPAHM (ORCPT <rfc822;ruroungkernel@gmail.com>
        + 99 others); Wed, 15 Aug 2018 20:07:12 -0400
Received: from bedivere.hansenpartnership.com ([66.63.167.143]:35716 "EHLO
        bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726763AbeHPAHL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 15 Aug 2018 20:07:11 -0400
Received: from localhost (localhost [127.0.0.1])
        by bedivere.hansenpartnership.com (Postfix) with ESMTP id 6643A8EE171;
        Wed, 15 Aug 2018 14:13:19 -0700 (PDT)
Received: from bedivere.hansenpartnership.com ([127.0.0.1])
        by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id 2K7SWqtZgajT; Wed, 15 Aug 2018 14:13:19 -0700 (PDT)
Received: from [153.66.254.194] (unknown [50.35.68.20])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 917078EE0C9;
        Wed, 15 Aug 2018 14:13:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com;
        s=20151216; t=1534367599;
        bh=P5T4ltgHXpEQK/SUueIgySaH1ymNIio3ipZIOX2fZu4=;
        h=Subject:From:To:Cc:Date:In-Reply-To:References:From;
        b=LRrw2/ospAcNEDfe1xuwQNmRWBFHA5ocLio2iKHW6qquq+91+/YhCHgsINjgl3Bc+
         +GvYi18w1pKTQiEMJhg40KtPAklI4QeL62UMb6oSSexSMZOBkmOXbvsQ56rf7R7QXj
         +ZstNw4GBRfdQWgRsHA73Wt7KnG+yHv9EuH+4jPM=
Message-ID: <1534367597.4049.21.camel@HansenPartnership.com>
Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom
 platform keys to boot
From:   James Bottomley <James.Bottomley@HansenPartnership.com>
To:     Yannik Sembritzki <yannik@sembritzki.me>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Vivek Goyal <vgoyal@redhat.com>
Cc:     David Howells <dhowells@redhat.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, Peter Anvin <hpa@zytor.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Dave Young <dyoung@redhat.com>, Baoquan He <bhe@redhat.com>,
        Justin Forbes <jforbes@redhat.com>,
        Peter Jones <pjones@redhat.com>,
        Matthew Garrett <mjg59@google.com>
Date:   Wed, 15 Aug 2018 14:13:17 -0700
In-Reply-To: <1ca6772b-46e0-9d93-0e15-7cf73a0b7b3f@sembritzki.me>
References: <20180815100053.13609-1-yannik@sembritzki.me>
         <CA+55aFx2goMXj7rQg-qx-puiiWYJmkDMU1xniWEu6ikDBNgfdQ@mail.gmail.com>
         <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me>
         <20180815174247.GB29541@redhat.com> <20180815185812.GC29541@redhat.com>
         <b2649b70-37b6-3929-a9d0-3d82033b2686@sembritzki.me>
         <20180815194932.GD29541@redhat.com>
         <CA+55aFzRHVXP4Ag4aygao1dTGaaMJZSOisHT2ks3_WP97kLLhQ@mail.gmail.com>
         <1ca6772b-46e0-9d93-0e15-7cf73a0b7b3f@sembritzki.me>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.22.6 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 2018-08-15 at 23:08 +0200, Yannik Sembritzki wrote:
> On 15.08.2018 22:47, Linus Torvalds wrote:
> > It basically says: we don't allow modules that weren't built with
> > the kernel. Adding a new key later and signing a module with it
> > violates that premise.
> 
> Considering the following scenario:
> A user is running a distro kernel, which is built by the distro, and
> has the distro signing key builtin (i.e. fedora). Now, the user has
> taken ownership of their system and provisioned their own platform
> key. Accordingly, the user signs the distro kernel with their own
> key.
> 
> If I understand you correctly, modules signed by the users own key,
> but not signed with the distro key, will stop working in this case?

They never actually would have worked, but yes.

> IMO, this is not okay. The layer of trust should extend from the
> bottom (user-provisioned platform key) up. Only trusting the kernel
> builtin key later on (wrt. kernel modules) contradicts this
> principal.

The kernel can't tell whether the UEFI user has taken ownership or not
so it has no basis on which to make a decision to trust the UEFI keys
or not, so we should *always* not trust them.

Consider a UEFI system for which a user has taken ownership, but which
has some signed ROMs which are UEFI secure boot verified.  Simply to
get their system to boot the user will be forced to add the ODM key to
the UEFI db ... and I'm sure in that situation the user wouldn't want
to trust the ODM key further than booting.

James