Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2568904imm; Thu, 16 Aug 2018 11:38:48 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxNfB28iyPb/SFO+a44R6m5y7SWNgZo/vqe7i5JYJnuHiMOEkN0pWwopeyS1niMHcjz8oJF X-Received: by 2002:a65:5545:: with SMTP id t5-v6mr30209431pgr.157.1534444728868; Thu, 16 Aug 2018 11:38:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534444728; cv=none; d=google.com; s=arc-20160816; b=BKxT2WDbICANEdCWj3+xE9QYGxSC8Rgrsh52V1Y+7TkO0a6Psd6NX2sLcaSiQmQAhn YRiwG73op89xHnafWWmmVpkdVNEnKsJObWs8sfqnI7w+9XXpZV+5JelgMux5zc5xZs8y apl4EQJBpryWOMSMLrOoxPfs5UXICRmZAVXq3ZZvcMHQghFZQQIkVNubSjBkO3yTT6Jw 03RbG4Jp8zBMREs37HpB2wdSGP+Yfa2NnGWpb90GEb2/rDSisoLTwfHQY40MqMThJz0Z Mavel2Gc++5T+fhpKlr7cg3IhqYEuz9pC+uSJ0OJgWhO0geUklZ4BF9/loB0zzTDCXvn HqYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:content-id:mime-version :subject:cc:to:references:in-reply-to:from:organization :arc-authentication-results; bh=5K27njrwZg81wOjpem5yfpsoeQQqZDWUBKYiInnDDWs=; b=bapmv6SDp7xseYceo9B4zLLnz1n0RNuNDBzjY9HptP5k8gaIqFmlcX/OWT8jDBrDkF 4aesrUeQ4tVH3dNECJcIxYgyVWLqGdRp6dFP0xHmxs60aeEBdTfjP1uj5lvyq2sNBMNs aliXsdg4acDrKLEzseI0nlmxZzMATt75TlXHRi1zi4zFKVFXEVdLLrYmBpBtHeyzBwqX X8WGpUHeXpIz7LArcvSjwRz2NA2qmyQZzx1D8dM8pnohlYdfpgMRSNcHgRFRXurJoj/Q DyNZhBwH8xShcazYQgA99xUzcMO4eui8jc0pqba0wFdHu308TVfkLHImKKV+fyP7jxWP 2MKw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d39-v6si34694pla.41.2018.08.16.11.38.33; Thu, 16 Aug 2018 11:38:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389609AbeHPRmz (ORCPT + 99 others); Thu, 16 Aug 2018 13:42:55 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:47256 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S2387985AbeHPRmy (ORCPT ); Thu, 16 Aug 2018 13:42:54 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DDFC7818F04C; Thu, 16 Aug 2018 14:43:55 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-130.rdu2.redhat.com [10.10.120.130]) by smtp.corp.redhat.com (Postfix) with ESMTP id 606F72142F21; Thu, 16 Aug 2018 14:43:51 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 From: David Howells In-Reply-To: <1534429345.3166.1.camel@HansenPartnership.com> References: <1534429345.3166.1.camel@HansenPartnership.com> <20180815185812.GC29541@redhat.com> <20180815100053.13609-1-yannik@sembritzki.me> <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me> <20180815174247.GB29541@redhat.com> <4911.1534421610@warthog.procyon.org.uk> To: James Bottomley Cc: dhowells@redhat.com, Vivek Goyal , Yannik Sembritzki , Linus Torvalds , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , "Justin M. Forbes" , Peter Jones , Matthew Garrett Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <25235.1534430630.1@warthog.procyon.org.uk> Date: Thu, 16 Aug 2018 15:43:50 +0100 Message-ID: <25236.1534430630@warthog.procyon.org.uk> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 16 Aug 2018 14:43:55 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Thu, 16 Aug 2018 14:43:55 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org James Bottomley wrote: > I've told you several times you can't use the secure boot keys for any form > of trust beyond boot, Yes - and you've been told several times that you're wrong. As far as I can tell, you seem to think that whilst keys from the UEFI storage could be used to verify a hacked module, they couldn't be used to verify a hacked boot-time component (shim, grub, kernel, etc.). However, if you can load a hacked module, you can very likely replace the shim, say, with a hacked one. In fact, replacing the shim may be easier because modules are tied to their parent kernel in other ways besides the signing key, whereas a shim must be standalone. I will grant, however, that it I can understand a desire to reduce the attack surface by not trusting the UEFI keys beyond booting - but then you shouldn't use them for kexec *either*. > Personally, I don't see any use for the UEFI keys in the kernel beyond > kexec Allowing you to load the NVidia module, say, into the kernel without the distribution having to build it in with the kernel. David