Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2569958imm; Thu, 16 Aug 2018 11:40:03 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxoGr+OIqEDv8Dlnu6QlmaTpdKvX7wYoZrFbwzOAxscSf5P0ltZcrUV19bdOe5YRv1TpD1F X-Received: by 2002:a17:902:6b05:: with SMTP id o5-v6mr29872610plk.338.1534444803340; Thu, 16 Aug 2018 11:40:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534444803; cv=none; d=google.com; s=arc-20160816; b=DrHNZMSw1NqBa7Ix6esSSEkAoZ7oR4CEZwHiZ8V4UvPFtg31qBKqZINXZOg6Wwahsp o7NR/G4m6yUfufhN1aY+DidZN1dsitYAU1zVPR2IvtU1AgFtqfhtRMLkPe+ctjgsg4so YET7onuinZjCGqXZE7BCXmY5jBvIThUlpIAP/rim1JJb4yGKuPoUKO3vT5X10JCb9pL7 Q/1nKzzumhtLabE7PRDA7UOcgf+Zd7N8S2Mh09yRMh48y/9TWYtO55ZJtoQaWyKcbjgE A24oltV0z/zRyAmg3DUAnFD8L5aE8eTTBusmV2gOmccMA+ZuEr80zP525flAOwgfgZSf zy2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:arc-authentication-results; bh=cu21ZP06nyA7aZUEW9BRuLWQ+hqcrFGX7dvJ41qIke0=; b=kDQegL+8pl1DRrY8hua2G05NaT/6PBgreq6HlH04tK2kx3GXnnEO7ByGndTmISxQNW XepT0DkogcDknXpndK4AvZJjGsUIymNkBig8TgWdDGZtonWMNUlKJwH5DN/o71Yj09zm coQmf6uxsPmWku2mQ+1VeDYo5n0LruWfy1JCsZbw/1PVrR3K3Fic6YNPHz0sS0xXZBKJ VQhlfhIqceObCLEYdLXtRL8K4ifOQAzjr80SzLHCpYG1dKk4VO6X6OdhWeBJnXE2KKMT UHpaZahuWuPTDKsx5Nz1RSK88w6ND+6y8hR6DYiPIrHHc4OwqA0kima5dIrjbV3Sa2p+ p1wg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=M1W58xaU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m64-v6si27107pfc.17.2018.08.16.11.39.48; Thu, 16 Aug 2018 11:40:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=M1W58xaU; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2403969AbeHPR6s (ORCPT + 99 others); Thu, 16 Aug 2018 13:58:48 -0400 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:43368 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726022AbeHPR6s (ORCPT ); Thu, 16 Aug 2018 13:58:48 -0400 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 06D5E8EE171; Thu, 16 Aug 2018 07:59:47 -0700 (PDT) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gHKZfNQlFF6u; Thu, 16 Aug 2018 07:59:46 -0700 (PDT) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 41BC38EE092; Thu, 16 Aug 2018 07:59:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1534431586; bh=p5vmq23YstOfS1KfebH9fwWCi0fanc2JFLrWwpNsEF0=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=M1W58xaUhJ2u0XRoFTJKOzU48wKV4xwuNA8b9UnDp81nvBN0WhOvNdNNsyvmutBmd C1QsRqe7CmvBvYsni0QSZf31axqRBCORUEcJrD5JESagCnIZSQUdD1TVP3XJ6GiEJH U7RnzBkYBiAyWbO7PTcMZdk8HiLKv1wTCWw2glDM= Message-ID: <1534431585.3166.4.camel@HansenPartnership.com> Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot From: James Bottomley To: David Howells Cc: Vivek Goyal , Yannik Sembritzki , Linus Torvalds , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , "Justin M. Forbes" , Peter Jones , Matthew Garrett Date: Thu, 16 Aug 2018 07:59:45 -0700 In-Reply-To: <25236.1534430630@warthog.procyon.org.uk> References: <1534429345.3166.1.camel@HansenPartnership.com> <20180815185812.GC29541@redhat.com> <20180815100053.13609-1-yannik@sembritzki.me> <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me> <20180815174247.GB29541@redhat.com> <4911.1534421610@warthog.procyon.org.uk> <25236.1534430630@warthog.procyon.org.uk> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2018-08-16 at 15:43 +0100, David Howells wrote: > James Bottomley wrote: > > > I've told you several times you can't use the secure boot keys for > > any form > > of trust beyond boot, > > Yes - and you've been told several times that you're wrong. > > As far as I can tell, you seem to think that whilst keys from the > UEFI storage could be used to verify a hacked module, they couldn't > be used to verify a hacked boot-time component (shim, grub, kernel, > etc.). I'm actually not talking about UEFI storage, just the UEFI secure boot database. I think we might come up with a viable model for adding keys from a UEFI variable that isn't part of the secure boot database. > However, if you can load a hacked module, you can very likely replace > the shim, say, with a hacked one.  In fact, replacing the shim may be > easier because modules are tied to their parent kernel in other ways > besides the signing key, whereas a shim must be standalone. I think our misunderstanding is around the granularity of security. You seem to be arguing that it's monolithic; that's true for compromise (usually one compromise to anything breaks everything) but it's not true for trust. Trust goes in defined boundaries. For the secure boot keys that boundary ends after boot which is why trusting them into the kernel runtime is wrong. The reason for keeping this boundary is to do with the politics of breaches. If we get a breach to the secure boot boundary, Microsoft and all the ODMs will help us hunt it down and plug it (They have no option because Windows is threatened by any breach to that boundary). If we use the keys beyond the secure boot boundary and get a breach that only affects our use case no-one will help us because no-one will care. > I will grant, however, that it I can understand a desire to reduce > the attack surface by not trusting the UEFI keys beyond booting - but > then you shouldn't use them for kexec *either*. Depends whether you see kexec as a boot process or not, I think. > > Personally, I don't see any use for the UEFI keys in the kernel > > beyond kexec > > Allowing you to load the NVidia module, say, into the kernel without > the distribution having to build it in with the kernel. How about I address that one in your invitation to a flamewar? James