Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp995719imm; Fri, 17 Aug 2018 10:02:09 -0700 (PDT) X-Google-Smtp-Source: AA+uWPz2+PZI0sdnsanujeRBpi5A/ZUZLT2pq/3BVLYDEPh/zFYhLPVDRokaClg787oyZ43+RElT X-Received: by 2002:a17:902:7584:: with SMTP id j4-v6mr34605920pll.184.1534525329487; Fri, 17 Aug 2018 10:02:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534525329; cv=none; d=google.com; s=arc-20160816; b=u02o8EXb+B1Nl5amFG/925DyymZ4OMRdZpKI6hsUrnnKml/CuiU9juYt+nZn01daU0 J1k/F1kn0Ox9STp22PUg6BnJ8w/SDLpTsN+OjDC0pdmy6DGWctho9w3zUGX548EP/Okw Cu9zy1gbmoX6H6a8qAq5BCwcSm7hyh/2ZO7yiRidJCo1qSl050d6PmGHtq0wWSAzjgLj CV1UVfxxENB8gbSS+gzYsEIUnvrMxoIlrXJuZtZwM6fJ9TfkRcB9BylmVvU8eYCbfFRx QlSqGGSwAe+FnJsne+wU5fXiZOmUMSpe8H3dUaPAtNUW93NOyayaX3aSZHi+7mhmuqTx cSPw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :organization:references:in-reply-to:message-id:subject:cc:to:from :date:arc-authentication-results; bh=stiFIoiV5n9/reQtHJkx2PQGJ4bShsC6dtHFxcj6JJo=; b=WBlP8C+pPJF72d5lO9f2KWSiBrYoBVVIRRtOitwAmxpWjPk7Nb7mf3gopdtApycL/p kExLeNHXsSNbS+mWhawkuLZxNmtBWE7rXmeJiSd9KCT9ycLgIIL7ldENZ1n9hEb91lRD 3LSmvH8nqTKcx9iZALNDfHG0/LFTmruKW9TrC3SySoka/3CMHLaQwjKte99SXTc9+bSo T92aRyZZm3giHqlM2Lh/Fy2Xc0I/0Ayce/T3RCZKAAeOw7fILYcGp6cqrLf1YNftmEIL WczBtGAlMz2dE+mNf/BY3vgHgWoMNmm3G5gxrfI1KdFOxsx6ObEBB29+EptWk8WWUWKV Twqg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 42-v6si2739618ple.316.2018.08.17.10.01.53; Fri, 17 Aug 2018 10:02:09 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727981AbeHQUEr (ORCPT + 99 others); Fri, 17 Aug 2018 16:04:47 -0400 Received: from www.llwyncelyn.cymru ([82.70.14.225]:48812 "EHLO fuzix.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727948AbeHQUEq (ORCPT ); Fri, 17 Aug 2018 16:04:46 -0400 Received: from alans-desktop (82-70-14-226.dsl.in-addr.zen.co.uk [82.70.14.226]) by fuzix.org (8.15.2/8.15.2) with ESMTP id w7HH0KMj018702; Fri, 17 Aug 2018 18:00:20 +0100 Date: Fri, 17 Aug 2018 18:00:19 +0100 From: Alan Cox To: James Bottomley Cc: David Howells , Vivek Goyal , Yannik Sembritzki , Linus Torvalds , Thomas Gleixner , Ingo Molnar , Peter Anvin , the arch/x86 maintainers , Linux Kernel Mailing List , Dave Young , Baoquan He , "Justin M. Forbes" , Peter Jones , Matthew Garrett Subject: Re: [PATCH] Fix kexec forbidding kernels signed with custom platform keys to boot Message-ID: <20180817180019.3f4366be@alans-desktop> In-Reply-To: <1534431585.3166.4.camel@HansenPartnership.com> References: <1534429345.3166.1.camel@HansenPartnership.com> <20180815185812.GC29541@redhat.com> <20180815100053.13609-1-yannik@sembritzki.me> <654fbafb-69da-cd9a-b176-7b03401e71c5@sembritzki.me> <20180815174247.GB29541@redhat.com> <4911.1534421610@warthog.procyon.org.uk> <25236.1534430630@warthog.procyon.org.uk> <1534431585.3166.4.camel@HansenPartnership.com> Organization: Intel Corporation X-Mailer: Claws Mail 3.16.0 (GTK+ 2.24.32; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > I'm actually not talking about UEFI storage, just the UEFI secure boot > database. I think we might come up with a viable model for adding keys > from a UEFI variable that isn't part of the secure boot database. You also need to be able to remove or not trust the existing ones including the Microsoft keys. Not trust probably makes the most sense. If you trust those you are dead already, because there are existing signed kernel images and Windows boot images that have known remote ring 0 exploits so I can just boot one of those and own you. Since you are never going to make a Fedora update blacklist the previous kernel image it's also not going to get fixed because it's a usability problem. > The reason for keeping this boundary is to do with the politics of > breaches. If we get a breach to the secure boot boundary, Microsoft > and all the ODMs will help us hunt it down and plug it (They have no > option because Windows is threatened by any breach to that boundary). > If we use the keys beyond the secure boot boundary and get a breach > that only affects our use case no-one will help us because no-one will > care. Also the politics of control. A world where Red Hat, Microsoft and some other parties together effectively control who gets to load modules into a free OS for most users is not a good one - whatever the module licence. Plus I'd have thought if your lawyers are scared of signing keys they'll be even more terrified of the competition law impacts of gatekeeping 8) Alan