Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp41930imb;
        Thu, 28 Feb 2019 15:22:35 -0800 (PST)
X-Google-Smtp-Source: APXvYqwGieOMOqe/Xwk1XcHgkVnlfQk4BSQFL8X6JQwFYBCxZNSFoIZBV4rqjfAeYV2VvxlNf1FG
X-Received: by 2002:a63:f544:: with SMTP id e4mr1709693pgk.145.1551396155070;
        Thu, 28 Feb 2019 15:22:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551396155; cv=none;
        d=google.com; s=arc-20160816;
        b=bSL7XleLkHhsa5EKt1m2S3jzUJccJDNig2UiGcsq84QPCjK8a6SpolMMC8enLiV/vy
         O7fp7Y7u6X1/vpTE1pcx0svvthA6Y2SPjowOe6NtJY32WkQWpgDFo1hYu5OAKPcyNj1X
         xoHXFLUe9ToQemv7BS4RHyQj+5a1JisyrmEV3XUv2Gzj2pwFADjM616CB6I2KwkXh8h+
         bb7f08DH75vgWdPxscu1OnY48J3QUXBCZrXzVg4Hb/UgBed45TVViaGKbQOkVniYB/38
         mYMx3pkRD3hQNsQ2tz8QtKyHyess9xU1j8pshhi9yEroJKRi2ls99bOnLmRAS71kMy3f
         2W1g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=U4EKtO8Lt7LtImVbYr492MAgae5N97F7gOgi1ky7qcA=;
        b=YFuZ8prsuS2/9u4blww06ENA4SRSP89xVxTm1e6B74YQK3tx1iTMOseIXIYXz6dElz
         Knoy1+gzUuMAQOxACtGDU5M8Rq+qMXHIUTPku/RqHpGPhY3tSqOzDdBjRmTtl5x8CDNC
         9ziP/YE2SoPJXydczt+T8bljn8Bu79GejSMZOlrPH2snDIdoWYBM83L0lYy5vZAYgjLo
         nq4hgVTjGzudaWcy/37TZcM81wH8Shwf04OIVP8OsTigm+pEwZTU4zeAFf4W6mJt3tMc
         NVwybWQ4O9NzpzlK4hXzsPfh2xQT8ikLdBQbc9ZHyPw0w8YVjok9FVWeOY/A/+iHJISX
         TGKg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jr40GoDs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 14si7506833pfk.171.2019.02.28.15.22.18;
        Thu, 28 Feb 2019 15:22:35 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=jr40GoDs;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2388296AbfB1XN1 (ORCPT <rfc822;patchstalker@gmail.com>
        + 99 others); Thu, 28 Feb 2019 18:13:27 -0500
Received: from mail-it1-f176.google.com ([209.85.166.176]:51107 "EHLO
        mail-it1-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2388221AbfB1XNR (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 28 Feb 2019 18:13:17 -0500
Received: by mail-it1-f176.google.com with SMTP id m137so17422231ita.0
        for <linux-kernel@vger.kernel.org>; Thu, 28 Feb 2019 15:13:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=U4EKtO8Lt7LtImVbYr492MAgae5N97F7gOgi1ky7qcA=;
        b=jr40GoDsA4xDK8qdPIT9cYlD4zAlUwWZfhzOTKJso8uZo4FClC7lw+WzSx866wul2F
         JlLJtbRRvwiyTzqAe6Oj6iNBu3wQQoFEnts48KGzv3gWbtKpdyr94UUFMU+OqyVFnMck
         Xxz3Zsgfg7C9ICnWW/JgS9WDw8Vugr9o2CI/IPJJLTlzZoHvc1jqf5F883/JfdZ1ECQr
         bzIESikqDXoQuXwZE5JK4OALLdc1MlaUl9HX0b5W9PgaCjt6gWmnfX/pdtDtoMkIWbHI
         c/YFbbu7ZwsvI0NHXNxboma7qsWJmx0zKSPr6cC6C0pC0C845IwmMxXPmN1IhvmP1koH
         VUIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=U4EKtO8Lt7LtImVbYr492MAgae5N97F7gOgi1ky7qcA=;
        b=RE+k2gU6nuIhYxAeDWyhQHYxVyGV6BIzDFpvMJJCMUtCXWhGtOGrBPHNiPoDQGFO7G
         CNjCT0KOJoQCEq19/2myBEbVZa1zP5wHMFuagT0411HYB/ZNzLBSyFhGuapA02fJwd1C
         qX0PCMwGzFjqg4jOhxvRNOLdZYDGM56Wkw0/ErbvgeBJmV9vPntrspcAnls8+vnzxh1k
         FYNNgJghs4c5H5PaQ5PEq2/CPx7ZzPAeA9VQ1Sj21fE7EK82jp8y3Dq8HWAPeFhKpfnd
         dGoV6ZD/e9Y2upr5d4Iu9IEGKKsFrgO6pLSC20DCgIFyPH2z4mFZAZBphf3JYAdRtVJr
         UYRw==
X-Gm-Message-State: APjAAAURahk6HQjf59wWOjweG9hOo8/eveEDuSYzzjQuxE/BBitZemsQ
        4XbYhw/63OzqsCCq73Hn17NoS+KFSR14o/LRUn2SWw==
X-Received: by 2002:a02:76c2:: with SMTP id z185mr966343jab.102.1551395596607;
 Thu, 28 Feb 2019 15:13:16 -0800 (PST)
MIME-Version: 1.0
References: <CACdnJuvW47m3JvEcuEX1bsr+L2Ht9LDn_iCuPbHLOoaohOFW4Q@mail.gmail.com>
 <1551392438.10911.227.camel@linux.ibm.com>
In-Reply-To: <1551392438.10911.227.camel@linux.ibm.com>
From:   Matthew Garrett <mjg59@google.com>
Date:   Thu, 28 Feb 2019 15:13:05 -0800
Message-ID: <CACdnJuvwnh0PKr5jUTm2h=P5-u-oLgBjvThX+DxcegShXReCdA@mail.gmail.com>
Subject: Re: [PULL REQUEST] Lock down patches
To:     Mimi Zohar <zohar@linux.ibm.com>
Cc:     jmorris@namei.org,
        LSM List <linux-security-module@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        David Howells <dhowells@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 28, 2019 at 2:20 PM Mimi Zohar <zohar@linux.ibm.com> wrote:
> On Thu, 2019-02-28 at 13:28 -0800, Matthew Garrett wrote:
> > This PR is mostly the same as the previous attempt, but with the
> > following changes:
>
> Where/when was this latest version of the patches posted?

They should have followed this, but git-send-email choked on some
reviewed-by: lines so I'm just trying to sort that out.

> >
> > 1) The integration between EFI secure boot and the lockdown state has
> > been removed
> > 2) A new CONFIG_KERNEL_LOCK_DOWN_FORCE kconfig option has been added,
> > which will always enable lockdown regardless of the kernel command
> > line
> > 3) The integration with IMA has been dropped for now. Requiring the
> > use of the IMA secure boot policy when lockdown is enabled isn't
> > practical for most distributions at the moment, as there's still not a
> > great deal of infrastructure for shipping packages with appropriate
> > IMA signatures, and it makes it complicated for end users to manage
> > custom IMA policies.
>
> I'm all in favor of dropping the original attempt to coordinate
> between the kexec PE and IMA kernel image signatures and the kernel
> appended and IMA modules signatures, but there has been quite a bit of
> work recently coordinating the different types of signatures.
>
> Preventing systems which do use IMA for signature verification, should
> not limit their ability to enable "lock down".  Does this version of
> the "lock down" patches coordinate the different kexec kernel image
> and kernel module signature verification methods?

It's a little more complicated than this. We can't just rely on IMA
appraisal - it has to be based on digital signatures, and the existing
patch only made that implicit by enabling the secure_boot policy. I
think we do want to integrate these, but there's a few things we need
to take into account:

1) An integrated solution can't depend on xattrs, both because of the
lagging support for distributing those signatures but also because we
need to support filesystems that don't support xattrs
2) An integrated solution can't depend on the current secure_boot
policy because that requires signed IMA policy updates, but
distributions have no way of knowing what IMA policy end users require

In any case, I do agree that we should aim to make this more
reasonable - having orthogonal signing code doesn't benefit anyone.
Once there's solid agreement on that we can extend this support.