References: <1542657371-7019-1-git-send-email-zohar@linux.ibm.com> <1542657371-7019-4-git-send-email-zohar@linux.ibm.com>
From: Matthew Garrett
Date: Thu, 7 Mar 2019 14:44:55 -0800
Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
To: Justin Forbes
Cc: Mimi Zohar, linux-integrity, LSM List, linux-efi, Linux Kernel Mailing List, David Howells, Seth Forshee, kexec@lists.infradead.org, Nayna Jain

On Thu, Mar 7, 2019 at 2:38 PM Justin Forbes wrote:
> On Thu, Mar 7, 2019 at 4:29 PM Matthew Garrett wrote:
>>
>> On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar wrote:
>> >
>> > The secure boot mode may not be detected on boot for some reason (eg.
>> > buggy firmware). This patch attempts one more time to detect the
>> > secure boot mode.
>>
>> Do we have cases where this has actually been seen? I'm not sure what
>> the circumstances are that would result in this behaviour.
>
>
> We have never seen it in practice, though we only ever do anything with it with x86, so it is possible that some other platforms maybe?

I'm not sure that it buys us anything to check this in both the boot stub and the running kernel.
If a platform *is* giving us different results, anything else relying on the information from the boot stub is also going to be broken, so we should do this centrally rather than in the IMA code.