From: Matthew Garrett
Date: Thu, 7 Mar 2019 14:45:49 -0800
Subject: Re: [PATCH v2] x86/ima: require signed kernel modules
To: Mimi Zohar
Cc: linux-integrity, LSM List, Linux Kernel Mailing List, Jessica Yu, Luis Chamberlain, David Howells, Seth Forshee, "Bruno E . O . Meneguele"
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 7, 2019 at 2:41 PM Mimi Zohar wrote:
> On Thu, 2019-03-07 at 14:36 -0800, Matthew Garrett wrote:
> > Right, but how is this different to what Linus was objecting to?
>
> Both Andy Lutomirski and Linus objected to limiting the "lockdown"
> patch set to secure boot enabled systems.

No, Linus objected to it being automatically enabled when secure boot
was enabled. It was always possible to enable it at boot on any
platform.