Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp2159104ybc;
        Wed, 20 Nov 2019 09:44:27 -0800 (PST)
X-Google-Smtp-Source: APXvYqx3SR//ONnw9puK7mOSGS9QyOdEU7AogVSTSk8OXZS7VB619xmMI8ZWvZQdssN9k3u/8q8i
X-Received: by 2002:a17:906:938c:: with SMTP id l12mr6678324ejx.135.1574271867205;
        Wed, 20 Nov 2019 09:44:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1574271867; cv=none;
        d=google.com; s=arc-20160816;
        b=ph/pFEt35jP6XqggZPeFsRtBf9YA3WenBTiwXmOxJzimTH8eLMfnJ3dm05trmrw0Oo
         nYfNlvWL/+N7IytmHQPFKi9NCHdu9B2McaF+rwjGvZOzn6MfgF/lxmHY5q6oFaayrslH
         o/RaaN+hzXAK+IaBJN5siHYQ1vV2YDeGgKPJ1PO4K9SqaiTG4uJl1lltcKiL8yEPrwEF
         yVnW+ZZA50vf+bAbGzSyAJOWT/AFSmk+/qxXi3yLJ5sGWUfkKC8sNGg7oD5+TaR/rDbR
         JIkWVcdHbTdb0gQpJZ4ILiUIn/HRpn7DBzRDzTSFCF4ELbOaKHoojk/HSjFysv2qlCKS
         fvvg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:organization:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=e4VbXFK+3LL/aXnK3+d+KbMgyPmGzG4EyVNX3YB6JZs=;
        b=kLK7QeGha6BZ1O1CSpJ7Zs0vnskkwypkMLsQtKgcXVW750ujda8VJ/iJ59sp5uf/In
         V4kXN86HaSVSSYhzhQ608PmWU96GDTWv2k3spne8Qgl+q6omiOohIvguE1OaVl+Vs5I/
         qduusH6obkD/LufPLHG6B0XJBHYwZjbt0oTqrXlFZfaCwK1RvNK2DjzMLfykgejYk0aS
         ZAoa0QmHyYGauJr0ebMH8bvufL9fMFJuLU+O4v/hbhsMkrzvaCJ+TjulWYAQ5zvV7KnW
         HdyJUSquEg5V0FLWKMS6mm88oNRncpZnNI7yh9VN1o7CC2pa1g2d022SgS/JdOvo0ccI
         lL6w==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v11si16142599ejw.30.2019.11.20.09.44.02;
        Wed, 20 Nov 2019 09:44:27 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727998AbfKTRnG (ORCPT <rfc822;rao.subba.venkata@gmail.com>
        + 99 others); Wed, 20 Nov 2019 12:43:06 -0500
Received: from mga17.intel.com ([192.55.52.151]:8323 "EHLO mga17.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726675AbfKTRnG (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 20 Nov 2019 12:43:06 -0500
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga107.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Nov 2019 09:43:05 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.69,222,1571727600"; 
   d="scan'208";a="215872717"
Received: from lahna.fi.intel.com (HELO lahna) ([10.237.72.163])
  by fmsmga001.fm.intel.com with SMTP; 20 Nov 2019 09:43:02 -0800
Received: by lahna (sSMTP sendmail emulation); Wed, 20 Nov 2019 19:43:01 +0200
Date:   Wed, 20 Nov 2019 19:43:01 +0200
From:   Mika Westerberg <mika.westerberg@linux.intel.com>
To:     Yehezkel Bernat <yehezkelshb@gmail.com>
Cc:     Mario Limonciello <Mario.Limonciello@dell.com>,
        pmenzel@molgen.mpg.de, Andreas Noever <andreas.noever@gmail.com>,
        Michael Jamet <michael.jamet@intel.com>, ck@xatom.net,
        LKML <linux-kernel@vger.kernel.org>,
        Anthony Wong <anthony.wong@canonical.com>
Subject: Re: USB devices on Dell TB16 dock stop working after resuming
Message-ID: <20191120174301.GO11621@lahna.fi.intel.com>
References: <20191104154446.GH2552@lahna.fi.intel.com>
 <ea829adedf0445c0845e25d6e4b47905@AUSX13MPC105.AMER.DELL.COM>
 <d8cb6bc6-8145-eaed-5ba4-d7291478bdd7@molgen.mpg.de>
 <20191104162103.GI2552@lahna.fi.intel.com>
 <f0257624-920e-eec4-a2ec-7adf8ecbcc9d@molgen.mpg.de>
 <20191120105048.GY11621@lahna.fi.intel.com>
 <ccfa5f1a1b5e475aa4ddcbed2297b9c4@AUSX13MPC105.AMER.DELL.COM>
 <20191120152351.GJ11621@lahna.fi.intel.com>
 <90daf5669f064057b3d0da5fc110b3a4@AUSX13MPC105.AMER.DELL.COM>
 <CA+CmpXubOwsradq=ObUF-h6WBpRF3tDx9TqaUO8TeJDqvdeGPg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CA+CmpXubOwsradq=ObUF-h6WBpRF3tDx9TqaUO8TeJDqvdeGPg@mail.gmail.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
User-Agent: Mutt/1.12.1 (2019-06-15)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 20, 2019 at 07:16:58PM +0200, Yehezkel Bernat wrote:
> On Wed, Nov 20, 2019 at 7:06 PM <Mario.Limonciello@dell.com> wrote:
> >
> >
> > But I mean this is generally an unsafe (but convenient) option, it means that you
> > throw out security pre-boot, and all someone needs to do is turn off your machine,
> > plug in a malicious device, turn it on and then they have malicious device all the way
> > into OS.
> 
> Only if the attacker found how to forge the device UUID (and knew what UUIDs
> are allowed), isn't it? Unless you take into account things like
> external GPU box,
> where it's pretty easy to replace the card installed inside it.

No need to forge UUID if you can "borrow" the laptop for a while so that
you boot your own OS there that then updates the Boot ACL with your
malicious device UUIDs. Then you return the laptop and now it suddenly
allows booting from those as well.