Date: Wed, 20 Nov 2019 19:43:01 +0200
From: Mika Westerberg
To: Yehezkel Bernat
Cc: Mario Limonciello, pmenzel@molgen.mpg.de, Andreas Noever, Michael Jamet, ck@xatom.net, LKML, Anthony Wong
Subject: Re: USB devices on Dell TB16 dock stop working after resuming
Message-ID: <20191120174301.GO11621@lahna.fi.intel.com>

On Wed, Nov 20, 2019 at 07:16:58PM +0200, Yehezkel Bernat wrote:
> On Wed, Nov 20, 2019 at 7:06 PM wrote:
> >
> > But I mean this is generally an unsafe (but convenient) option, it means that you
> > throw out security pre-boot, and all someone needs to do is turn off your machine,
> > plug in a malicious device, turn it on and then they have malicious device all the way
> > into OS.
>
> Only if the attacker found how to forge the device UUID (and knew what UUIDs
> are allowed), isn't it? Unless you take into account things like external GPU box,
> where it's pretty easy to replace the card installed inside it.

No need to forge UUID if you can "borrow" the laptop for a while so that you
boot your own OS there that then updates the Boot ACL with your malicious
device UUIDs. Then you return the laptop and now it suddenly allows booting
from those as well.
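
A Boot ACL change of the kind described in this thread can be noticed from the installed OS by comparing the pre-boot ACL with a recorded baseline. The following is an added example, not part of the original message or of the kernel sources; it reads the Linux thunderbolt driver's `boot_acl` sysfs attribute, and the function names and sample UUIDs are constructed for illustration.

```python
"""Audit Thunderbolt pre-boot ACLs against a recorded baseline (added example)."""
import glob
import uuid

# sysfs attribute exposed by the Linux thunderbolt driver, one per domain.
BOOT_ACL_GLOB = "/sys/bus/thunderbolt/devices/domain*/boot_acl"


def parse_boot_acl(raw):
    """Return the set of UUIDs held in one boot_acl value.

    The value is a comma-separated list with a fixed number of slots;
    unused slots are empty, so ",,," means no device is pre-authorized.
    """
    entries = set()
    for slot in raw.strip().split(","):
        slot = slot.strip()
        if slot:
            # uuid.UUID rejects malformed input and normalizes letter case.
            entries.add(str(uuid.UUID(slot)))
    return entries


def audit(raw, baseline):
    """Return (added, removed) relative to the expected UUIDs.

    'added' entries are the ones to investigate: those devices would be
    connected automatically at the next boot.
    """
    current = parse_boot_acl(raw)
    expected = {str(uuid.UUID(u)) for u in baseline}
    return sorted(current - expected), sorted(expected - current)


def audit_system(baseline):
    """Audit every Thunderbolt domain present; returns {} when there is none."""
    report = {}
    for path in glob.glob(BOOT_ACL_GLOB):
        try:
            with open(path) as f:
                report[path] = audit(f.read(), baseline)
        except OSError as exc:  # attribute present but not readable
            report[path] = exc
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    dock = "3b7a0e5c-0000-4000-8000-0000000000a1"
    sample = "3B7A0E5C-0000-4000-8000-0000000000A1,9f1d2c44-0000-4000-8000-0000000000b2,,"
    print("sample (added, removed):", audit(sample, [dock]))
    print("this machine:", audit_system([dock]))
```

The baseline has to be kept where another OS booted on the same machine cannot rewrite it, for example on the encrypted root filesystem.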