From: Matthew Garrett <matthew.garrett@nebula.com>
To: "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jmorris@namei.org" <jmorris@namei.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"jwboyer@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Fri, 14 Mar 2014 22:52:56 +0000 [thread overview]
Message-ID: <1394837576.1286.27.camel@x230> (raw)
In-Reply-To: <20140314223150.0b49723e@alan.etchedpixels.co.uk>
On Fri, 2014-03-14 at 22:31 +0000, One Thousand Gnomes wrote:
> On Fri, 14 Mar 2014 22:15:45 +0000
> Matthew Garrett <matthew.garrett@nebula.com> wrote:
> > The general problem includes having to support this even without an
> > selinux policy.
>
> Yes. No dispute about that. But equally the general solution should allow
> for it.
Well, sure. The current implementation doesn't conflict with selinux in
any way.
> > some other way. ChromeOS will load unmeasured kernel modules provided it
> > can attest to the trustworthyness of the filesystem containing them.
>
> See "How to Bypass Verified Boot Security in Chromium OS" 8)
>
> And it attests the trustworthiness of the filesystem by measuring it. If
> you have a measurement of object X that states it is unchanged then you
> have a valid measurement of any subset of object X for which the same
> assertion is proven. In this case since you know all the bits in the root
> fs are as before, so you know all the bits in the module are as before
You may attest to the trustworthiness of a filesystem by measuring it,
but you may also attest to it via some other means - for instance, it's
read-only and stored on media that requires physical presence to
modify.
--
Matthew Garrett <matthew.garrett@nebula.com>
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Garrett <matthew.garrett@nebula.com>
To: "gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jmorris@namei.org" <jmorris@namei.org>,
"keescook@chromium.org" <keescook@chromium.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"jwboyer@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Fri, 14 Mar 2014 22:52:56 +0000 [thread overview]
Message-ID: <1394837576.1286.27.camel@x230> (raw)
In-Reply-To: <20140314223150.0b49723e@alan.etchedpixels.co.uk>
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 1434 bytes --]
On Fri, 2014-03-14 at 22:31 +0000, One Thousand Gnomes wrote:
> On Fri, 14 Mar 2014 22:15:45 +0000
> Matthew Garrett <matthew.garrett@nebula.com> wrote:
> > The general problem includes having to support this even without an
> > selinux policy.
>
> Yes. No dispute about that. But equally the general solution should allow
> for it.
Well, sure. The current implementation doesn't conflict with selinux in
any way.
> > some other way. ChromeOS will load unmeasured kernel modules provided it
> > can attest to the trustworthyness of the filesystem containing them.
>
> See "How to Bypass Verified Boot Security in Chromium OS" 8)
>
> And it attests the trustworthiness of the filesystem by measuring it. If
> you have a measurement of object X that states it is unchanged then you
> have a valid measurement of any subset of object X for which the same
> assertion is proven. In this case since you know all the bits in the root
> fs are as before, so you know all the bits in the module are as before
You may attest to the trustworthiness of a filesystem by measuring it,
but you may also attest to it via some other means - for instance, it's
read-only and stored on media that requires physical presence to
modify.
--
Matthew Garrett <matthew.garrett@nebula.com>
ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(階ŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥
next prev parent reply other threads:[~2014-03-14 22:52 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
[not found] ` <1393445473-15068-2-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2014-02-27 19:02 ` Kees Cook
2014-02-27 19:02 ` Kees Cook
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
[not found] ` <CAGXu5j+b49grru-=DTRC0wx5LTOHN_jKL0Q++uW0Mzy+BxDf4w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-26 22:21 ` One Thousand Gnomes
2014-02-27 9:54 ` Alon Ziv
2014-03-19 17:42 ` Florian Weimer
2014-03-19 17:42 ` Florian Weimer
[not found] ` <1393445473-15068-1-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 20:11 ` Matthew Garrett
[not found] ` <1393445473-15068-13-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
2014-02-27 18:04 ` Trusted kernel patchset for Secure Boot lockdown Josh Boyer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07 ` Greg KH
[not found] ` <20140227190710.GA4755-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2014-02-27 19:11 ` Josh Boyer
2014-02-27 19:11 ` Josh Boyer
2014-02-28 12:50 ` Josh Boyer
2014-02-28 3:03 ` James Morris
[not found] ` <alpine.LRH.2.02.1402281402090.26521-CK9fWmtY32x9JUWOpEiw7w@public.gmane.org>
2014-02-28 4:52 ` Matthew Garrett
2014-02-28 4:52 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 6:22 ` Kees Cook
2014-03-13 6:22 ` Kees Cook
2014-03-13 9:33 ` James Morris
2014-03-13 10:12 ` One Thousand Gnomes
[not found] ` <20140313101235.753c3ec0-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:28 ` H. Peter Anvin
[not found] ` <532222E1.2020405-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:32 ` Matthew Garrett
[not found] ` <20140313212450.67f1de8e-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 23:21 ` One Thousand Gnomes
[not found] ` <20140313232140.03bdaac3-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 1:57 ` Matthew Garrett
[not found] ` <1394762250.6416.24.camel-+5W/JHIUVxg@public.gmane.org>
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:22 ` One Thousand Gnomes
[not found] ` <20140314122231.17b9ca8a-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:54 ` Kees Cook
[not found] ` <CAGXu5j+3vVKhFPOsArYddA+QqhvVUunj8eYOF799rDv=3MGtyg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 15:58 ` Matthew Garrett
[not found] ` <CAGXu5jLZcWh5WD0L8s3Q-GXdXCMnA57qtjfdFfQbv0fxYcuCTQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 18:11 ` Matthew Garrett
[not found] ` <1394820664.26846.18.camel-OCPKQ0O/skbnpfJQjCtNlyaZ0x2G8ZQoAL8bYrjMMd8@public.gmane.org>
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 20:37 ` David Lang
2014-03-14 20:37 ` David Lang
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 21:58 ` One Thousand Gnomes
[not found] ` <20140314215854.50ec186a-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:08 ` One Thousand Gnomes
[not found] ` <20140314220840.29a12171-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:52 ` Matthew Garrett [this message]
2014-03-14 22:52 ` Matthew Garrett
[not found] ` <20140314223150.0b49723e-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-19 19:50 ` Kees Cook
2014-03-19 19:50 ` Kees Cook
2014-03-14 23:18 ` Theodore Ts'o
2014-03-15 0:15 ` One Thousand Gnomes
[not found] ` <20140314231832.GA653-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-03-19 17:49 ` Florian Weimer
2014-03-19 17:49 ` Florian Weimer
2014-03-19 20:16 ` Kees Cook
2014-03-19 20:16 ` Kees Cook
[not found] ` <CAGXu5j+JXy4EbHxu+8twWo=3gqyLJ6hZGPbgsdf3t8YhUA-bWw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:55 ` tytso
[not found] ` <20140320145507.GB20618-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
[not found] ` <20140313212647.7412aadf-mUKnrFFms3BCCTY1wZZT65JpZx93mCW/@public.gmane.org>
2014-03-13 21:31 ` Matthew Garrett
2014-03-13 21:31 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1394837576.1286.27.camel@x230 \
--to=matthew.garrett@nebula.com \
--cc=akpm@linux-foundation.org \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.