From: Greg KH <gregkh@linuxfoundation.org>
To: David Howells <dhowells@redhat.com>
Cc: linux-kernel@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
minyard@acm.org
Subject: Re: [PATCH 01/39] Annotate module params that specify hardware parameters (eg. ioport)
Date: Thu, 1 Dec 2016 16:01:35 +0100
Message-ID: <20161201150135.GA10317@kroah.com>
In-Reply-To: <148059538747.31612.8974972913601108271.stgit@warthog.procyon.org.uk>
On Thu, Dec 01, 2016 at 12:29:47PM +0000, David Howells wrote:
> Provided an annotation for module parameters that specify hardware
> parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
> dma buffers and other types).
>
> This will enable such parameters to be locked down in the core parameter
> parser for secure boot support.
ick ick ick.
First off, this "secure boot support" massive patchset has not gone
anywhere yet, so why do this now? Also, I think Alan's comment about it
the last time it came up was more like a "look at all of the other ways
you could do bad things to hardware!" comment, not a "you need to also
do this thing too!" type of request.
I certainly do not see how this makes anything "more secure" at all.
And I thought the last time this came up, Linus also objected to it,
which is why the patchset never went anywhere.
Secure boot is a trust that the previous boot process is now booting
your image that it feels is secure (with various levels of "secure").
It is not about "lock things down so no one can ever touch the hardware
through different options, except through random logic[1] that we
somehow trust 'more' than configuration options".
So, what are you really trying to "block" here? The ability for someone
to set an i/o port value? why? Why does it matter what root sets for
an irq? For a dma buffer? For anything else? What is preventing this
going to "secure" somehow?
Overall, I really don't like this, and honestly, don't like the whole
"secure boot" patchset either, as it is really a lot of work for
absolutely no gain that I can see. Who is "asking" for this type of
thing, and what are their specific requirements?
thanks,
greg k-h
[1] Really, do you trust random driver writers to get things more
"correct" than allowing people to get their hardware to work
properly with module parameters? I know driver writers, and really,
I trust users more than them...
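To make concrete what the patch series would actually block, here is a small userspace model of the check it proposes: the core parameter parser looks at an annotation on each parameter and refuses to set the ones flagged as hardware configuration (I/O port, IRQ, DMA channel and so on) once the kernel is "locked down", while ordinary parameters are still writable. This is an added illustration, not code from the patch set or from kernel/params.c; the names `hwparam_type`, `set_param`, `set_lockdown` and the demo parameter table are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed userspace model of "lock down hardware-config module
 * parameters". Type and function names below are assumptions for this
 * example and are not the kernel's own API.
 */
enum hwparam_type {
    HWPARAM_NONE = 0,   /* ordinary parameter, always settable */
    HWPARAM_IOPORT,     /* I/O port base */
    HWPARAM_IOMEM,      /* memory-mapped I/O address */
    HWPARAM_IRQ,        /* interrupt line */
    HWPARAM_DMA,        /* DMA channel */
    HWPARAM_OTHER       /* other hardware-specific setting */
};

struct kparam {
    const char *name;
    enum hwparam_type hw;  /* the annotation the patch series adds */
    unsigned long value;
};

/* Constructed sample parameter table, roughly what an ISA-era driver exports. */
static struct kparam demo_params[] = {
    { "io",    HWPARAM_IOPORT, 0x378 },
    { "irq",   HWPARAM_IRQ,    7 },
    { "dma",   HWPARAM_DMA,    3 },
    { "debug", HWPARAM_NONE,   0 },
};

static int locked_down;  /* models "kernel is in lockdown mode" */

enum set_result {
    SET_OK      =  0,
    SET_UNKNOWN = -1,   /* no such parameter */
    SET_LOCKED  = -2,   /* hardware parameter refused under lockdown */
    SET_BADVAL  = -3    /* malformed "name=value" or non-numeric value */
};

void set_lockdown(int on)
{
    locked_down = on;
}

static struct kparam *find_param(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof(demo_params) / sizeof(demo_params[0]); i++)
        if (strlen(demo_params[i].name) == len &&
            memcmp(demo_params[i].name, name, len) == 0)
            return &demo_params[i];
    return NULL;
}

/* Apply one "name=value" assignment the way the core parser would. */
int set_param(const char *assignment)
{
    const char *eq = strchr(assignment, '=');
    if (!eq || eq == assignment)
        return SET_BADVAL;

    struct kparam *p = find_param(assignment, (size_t)(eq - assignment));
    if (!p)
        return SET_UNKNOWN;

    /* The policy point: annotated hardware params are refused under lockdown. */
    if (p->hw != HWPARAM_NONE && locked_down)
        return SET_LOCKED;

    char *end;
    unsigned long v = strtoul(eq + 1, &end, 0);  /* base 0: accepts 0x..., 0..., decimal */
    if (end == eq + 1 || *end != '\0')
        return SET_BADVAL;

    p->value = v;
    return SET_OK;
}

/* Returns the current value, or -1 if the parameter does not exist. */
long get_param(const char *name)
{
    struct kparam *p = find_param(name, strlen(name));
    return p ? (long)p->value : -1;
}

int main(void)
{
    printf("io=0x3bc   before lockdown -> %d\n", set_param("io=0x3bc"));
    set_lockdown(1);
    printf("io=0x278   under lockdown  -> %d\n", set_param("io=0x278"));
    printf("debug=1    under lockdown  -> %d\n", set_param("debug=1"));
    printf("io is now 0x%lx\n", get_param("io"));
    return 0;
}
```

Note that the check sits in the parser, not in each driver: the driver only carries the annotation, and the refusal happens before the value is ever stored. Whether that is worth anything is exactly the question raised above, since the model also shows how narrow the protection is (only annotated parameters are affected, and only when lockdown is on).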
Thread overview: 81+ messages
2016-12-01 12:29 [PATCH 00/39] Annotate hw config module params for future lockdown David Howells
2016-12-01 12:29 ` [PATCH 01/39] Annotate module params that specify hardware parameters (eg. ioport) David Howells
2016-12-01 15:01 ` Greg KH [this message]
2016-12-01 16:02 ` David Howells
2016-12-05 21:12 ` One Thousand Gnomes
2016-12-06 7:11 ` Greg KH
2016-12-06 10:42 ` David Howells
2016-12-06 10:50 ` Greg KH
2016-12-02 3:07 ` Matthew Garrett
2016-12-02 6:55 ` Greg KH
2016-12-02 7:12 ` Matthew Garrett
2016-12-05 21:26 ` One Thousand Gnomes
2016-12-02 14:59 ` David Howells
2016-12-05 15:47 ` Greg KH
2016-12-06 10:54 ` David Howells
2016-12-01 12:29 ` [PATCH 02/39] Annotate hardware config module parameters in arch/x86/mm/ David Howells
2016-12-01 12:30 ` [PATCH 03/39] Annotate hardware config module parameters in drivers/char/ipmi/ David Howells
2016-12-01 13:14 ` Corey Minyard
2016-12-01 12:30 ` [PATCH 04/39] Annotate hardware config module parameters in drivers/char/mwave/ David Howells
2016-12-01 12:30 ` [PATCH 05/39] Annotate hardware config module parameters in drivers/char/ David Howells
2016-12-01 12:30 ` [PATCH 06/39] Annotate hardware config module parameters in drivers/clocksource/ David Howells
2016-12-01 12:30 ` [PATCH 07/39] Annotate hardware config module parameters in drivers/cpufreq/ David Howells
2016-12-01 14:02 ` Rafael J. Wysocki
2016-12-01 14:19 ` David Howells
2016-12-01 14:21 ` Rafael J. Wysocki
2016-12-01 12:30 ` [PATCH 08/39] Annotate hardware config module parameters in drivers/gpio/ David Howells
2016-12-01 13:49 ` William Breathitt Gray
2016-12-02 12:55 ` Linus Walleij
2016-12-01 12:30 ` [PATCH 09/39] Annotate hardware config module parameters in drivers/i2c/ David Howells
2016-12-01 13:47 ` Jean Delvare
2016-12-01 14:12 ` David Howells
2016-12-01 16:06 ` Jean Delvare
2016-12-05 21:09 ` One Thousand Gnomes
2016-12-01 12:30 ` [PATCH 10/39] Annotate hardware config module parameters in drivers/iio/ David Howells
2016-12-01 13:50 ` William Breathitt Gray
2016-12-03 9:05 ` Jonathan Cameron
2016-12-07 13:43 ` David Howells
2016-12-07 13:43 ` David Howells
2016-12-01 12:31 ` [PATCH 11/39] Annotate hardware config module parameters in drivers/input/ David Howells
2016-12-03 18:51 ` Dmitry Torokhov
2016-12-01 12:31 ` [PATCH 12/39] Annotate hardware config module parameters in drivers/isdn/ David Howells
2016-12-01 12:31 ` [PATCH 13/39] Annotate hardware config module parameters in drivers/media/ David Howells
2016-12-01 12:31 ` [PATCH 14/39] Annotate hardware config module parameters in drivers/misc/ David Howells
2016-12-01 12:31 ` [PATCH 15/39] Annotate hardware config module parameters in drivers/mmc/host/ David Howells
2016-12-01 12:31 ` [PATCH 16/39] Annotate hardware config module parameters in drivers/net/appletalk/ David Howells
2016-12-01 12:31 ` [PATCH 17/39] Annotate hardware config module parameters in drivers/net/arcnet/ David Howells
2016-12-01 12:32 ` [PATCH 18/39] Annotate hardware config module parameters in drivers/net/can/ David Howells
2016-12-01 13:05 ` Marc Kleine-Budde
2016-12-01 12:32 ` [PATCH 19/39] Annotate hardware config module parameters in drivers/net/ethernet/ David Howells
2016-12-01 12:32 ` [PATCH 20/39] Annotate hardware config module parameters in drivers/net/hamradio/ David Howells
2016-12-01 16:07 ` David Ranch
2016-12-01 12:32 ` [PATCH 21/39] Annotate hardware config module parameters in drivers/net/irda/ David Howells
2016-12-01 12:32 ` [PATCH 22/39] Annotate hardware config module parameters in drivers/net/wan/ David Howells
2016-12-01 12:32 ` [PATCH 23/39] Annotate hardware config module parameters in drivers/net/wireless/ David Howells
2016-12-02 5:04 ` Kalle Valo
2016-12-07 13:45 ` David Howells
2016-12-01 12:32 ` [PATCH 24/39] Annotate hardware config module parameters in drivers/parport/ David Howells
2016-12-01 12:32 ` [PATCH 25/39] Annotate hardware config module parameters in drivers/pci/hotplug/ David Howells
2016-12-07 18:34 ` Bjorn Helgaas
2016-12-01 12:33 ` [PATCH 26/39] Annotate hardware config module parameters in drivers/pcmcia/ David Howells
2016-12-01 12:33 ` [PATCH 27/39] Annotate hardware config module parameters in drivers/scsi/ David Howells
2016-12-01 22:05 ` Finn Thain
2017-04-05 14:33 ` David Howells
2017-04-05 14:33 ` David Howells
2016-12-01 12:33 ` [PATCH 28/39] Annotate hardware config module parameters in drivers/staging/i4l/ David Howells
2016-12-01 12:33 ` [PATCH 29/39] Annotate hardware config module parameters in drivers/staging/media/ David Howells
2016-12-01 14:54 ` Mauro Carvalho Chehab
2016-12-01 14:59 ` David Howells
2016-12-01 15:17 ` Mauro Carvalho Chehab
2016-12-01 12:33 ` [PATCH 30/39] Annotate hardware config module parameters in drivers/staging/speakup/ David Howells
2016-12-01 12:33 ` [PATCH 31/39] Annotate hardware config module parameters in drivers/staging/vme/ David Howells
2016-12-01 12:33 ` [PATCH 32/39] Annotate hardware config module parameters in drivers/tty/ David Howells
2016-12-01 15:02 ` Greg Kroah-Hartman
2016-12-01 12:34 ` [PATCH 33/39] Annotate hardware config module parameters in drivers/video/ David Howells
2016-12-01 12:34 ` [PATCH 34/39] Annotate hardware config module parameters in drivers/watchdog/ David Howells
2016-12-01 12:58 ` Guenter Roeck
2016-12-01 12:34 ` [PATCH 35/39] Annotate hardware config module parameters in fs/pstore/ David Howells
2016-12-01 12:34 ` [PATCH 36/39] Annotate hardware config module parameters in sound/drivers/ David Howells
2016-12-01 12:34 ` [PATCH 37/39] Annotate hardware config module parameters in sound/isa/ David Howells
2016-12-01 12:34 ` [PATCH 38/39] Annotate hardware config module parameters in sound/oss/ David Howells
2016-12-01 12:34 ` [PATCH 39/39] Annotate hardware config module parameters in sound/pci/ David Howells