From: Jarkko Sakkinen <jarkko@kernel.org>
To: Lennart Poettering <mzxreary@0pointer.de>
Cc: lee joey <joeyli.kernel@gmail.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, joeyli <jlee@suse.com>
Subject: Re: [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled"
Date: Sat, 22 Mar 2025 23:24:57 +0200 [thread overview]
Message-ID: <Z98qqSoZ-ZkVa1qv@kernel.org> (raw)
In-Reply-To: <Z90l26ADmS87tu0k@gardel-login>
On Fri, Mar 21, 2025 at 09:39:55AM +0100, Lennart Poettering wrote:
> On Fr, 21.03.25 15:13, lee joey (joeyli.kernel@gmail.com) wrote:
>
> > Hi Lennart,
> >
> > Lennart Poettering <mzxreary@0pointer.de> 於 2025年3月20日 週四 下午8:02寫道:
> > >
> > > This reverts commit 92ad19559ea9a8ec6f158480934ae26ebfe2c14f.
> > >
> > > This original commit this reverts creates a strange situation: it
> > > ensures more restrictive behaviour if SecureBoot is off then when it
> > > is on, which is the opposite of what one would expect.
> > >
> > > Typically, one would expect that if SB is off the validation of
> > > resources during the pre-kernel and kernel initialization is less
> > > restrictive, not more restrictive. But this check turned the world on
> > > its head.
> > >
> >
> > SB off means that the chain of trust is broken. Which means that all
> > mechanisms rely on SB are non-secure. Meanwhile, if the integrity of kernel
> > can be guaranteed by other mechanism (e.g. TPM), then mok should not
> > be loaded when SB off.
>
> Why not? as you say, chain of trust is broken: the kernel itself is
> not immediately integrity protected and neither is the firmware. Hence
> filtering out keys in this case is really pointless.
The way I look at this is that unless there is an actual threat scenario
that we protect against by hiding MOK keys, then we should not hide
those keys.
Since I don't find any threat scenarios my reviewed-by holds. Pointless
checks is security by obfuscation, which is not really security.
BR, Jarkko
next prev parent reply other threads:[~2025-03-22 21:25 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 12:02 [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled" Lennart Poettering
2025-03-20 14:52 ` Jarkko Sakkinen
2025-03-21 7:13 ` lee joey
2025-03-21 8:39 ` Lennart Poettering
2025-03-22 21:24 ` Jarkko Sakkinen [this message]
2025-03-21 13:19 ` James Bottomley
2025-07-03 1:40 ` Mimi Zohar
2025-07-03 7:18 ` Lennart Poettering
2025-07-03 11:23 ` Mimi Zohar
2025-07-03 13:04 ` Lennart Poettering
2025-07-03 23:56 ` Mimi Zohar
2025-07-04 7:34 ` Lennart Poettering
2025-07-08 20:52 ` Mimi Zohar
2025-07-04 1:30 ` GONG Ruiqi
2025-07-04 7:47 ` Lennart Poettering
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z98qqSoZ-ZkVa1qv@kernel.org \
--to=jarkko@kernel.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mzxreary@0pointer.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.