From: joeyli <jlee@suse.com>
To: Andy Lutomirski <luto@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Theodore Y. Ts'o" <tytso@mit.edu>,
Matthew Garrett <mjg59@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
David Howells <dhowells@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
James Morris <jmorris@namei.org>,
Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Justin Forbes <jforbes@redhat.com>,
linux-man <linux-man@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
linux-efi <linux-efi@vger.kernel.org>
Subject: Re: An actual suggestion (Re: [GIT PULL] Kernel lockdown for secure boot)
Date: Thu, 5 Apr 2018 09:45:21 +0800
Message-ID: <20180405014521.GA7362@linux-l9pv.suse>
In-Reply-To: <CALCETrUVQLDC6_VEvuAbdCOuGrmcxohqTB6P8eyNojm9AryNkg@mail.gmail.com>
Hi Andy,
On Wed, Apr 04, 2018 at 07:49:12AM -0700, Andy Lutomirski wrote:
> Since this thread has devolved horribly, I'm going to propose a solution.
...
> 6. There's a way to *decrease* the lockdown level below the configured
> value. (This ability itself may be gated by a config option.)
> Choices include a UEFI protected variable, an authenticated flag
> passed by the bootloader, and even just some special flag in the boot
> handoff protocol. It would be really quite useful for a user to be
> able to ask their bootloader to reduce the lockdown level for the
> purpose of a particular boot for debugging. I read the docs on
"mokutil --disable-validation" does a similar thing to the above.
It just lets the kernel ignore secure boot.
> mokutil --disable-validation, and it's quite messy. Let's have a way
> to do this that is mostly independent of the particular firmware in
> use.
>
Why is disable-validation messy?
mokutil is shim-specific but not dependent on particular firmware.
> I can imagine a grub option that decreases lockdown level along with a
> rule that grub will *not* load that option from its config, for
> example.
>
Root can modify the grub config to decrease the lockdown level in the next
boot without physical access. mokutil's interactive UI is used to
have the user confirm physical access.
Thanks
Joey Lee
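The distinction Joey draws above is between a lockdown reduction that root can arrange from userspace (editing the grub config) and one that needs a physically present user (shim's MokManager prompt after mokutil --disable-validation). The following audit script is an added example, not code from this thread or from shim/mokutil. It assumes the lockdown interface as later merged in Linux 5.4+ (/sys/kernel/security/lockdown printing e.g. "none [integrity] confidentiality", and the lockdown= kernel parameter) and shim's MokSBStateRT variable under the shim GUID 605dab50-e046-4300-abb6-3dd810dd8b23; the expected level and sample inputs are constructed. The parsing functions take their input as arguments so they can be exercised offline; pass --live to read the real files.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the running kernel's
# lockdown level is below what the administrator expects (something root
# can arrange via the grub config / cmdline) and whether shim's signature
# validation was switched off via the MOK path (which needs a physically
# present user at the MokManager prompt).
#
# Assumptions (mine, not the thread's): Linux 5.4+ lockdown securityfs
# format, the lockdown= kernel parameter, and shim's MokSBStateRT
# variable (SHIM_LOCK_GUID 605dab50-e046-4300-abb6-3dd810dd8b23).

# Active mode from a securityfs lockdown line, e.g.
# "none [integrity] confidentiality" -> "integrity".
lockdown_active() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Value of lockdown= from a kernel command line; "unset" if absent.
# The last occurrence wins, matching how repeated parameters are parsed.
cmdline_lockdown() {
    val=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^lockdown=//p' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Order the modes so they can be compared: none < integrity < confidentiality.
lockdown_rank() {
    case "$1" in
        none)            printf '0\n' ;;
        integrity)       printf '1\n' ;;
        confidentiality) printf '2\n' ;;
        *)               printf -- '-1\n' ;;
    esac
}

# Succeed (exit 0) when the active mode in $2 is at least the expected
# mode $1; fail (exit 1) when it has been lowered or is unrecognised.
lockdown_meets_expected() {
    active=$(lockdown_active "$2")
    [ "$(lockdown_rank "$active")" -ge "$(lockdown_rank "$1")" ]
}

# Read the live system. Constructed expected level: integrity.
audit_live() {
    expected=integrity
    if [ -r /sys/kernel/security/lockdown ]; then
        line=$(cat /sys/kernel/security/lockdown)
        printf 'lockdown sysfs: %s\n' "$line"
        printf 'cmdline lockdown=: %s\n' "$(cmdline_lockdown "$(cat /proc/cmdline)")"
        if lockdown_meets_expected "$expected" "$line"; then
            printf 'lockdown: OK (>= %s)\n' "$expected"
        else
            printf 'lockdown: LOWERED below %s\n' "$expected"
        fi
    else
        printf 'no lockdown interface on this kernel\n'
    fi
    # MokSBStateRT = 1 means shim is skipping signature validation because
    # mokutil --disable-validation was confirmed at the MokManager prompt.
    var=/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
    if [ -r "$var" ]; then
        # efivarfs prefixes the data with 4 attribute bytes; skip them.
        state=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
        printf 'shim validation disabled (MokSBStateRT): %s\n' "${state:-unknown}"
    else
        printf 'shim validation state: not disabled via MOK (variable absent)\n'
    fi
}

if [ "${1-}" = "--live" ]; then
    audit_live
fi
```

A grub edit that adds lockdown=none shows up in the cmdline line and trips the lowered check; a MOK-driven validation bypass shows up as MokSBStateRT=1, which only a user at the console could have confirmed.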