From: Andy Lutomirski <luto@kernel.org>
To: Matthew Garrett <mjg59@google.com>
Cc: Andrew Lutomirski <luto@kernel.org>,
David Howells <dhowells@redhat.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
James Morris <jmorris@namei.org>,
Alan Cox <gnomes@lxorguk.ukuu.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Justin Forbes <jforbes@redhat.com>,
linux-man <linux-man@vger.kernel.org>, joeyli <jlee@suse.com>,
LSM List <linux-security-module@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>,
linux-efi <linux-efi@vger.kernel.org>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
Date: Tue, 3 Apr 2018 09:45:41 -0700 [thread overview]
Message-ID: <CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com> (raw)
In-Reply-To: <CACdnJut31+ZtiR40nkOjm89cfUxS0EM=w-oG69PtWHbXYJQxPg@mail.gmail.com>
On Tue, Apr 3, 2018 at 9:29 AM, Matthew Garrett <mjg59@google.com> wrote:
> On Tue, Apr 3, 2018 at 8:11 AM Andy Lutomirski <luto@kernel.org> wrote:
>> Can you explain that much more clearly? I'm asking why booting via
>> UEFI Secure Boot should enable lockdown, and I don't see what this has
>> to do with kexec. And "someone blacklist[ing] your key in the
>> bootloader" sounds like a political issue, not a technical issue.
>
> A kernel that allows users arbitrary access to ring 0 is just an
> overfeatured bootloader. Why would you want secure boot in that case?
To get a chain of trust. I can provision a system with some public
keys, stored in UEFI authenticated variables, such that the system
will only boot a signed image. That signed image, can, in turn, load
a signed (or hashed or otherwise verfified) kernel and a verified
initramfs. The initramfs can run a full system from a verified (using
dm-verity or similar) filesystem, for example. Now it's very hard to
persistently attack this system. Chromium OS does something very much
like this, except that it doesn't use UEFI as far as I know. So does
iOS, and so do some Android versions. None of this requires lockdown,
or even a separation between usermode and kernelmode, to work
correctly. One could even do this on an MMU-less system if one really
cared to. More usefully, someone probably has done this using a
unikernel.
If I had to guess at a motivation that makes this patchset work, it
would be that there is an uneasy truce between Microsoft and the
various vendors of signed Linux bootloaders. That truce could
conceivably require that the signed bootloaders not knowingly ship a
system that allows a non-physically-present user to chainload Windows.
If so, the patchset should say that loud and clear in its description
and the parts that block bpf should go away.
next prev parent reply other threads:[~2018-04-03 16:45 UTC|newest]
Thread overview: 112+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4136.1522452584@warthog.procyon.org.uk>
[not found] ` <alpine.LRH.2.21.1803311145180.7769@namei.org>
2018-04-03 0:37 ` [GIT PULL] Kernel lockdown for secure boot Andy Lutomirski
2018-04-03 0:59 ` Kees Cook
2018-04-03 1:47 ` Andy Lutomirski
2018-04-03 7:06 ` David Howells
2018-04-03 15:11 ` Andy Lutomirski
2018-04-03 15:41 ` Alexei Starovoitov
2018-04-03 16:26 ` Andy Lutomirski
2018-04-03 16:29 ` Matthew Garrett
2018-04-03 16:45 ` Andy Lutomirski [this message]
[not found] ` <CAGXu5j+CyVXEvsMarJjBwaNh7poVZtmit5PGmQM9rKKqZPqVXg@mail.gmail.com>
2018-04-03 19:01 ` Andy Lutomirski
2018-04-03 19:07 ` Kees Cook
2018-04-03 19:29 ` Matthew Garrett
2018-04-03 21:51 ` Andy Lutomirski
2018-04-04 18:42 ` Peter Jones
2018-04-04 20:01 ` Thomas Gleixner
2018-04-04 20:18 ` Matthew Garrett
2018-04-05 18:47 ` Andy Lutomirski
2018-04-06 4:42 ` Peter Dolding
2018-04-03 17:16 ` David Howells
2018-04-03 19:01 ` Andy Lutomirski
2018-04-03 19:49 ` David Howells
2018-04-03 21:58 ` Andy Lutomirski
2018-04-03 22:32 ` David Howells
2018-04-03 22:39 ` Andy Lutomirski
2018-04-03 22:46 ` Linus Torvalds
2018-04-03 22:51 ` Matthew Garrett
2018-04-03 22:53 ` Andy Lutomirski
2018-04-03 23:09 ` Matthew Garrett
2018-04-03 23:08 ` Linus Torvalds
2018-04-03 23:10 ` Linus Torvalds
2018-04-03 23:17 ` Matthew Garrett
2018-04-03 23:26 ` Linus Torvalds
2018-04-03 23:39 ` Linus Torvalds
2018-04-03 23:47 ` Matthew Garrett
2018-04-04 0:02 ` Linus Torvalds
2018-04-04 0:04 ` Matthew Garrett
2018-04-04 0:08 ` Linus Torvalds
2018-04-04 0:12 ` Matthew Garrett
2018-04-05 14:58 ` Alan Cox
2018-04-04 0:22 ` David Howells
2018-04-05 17:59 ` Alan Cox
2018-04-05 18:03 ` Matthew Garrett
2018-04-03 23:45 ` Matthew Garrett
2018-04-03 23:55 ` Linus Torvalds
2018-04-03 23:59 ` Matthew Garrett
2018-04-04 0:06 ` Linus Torvalds
2018-04-04 0:10 ` Matthew Garrett
2018-04-04 0:15 ` Linus Torvalds
2018-04-04 0:16 ` Matthew Garrett
2018-04-04 0:18 ` Andy Lutomirski
2018-04-04 0:19 ` Matthew Garrett
2018-04-04 9:04 ` Greg Kroah-Hartman
2018-04-04 0:25 ` Linus Torvalds
2018-04-04 0:33 ` Linus Torvalds
2018-04-04 0:46 ` Matthew Garrett
2018-04-04 0:56 ` Linus Torvalds
2018-04-04 1:13 ` Matthew Garrett
2018-04-04 1:43 ` Linus Torvalds
2018-04-04 4:30 ` Matthew Garrett
2018-04-04 12:57 ` Theodore Y. Ts'o
2018-04-04 13:02 ` Greg Kroah-Hartman
2018-04-04 13:34 ` Theodore Y. Ts'o
2018-04-04 13:57 ` Greg Kroah-Hartman
2018-04-04 13:29 ` Mike Galbraith
2018-04-04 16:20 ` Matthew Garrett
2018-04-08 22:00 ` Pavel Machek
2018-04-04 13:33 ` David Howells
2018-04-04 13:52 ` Theodore Y. Ts'o
2018-04-04 16:22 ` Matthew Garrett
2018-04-04 16:39 ` Andy Lutomirski
2018-04-04 16:42 ` Matthew Garrett
2018-04-04 16:46 ` Justin Forbes
2018-04-05 0:05 ` Peter Dolding
2018-04-05 0:20 ` Matthew Garrett
2018-04-04 13:57 ` David Howells
2018-04-04 16:09 ` Linus Torvalds
2018-04-04 16:17 ` Matthew Garrett
2018-04-04 6:56 ` Peter Dolding
2018-04-04 16:26 ` Matthew Garrett
2018-04-05 1:28 ` Peter Dolding
2018-04-04 1:36 ` Justin Forbes
[not found] ` <CAFbkSA0ursG3RGWU19LQiD6u30h5V=Aqj3oVyHQCiX6MLopYUg@mail.gmail.com>
2018-04-04 1:58 ` Linus Torvalds
2018-04-04 0:17 ` Jann Horn
2018-04-04 0:23 ` Andy Lutomirski
2018-04-04 8:05 ` David Howells
2018-04-04 14:35 ` Andy Lutomirski
2018-04-04 14:44 ` David Howells
2018-04-04 15:43 ` Eric W. Biederman
2018-04-03 23:56 ` David Howells
2018-04-03 23:58 ` Linus Torvalds
2018-04-03 23:39 ` David Howells
2018-04-03 23:48 ` Andy Lutomirski
2018-04-08 8:23 ` Pavel Machek
2018-04-03 23:12 ` David Howells
2018-04-03 23:27 ` Linus Torvalds
2018-04-03 23:42 ` Andy Lutomirski
2018-04-03 20:53 ` Linus Torvalds
2018-04-03 20:54 ` Matthew Garrett
2018-04-03 21:01 ` Linus Torvalds
2018-04-03 21:08 ` Matthew Garrett
2018-04-03 21:21 ` Al Viro
2018-04-03 21:37 ` Matthew Garrett
2018-04-03 21:26 ` Linus Torvalds
2018-04-03 21:32 ` Matthew Garrett
2018-04-08 8:10 ` Pavel Machek
2018-04-04 2:34 Alexei Starovoitov
2018-04-04 4:31 ` Matthew Garrett
2018-04-08 7:44 ` joeyli
2018-04-08 8:07 ` joeyli
2018-04-09 3:40 ` Alexei Starovoitov
2018-04-09 8:14 ` Daniel Borkmann
2018-04-09 13:55 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrXeVod=kNpG-M7yKAMM0-n+PMg_OakN6ecWrTPmKXgMLg@mail.gmail.com' \
--to=luto@kernel.org \
--cc=ard.biesheuvel@linaro.org \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jforbes@redhat.com \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mjg59@google.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).