From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [GIT PULL] Kernel lockdown for secure boot Date: Tue, 3 Apr 2018 22:21:02 +0100 Message-ID: <20180403212102.GL30522@ZenIV.linux.org.uk> References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org To: Matthew Garrett Cc: Linus Torvalds , luto@kernel.org, David Howells , Ard Biesheuvel , jmorris@namei.org, Alan Cox , Greg Kroah-Hartman , Linux Kernel Mailing List , jforbes@redhat.com, linux-man@vger.kernel.org, jlee@suse.com, LSM List , linux-api@vger.kernel.org, Kees Cook , linux-efi List-Id: linux-man@vger.kernel.org On Tue, Apr 03, 2018 at 09:08:54PM +0000, Matthew Garrett wrote: > > The fact is, some hardware pushes secure boot pretty hard. That has > > *nothing* to do with some "lockdown" mode. > > Secure Boot ensures that the firmware will only load signed bootloaders. If > a signed bootloader loads a kernel that's effectively an unsigned > bootloader, there's no point in using Secure Boot - you should just turn it > off instead, because it's not giving you any meaningful security. Andy's > example gives a scenario where by constraining your *userland* sufficiently > you can get close to having the same guarantees, but that involves you > having a read-only filesystem and takes you even further away from having a > general purpose computer. > > If you don't want Secure Boot, turn it off. If you want Secure Boot, use a > kernel that behaves in a way that actually increases your security. That assumes you *can* turn that shit off. On the hardware where manufacturer has installed firmware that doesn't allow that SB is a misfeature that has to be worked around. Making that harder might improve the value of SB to said manufacturers, but what's the benefit for everybody else?