From mboxrd@z Thu Jan 1 00:00:00 1970 From: mjg59@google.com (Matthew Garrett) Date: Tue, 03 Apr 2018 23:59:40 +0000 Subject: [GIT PULL] Kernel lockdown for secure boot In-Reply-To: References: <4136.1522452584@warthog.procyon.org.uk> <186aeb7e-1225-4bb8-3ff5-863a1cde86de@kernel.org> <30459.1522739219@warthog.procyon.org.uk> <9758.1522775763@warthog.procyon.org.uk> <13189.1522784944@warthog.procyon.org.uk> <9349.1522794769@warthog.procyon.org.uk> Message-ID: To: linux-security-module@vger.kernel.org List-Id: linux-security-module.vger.kernel.org On Tue, Apr 3, 2018 at 4:55 PM Linus Torvalds wrote: > On Tue, Apr 3, 2018 at 4:45 PM, Matthew Garrett wrote: > >> Be honest now. It wasn't generally users who clamored for it. > > > > If you ask a user whether they want a system that lets an attacker replace > > their kernel or one that doesn't, what do you think their answer is likely > > to be? > Goddamnit. > We both know what the answer will be. > And it will have *nothing* to do with secure boot. Right, because they care about outcome rather than mechanism. Secure Boot is the mechanism we have to make that outcome possible. > > Again, what is your proposed mechanism for ensuring that off the shelf > > systems can be configured in a way that makes this possible? > If you think lockdown is a good idea, and you enabled it, then IT IS ENABLED. Ok. So we can build distribution kernels that *always* have this on, and to turn it off you have to disable Secure Boot and install a different kernel. Or we can build distribution kernels that only have this on when you're booting in a context that makes sense, and you can disable it by just disabling Secure Boot (by running mokutil --disable-validation) and not have to install a new kernel. Which outcome do you prefer? -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to majordomo at vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html