From: Mimi Zohar <zohar@linux.ibm.com>
To: Lennart Poettering <mzxreary@0pointer.de>
Cc: Jarkko Sakkinen <jarkko@kernel.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Subject: Re: [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled"
Date: Tue, 08 Jul 2025 16:52:02 -0400
Message-ID: <b1b5feaa93922c9b5a8f1a1e41385d266fe640ce.camel@linux.ibm.com>
In-Reply-To: <aGeECyNqSQoIP7d2@gardel-login>
On Fri, 2025-07-04 at 09:34 +0200, Lennart Poettering wrote:
> > That would be preferable to changing the existing expectations to loading the
> > MOK keys when secure boot is not enabled.
>
> Sorry, but I vehemently disagree, that's a really broken security
> model. SecureBoot on should mean strict rules and, SB off should mean
> relaxed rules, and you are doing it in the opposite way.
We're going around and around in circles, each of us saying the same thing over
and over. Let's try breaking this down.
For now let's assume there are just two security models, the hybrid security
model of trusted boot transitioning to secure boot and the secure boot only
model.
In the hybrid security model of trusted boot transitioning to secure boot,
you're claiming it is always safe to load vendor keys and/or "local keys",
whether secure boot is enabled or disabled. This makes sense, because the keys
will be measured and the disk encryption key won't be unsealed (TPM 1.2
terminology) if there are unknown keys.
I'm claiming in the secure boot ONLY model, the default is to use the set of
known builtin trusted keys and to make an exception to allow "vendor keys"
and/or "local keys" IFF secure boot is enabled. This is a reasonable exception, a
relaxing of the rules.
With your understanding of "SecureBoot on should mean strict rules and, SB off
should mean relaxed rules ... " there would be no difference if Secure Boot is
enabled or disabled. For your hybrid security model case this works
perfectly. In the secure boot only case, however, it breaks the existing
security model expectations.
The question is how can both of these security models co-exist?
Mimi
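The distinction Mimi draws above (keys that are measured, so an unexpected key changes the PCR and the disk key stays sealed, versus keys that are simply loaded or not depending on the Secure Boot flag) can be made concrete with a small model. The following Python is an added example for this archive page, not code from the thread, the kernel, or shim. It models a single SHA-256 PCR bank using the standard TPM extend rule (new = H(old || H(event))), treats "sealing" as a constant-time comparison of the current PCR against the value recorded at provisioning time rather than a real TPM policy session, and uses constructed byte strings in place of DER certificates. The flag `load_mok_only_if_sb` is an assumption of the model: True stands for the gated behaviour (MOK honoured only with Secure Boot on), False for loading MOK unconditionally.

```python
"""Model: measured keys gate the disk unseal; the SB flag alone does not.

Added example, not part of the mailing-list thread or of any kernel code.
Certificates below are constructed stand-ins, not real DER.
"""
import hashlib
import hmac

PCR_INITIAL = bytes(32)  # a SHA-256 PCR bank starts as 32 zero bytes

# Constructed stand-ins for certificates on the kernel's trusted keyrings.
BUILTIN_KEYS = [b"distro-kernel-signing-cert"]   # built into the kernel image
VENDOR_MOK = [b"vendor-mok-cert"]                # shipped by the distro/vendor
LOCAL_MOK = [b"local-admin-mok-cert"]            # enrolled by the machine owner
ROGUE_MOK = [b"rogue-mok-cert"]                  # enrolled by an attacker


def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = H(PCR_old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def keys_loaded(secure_boot: bool, mok: list, load_mok_only_if_sb: bool) -> list:
    """Which certificates end up on the trusted keyrings at boot.

    load_mok_only_if_sb=True  : MOK keys loaded only when Secure Boot is on
                                (the gated behaviour discussed in the thread).
    load_mok_only_if_sb=False : MOK keys always loaded (the hybrid model,
                                which relies on measurement instead).
    The flag itself is an assumption of this model, not a kernel parameter.
    """
    loaded = list(BUILTIN_KEYS)
    if secure_boot or not load_mok_only_if_sb:
        loaded += mok
    return loaded


def measure_keys(keys: list) -> bytes:
    """Extend every loaded certificate into the PCR, in load order."""
    pcr = PCR_INITIAL
    for cert in keys:
        pcr = pcr_extend(pcr, cert)
    return pcr


def seal(secret: bytes, expected_pcr: bytes) -> tuple:
    """Record the PCR value the secret is bound to (stand-in for TPM sealing)."""
    return (expected_pcr, secret)


def unseal(blob: tuple, current_pcr: bytes):
    """Release the secret only if the current PCR matches the sealed value."""
    expected_pcr, secret = blob
    if hmac.compare_digest(expected_pcr, current_pcr):
        return secret
    return None


def boot_and_unseal(blob: tuple, secure_boot: bool, mok: list,
                    load_mok_only_if_sb: bool):
    """Simulate one boot: load keys, measure them, try to unseal."""
    pcr = measure_keys(keys_loaded(secure_boot, mok, load_mok_only_if_sb))
    return unseal(blob, pcr)


def hybrid_model_scenarios() -> dict:
    """Provision with SB on and the expected key set, then boot four ways.

    Returns whether the disk key was released in each scenario.
    """
    expected = measure_keys(BUILTIN_KEYS + VENDOR_MOK + LOCAL_MOK)
    blob = seal(b"luks-volume-key", expected)
    known = VENDOR_MOK + LOCAL_MOK
    return {
        # SB on, known keys, MOK always loaded: unseals.
        "sb_on_known_keys": boot_and_unseal(blob, True, known, False) is not None,
        # SB off, same keys: PCR identical, still unseals (SB flag irrelevant).
        "sb_off_known_keys": boot_and_unseal(blob, False, known, False) is not None,
        # SB off, attacker-enrolled key: PCR diverges, stays sealed.
        "sb_off_rogue_key": boot_and_unseal(blob, False, known + ROGUE_MOK, False) is not None,
        # SB off with MOK gated on SB: legitimate keys missing, PCR diverges,
        # stays sealed even though nothing hostile happened.
        "sb_off_mok_gated": boot_and_unseal(blob, False, known, True) is not None,
    }


if __name__ == "__main__":
    for name, released in hybrid_model_scenarios().items():
        print(f"{name:20s} disk key released: {released}")
```

The last scenario is the crux of the disagreement: when the trusted-keys set is what gets measured, making MOK loading conditional on the Secure Boot flag changes the PCR value for an otherwise legitimate boot, so a sealed secret provisioned with MOK present stops unsealing once Secure Boot is turned off. In the secure-boot-only model there is no sealing step at all, and `keys_loaded` with `load_mok_only_if_sb=True` is the whole policy.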
Thread overview: 15+ messages
2025-03-20 12:02 [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled" Lennart Poettering
2025-03-20 14:52 ` Jarkko Sakkinen
2025-03-21 7:13 ` lee joey
2025-03-21 8:39 ` Lennart Poettering
2025-03-22 21:24 ` Jarkko Sakkinen
2025-03-21 13:19 ` James Bottomley
2025-07-03 1:40 ` Mimi Zohar
2025-07-03 7:18 ` Lennart Poettering
2025-07-03 11:23 ` Mimi Zohar
2025-07-03 13:04 ` Lennart Poettering
2025-07-03 23:56 ` Mimi Zohar
2025-07-04 7:34 ` Lennart Poettering
2025-07-08 20:52 ` Mimi Zohar [this message]
2025-07-04 1:30 ` GONG Ruiqi
2025-07-04 7:47 ` Lennart Poettering