From: Florian Weimer <fw@deneb.enyo.de>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
Matthew Garrett <matthew.garrett@nebula.com>,
"linux-kernel\@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"jmorris\@namei.org" <jmorris@namei.org>,
"keescook\@chromium.org" <keescook@chromium.org>,
"linux-security-module\@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"akpm\@linux-foundation.org" <akpm@linux-foundation.org>,
"hpa\@zytor.com" <hpa@zytor.com>,
"jwboyer\@fedoraproject.org" <jwboyer@fedoraproject.org>,
"linux-efi\@vger.kernel.org" <linux-efi@vger.kernel.org>,
"gregkh\@linuxfoundation.org" <gregkh@linuxfoundation.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Wed, 19 Mar 2014 18:49:49 +0100 [thread overview]
Message-ID: <87eh1y84ea.fsf@mid.deneb.enyo.de> (raw)
In-Reply-To: <20140314231832.GA653@thunk.org> (Theodore Ts'o's message of "Fri, 14 Mar 2014 19:18:32 -0400")
* Theodore Ts'o:
> Right now, even though Lenovo laptops are shipping with Windows
> 8. UEFI secure boot is not made mandatory (although it is on enough to
> brick the laptop when it runs into bugs wwith the UEFI BIOS code,
> sigh). But sooner or later, UEFI secure boot will be on by default,
> and then if Linux distros don't have kernels where the installer can
> be run without needing to twiddle BIOS settings, it might make it
> harder for the "Year of the Desktop" to come about.
Windows 8 logo devices already enable Secure Boot by default.
One aspect which makes all this really tricky is that Microsoft is
watching what we're doing and will keep raising the bar, probably not
with the intent to lock us out completely, but sufficiently high to
make things quite annoying. For example, any certificate-signing
certificate in the boot process needs to be an EV CA certificate,
which comes with fairly stringent requirements that are quite costly
to implement.
So any restrictions we implement as a good-will gesture will
eventually come back to haunt us.
next prev parent reply other threads:[~2014-03-19 17:50 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2014-02-27 19:02 ` Kees Cook
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when " Matthew Garrett
2014-03-31 14:49 ` Pavel Machek
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
2014-02-26 22:21 ` One Thousand Gnomes
2014-03-19 17:42 ` Florian Weimer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07 ` Greg KH
2014-02-27 19:11 ` Josh Boyer
2014-02-28 12:50 ` Josh Boyer
2014-02-28 3:03 ` James Morris
2014-02-28 4:52 ` Matthew Garrett
2014-03-13 5:01 ` Matthew Garrett
2014-03-13 6:22 ` Kees Cook
2014-03-13 9:33 ` James Morris
2014-03-13 10:12 ` One Thousand Gnomes
2014-03-13 15:54 ` H. Peter Anvin
2014-03-13 15:59 ` Matthew Garrett
2014-03-13 21:24 ` One Thousand Gnomes
2014-03-13 21:28 ` H. Peter Anvin
2014-03-13 21:32 ` Matthew Garrett
2014-03-13 21:30 ` Matthew Garrett
2014-03-13 23:21 ` One Thousand Gnomes
2014-03-14 1:57 ` Matthew Garrett
2014-03-14 12:22 ` One Thousand Gnomes
2014-03-14 12:51 ` Matthew Garrett
2014-03-14 15:23 ` Kees Cook
2014-03-14 15:46 ` Matthew Garrett
2014-03-14 15:54 ` Kees Cook
2014-03-14 15:58 ` Matthew Garrett
2014-03-14 16:28 ` One Thousand Gnomes
2014-03-14 17:06 ` One Thousand Gnomes
2014-03-14 18:11 ` Matthew Garrett
2014-03-14 19:24 ` Matthew Garrett
2014-03-14 20:37 ` David Lang
2014-03-14 20:43 ` Matthew Garrett
2014-03-14 21:58 ` One Thousand Gnomes
2014-03-14 22:04 ` Matthew Garrett
2014-03-14 21:48 ` One Thousand Gnomes
2014-03-14 21:56 ` Matthew Garrett
2014-03-14 22:08 ` One Thousand Gnomes
2014-03-14 22:15 ` Matthew Garrett
2014-03-14 22:31 ` One Thousand Gnomes
2014-03-14 22:52 ` Matthew Garrett
2014-03-19 19:50 ` Kees Cook
2014-03-14 23:18 ` Theodore Ts'o
2014-03-15 0:15 ` One Thousand Gnomes
2014-03-19 17:49 ` Florian Weimer [this message]
2014-03-19 20:16 ` Kees Cook
2014-03-20 14:47 ` One Thousand Gnomes
2014-03-20 14:55 ` tytso
2014-03-20 17:12 ` Matthew Garrett
2014-03-20 18:13 ` One Thousand Gnomes
2014-03-13 21:26 ` One Thousand Gnomes
2014-03-13 21:31 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87eh1y84ea.fsf@mid.deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=akpm@linux-foundation.org \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=hpa@zytor.com \
--cc=jmorris@namei.org \
--cc=jwboyer@fedoraproject.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox