Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image

[PATCH 00/24] security: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Miguel Ojeda <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Greg KH <gregkh@linuxfoundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jordan Glover <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Andy Lutomirski <luto@amacapital.net> · 2018-04-12
[PATCH 02/24] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Pavel Machek <hidden> · 2018-04-13
[PATCH 03/24] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 05/24] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-22
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2018-05-23
[PATCH 08/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 10/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 12/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 15/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 17/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · Randy Dunlap <hidden> · 2018-04-11
[PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 20/24] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 21/24] Lock down kprobes · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 23/24] Lock down perf · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-05-10

From: Justin Forbes <hidden>
Date: 2018-04-12 13:09:14
Also in: linux-man, linux-security-module, lkml

On Wed, Apr 11, 2018, 5:38 PM Linus Torvalds
[off-list ref] wrote:

On Wed, Apr 11, 2018 at 2:05 PM, Jordan Glover
[off-list ref] wrote:

quoted

If that /dev/mem access prevention was just instead done as an even
stricter mode of the existing CONFIG_STRICT_DEVMEM, it could just be
enabled unconditionally.

CONFIG_DEVMEM=n

It's actually CONFIG_DEVMEM, CONFIG_DEVKMEM and CONFIG_DEVPORT, it's
just not obvious from the patch.

But the important part is this part:

quoted

So I would seriously ask that the distros that have been using these
patches look at which parts of lockdown they could make unconditional
(because it doesn't break machines), and which ones need that escape
clause.

.. because I get the feeling that not a lot of people have actually
been testing this, because "turn off secure boot" is such a universal
thing when people boot Linux.

So it's really the whole claim that distributions have been running
for this for the last five years that I wonder about, and how often
people end up being told: "just disable secure boot":.

Very rarely in my experience. And the one time that we sent a kernel
to updates-testing that was signed with the test key instead of the
real key, we had a surprisingly high number of reports from users that
it was broken before the update even got synched to mirrors.  So we
don't have actual numbers of users running active secure boot with
Fedora, but we do know it is more than we expected.  The majority of
people who do run into issues are those running out of tree modules,
who haven't imported any sort of key for local signing.  This isn't
like SELinux was at launch where it was so invasive that a large
number of users instinctively turned it off with every installation, I
would guess even people who turned it off in the past, don't even
think about it when they get a new machine and leave it on.

But if people really don't need DEVMEM/DEVKMEM/DEVPORT, maybe we
should just disable them in the default configs, and consider them
legacy.

I'm just surprised. I suspect a lot of people end up actually using
devmem as a fallback for dmidecode etc. Maybe those people don't boot
with EFI secure mode, but if so that just shows that this whole
"hardening" is just security theater.

              Linus

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help