Re: [GIT PULL] Kernel lockdown for secure boot

(off-list ancestor, not in this archive)
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Kees Cook <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@amacapital.net> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Alexei Starovoitov <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Alan Cox <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Alan Cox <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · "Theodore Y. Ts'o" <tytso@mit.edu> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · "Theodore Y. Ts'o" <tytso@mit.edu> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Mike Galbraith <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · "Theodore Y. Ts'o" <tytso@mit.edu> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Justin Forbes <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Peter Dolding <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Pavel Machek <hidden> · 2018-04-08
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Peter Dolding <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Peter Dolding <hidden> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Justin Forbes <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Jann Horn <jannh@google.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@amacapital.net> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Pavel Machek <hidden> · 2018-04-08
Re: [GIT PULL] Kernel lockdown for secure boot · David Howells <dhowells@redhat.com> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Peter Jones <pjones@redhat.com> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Thomas Gleixner <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-04
Re: [GIT PULL] Kernel lockdown for secure boot · Andy Lutomirski <luto@kernel.org> · 2018-04-05
Re: [GIT PULL] Kernel lockdown for secure boot · Peter Dolding <hidden> · 2018-04-06
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Al Viro <viro@ZenIV.linux.org.uk> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Matthew Garrett <hidden> · 2018-04-03
Re: [GIT PULL] Kernel lockdown for secure boot · Pavel Machek <hidden> · 2018-04-08

From: David Howells <dhowells@redhat.com>
Date: 2018-04-04 00:22:31
Also in: linux-efi, linux-man, linux-security-module, lkml

Possibly related (same subject, not in this thread)

2018-04-09 · Re: [GIT PULL] Kernel lockdown for secure boot · joeyli <jlee@suse.com>
2018-04-09 · Re: [GIT PULL] Kernel lockdown for secure boot · Daniel Borkmann <daniel@iogearbox.net>
2018-04-09 · Re: [GIT PULL] Kernel lockdown for secure boot · Alexei Starovoitov <hidden>
2018-04-08 · Re: [GIT PULL] Kernel lockdown for secure boot · joeyli <jlee@suse.com>
2018-04-08 · Re: [GIT PULL] Kernel lockdown for secure boot · joeyli <jlee@suse.com>

Linus Torvalds [off-list ref] wrote:

...  use the kernel command line to disable things.

An attacker could then modify grub.cfg, say, and cause a reboot (or wait for
the next reboot) to disable lockdown:-/

And whilst we could also distribute a non-locked-down variant of the kernel as
an alternative, the attacker could install and boot that instead since we
can't lock package installation down very easily since it doesn't impinge
directly on the running kernel.

Unfortunately, it's hard to come up with a disablement mechanism in the kernel
that an attacker can't also make use of:-/

David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help