Re: Disable lockdown while keeping SecureBoot enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, Oct 02, 2022 at 11:15:28PM +0200, Ard Biesheuvel wrote:
> On Sun, 2 Oct 2022 at 19:06, Antoine Damhet <antoine@xxxxxxxxx> wrote:
> >
> > On Sun, Oct 02, 2022 at 05:28:16PM +0200, Ard Biesheuvel wrote:
> > > On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@xxxxxxxxx> wrote:

[...]

> > > > Until now I disabled the lockdown by setting the `MokSBState` +
> > > > `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
> > > >
> > >
> > > OK, so this means the patch works as intended: MokSBState is owned by
> > > shim, and you are not booting via shim, and so honouring those
> > > variables was a bug.
> > >
> > > > Would you be open to either add a variable or a command-line argument to
> > > > disable the kernel lockdown while keeping SecureBoot enabled ?

[...]

Thank you for taking the time to answer,

> 
> The distro kernels enable lockdown by default if secure boot is
> enabled, and the way to override that is to use shim and put it into
> insecure mode. So you have plenty of options here:
> - build your kernel without the lockdown LSM

It would work but would be inconvenient for most users IMHO.

> - use the distro kernel with shim

1. If the shim is in secure mode -> I'm back to square 1 and effectively
   the lockdown is enforced
2. Unsecure mode -> anyone can boot anything
3. I need a custom shim to both enforce the signature and tell the
   kernel it hasn't. It would work but I think I will loose the
   signature/integrity on my cmdline and initrd

> - create a [signed] driver or uefi app that sets the volatile
> variable, and install it as a Driver### or SysPrep#### boot option
> 

I like this one, when I have some free time on my hands I will play
around it and keep the list informed.

> Adding command line options or any other setting that is not signed
> and is persistent kind of defeats the purpose, so I don't see a point
> in adding support for that.

On my case (I don't know how common it is), I bundle the
`kernel+initrd+cmdline` into a single EFI binary and sign the whole
thing. Making my command line a trusted source. I don't think the kernel
is aware of this and wonder if it could without some terrible hacks.

-- 
Antoine 'xdbob' Damhet

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux