Re: [GIT PULL] Kernel lockdown for secure boot

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: David Howells <dhowells@xxxxxxxxxx>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
From: "Theodore Y. Ts'o" <tytso@xxxxxxx>
Date: Wed, 4 Apr 2018 09:52:51 -0400
Cc: Matthew Garrett <mjg59@xxxxxxxxxx>, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, luto@xxxxxxxxxx, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, jmorris@xxxxxxxxx, Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, jforbes@xxxxxxxxxx, linux-man@xxxxxxxxxxxxxxx, jlee@xxxxxxxx, LSM List <linux-security-module@xxxxxxxxxxxxxxx>, linux-api@xxxxxxxxxxxxxxx, Kees Cook <keescook@xxxxxxxxxxxx>, linux-efi <linux-efi@xxxxxxxxxxxxxxx>
In-reply-to: <24353.1522848817@warthog.procyon.org.uk>
Mail-followup-to: "Theodore Y. Ts'o" <tytso@xxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, Matthew Garrett <mjg59@xxxxxxxxxx>, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, luto@xxxxxxxxxx, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>, jmorris@xxxxxxxxx, Alan Cox <gnomes@xxxxxxxxxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx>, jforbes@xxxxxxxxxx, linux-man@xxxxxxxxxxxxxxx, jlee@xxxxxxxx, LSM List <linux-security-module@xxxxxxxxxxxxxxx>, linux-api@xxxxxxxxxxxxxxx, Kees Cook <keescook@xxxxxxxxxxxx>, linux-efi <linux-efi@xxxxxxxxxxxxxxx>
References: <CA+55aFzYbpRAdma0PvqE+9ygySuKzNKByqOzzMufBoovXVnfPw@mail.gmail.com> <CACdnJuv-VpdhjEe1cMysdHb6Oy67jQqg-_TVHbUrOfH9GmCVvg@mail.gmail.com> <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com> <CA+55aFzJ2sQR13T+20MKEJ5co-f3Ev8rRxQkRCWVaeDSUU3yhQ@mail.gmail.com> <CACdnJuti5Riqoi1sesqPALYHq9LT87o4MFj-0Y5BZqqzJ5579g@mail.gmail.com> <CA+55aFwhi=gz3HLoGST9--n1_kLJNP6jsf8GSesSFxTDCdPdtQ@mail.gmail.com> <CACdnJuuek-sS3esmomNOkjBMV_6VPL2NFCzRd+UGxbZrMe=4nw@mail.gmail.com> <CA+55aFxgrh5eeG9MRSEsJtyL5yTe0TehZ=BS2josGJaLxoMMBQ@mail.gmail.com> <CACdnJutuBaE3RaDx0KM5vDF9Sinrp=3tG9csrS-H3eU-J7-Utw@mail.gmail.com> <24353.1522848817@warthog.procyon.org.uk>
User-agent: Mutt/1.9.4 (2018-02-28)

On Wed, Apr 04, 2018 at 02:33:37PM +0100, David Howells wrote:
> Theodore Y. Ts'o <tytso@xxxxxxx> wrote:
> 
> > Whoa.  Why doesn't lockdown prevent kexec?  Put another away, why
> > isn't this a problem for people who are fearful that Linux could be
> > used as part of a Windows boot virus in a Secure UEFI context?
> 
> Lockdown mode restricts kexec to booting an authorised image (where the
> authorisation may be by signature or by IMA).

If that's true, then Matthew's assertion that lockdown w/o secure boot
is insecure goes away, no?

							- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Follow-Ups:
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Matthew Garrett

References:
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Linus Torvalds
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Matthew Garrett
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Linus Torvalds
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Linus Torvalds
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Matthew Garrett
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Linus Torvalds
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Matthew Garrett
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Linus Torvalds
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: Matthew Garrett
- Re: [GIT PULL] Kernel lockdown for secure boot
  - From: David Howells

Prev by Date: Re: [GIT PULL] Kernel lockdown for secure boot
Next by Date: Re: [GIT PULL] Kernel lockdown for secure boot
Previous by thread: Re: [GIT PULL] Kernel lockdown for secure boot
Next by thread: Re: [GIT PULL] Kernel lockdown for secure boot
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Documentation] [Netdev] [Linux Ethernet Bridging] [Linux Wireless] [Kernel Newbies] [Security] [Linux for Hams] [Netfilter] [Bugtraq] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux RAID] [Linux Admin] [Samba]