From: Matthew Garrett
To: "gnomes@lxorguk.ukuu.org.uk"
Cc: "linux-kernel@vger.kernel.org", "jmorris@namei.org", "keescook@chromium.org", "linux-security-module@vger.kernel.org", "akpm@linux-foundation.org", "hpa@zytor.com", "jwboyer@fedoraproject.org", "linux-efi@vger.kernel.org", "gregkh@linuxfoundation.org"
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Fri, 14 Mar 2014 22:52:56 +0000
Message-ID: <1394837576.1286.27.camel@x230>
In-Reply-To: <20140314223150.0b49723e@alan.etchedpixels.co.uk>

On Fri, 2014-03-14 at 22:31 +0000, One Thousand Gnomes wrote:
> On Fri, 14 Mar 2014 22:15:45 +0000
> Matthew Garrett wrote:
> > The general problem includes having to support this even without an
> > selinux policy.
>
> Yes. No dispute about that. But equally the general solution should allow
> for it.

Well, sure. The current implementation doesn't conflict with selinux in
any way.

> > some other way. ChromeOS will load unmeasured kernel modules provided it
> > can attest to the trustworthiness of the filesystem containing them.
>
> See "How to Bypass Verified Boot Security in Chromium OS" 8)
>
> And it attests the trustworthiness of the filesystem by measuring it. If
> you have a measurement of object X that states it is unchanged then you
> have a valid measurement of any subset of object X for which the same
> assertion is proven. In this case since you know all the bits in the root
> fs are as before, so you know all the bits in the module are as before

You may attest to the trustworthiness of a filesystem by measuring it,
but you may also attest to it via some other means - for instance, it's
read-only and stored on media that requires physical presence to
modify.

-- 
Matthew Garrett
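The measurement argument in the quoted exchange (one measurement of the whole root filesystem covers every module stored on it, so the module need not be measured separately), as an added Python illustration that is not code from this thread or from ChromeOS. The in-memory filesystem model, the function names and the file contents are constructed for the example.

```python
"""Added illustration (not code from the thread or from ChromeOS): a root
filesystem modelled as path -> bytes, measured as one SHA-256 over its
per-file digests; a module is released for loading only while the live
measurement equals the value recorded when the fs was trusted."""
import hashlib
from typing import Dict, Optional


def measure_fs(fs: Dict[str, bytes]) -> str:
    """Digest over (path, content digest) pairs in sorted path order, so a
    change to any byte of any file changes the result."""
    h = hashlib.sha256()
    for path in sorted(fs):
        h.update(path.encode() + b"\0")
        h.update(hashlib.sha256(fs[path]).digest())
    return h.hexdigest()


def module_if_trusted(fs: Dict[str, bytes], trusted: str, path: str) -> Optional[bytes]:
    """Return the module bytes only if the whole-fs measurement still matches.
    The module is not hashed on its own: being a subset of the measured
    filesystem, it is covered by that single measurement."""
    if measure_fs(fs) != trusted:
        return None
    return fs.get(path)


# Constructed sample root filesystem and its measurement at trust time.
ROOTFS = {
    "/lib/modules/foo.ko": b"\x7fELF-foo-module-v1",
    "/lib/modules/bar.ko": b"\x7fELF-bar-module-v1",
    "/etc/os-release": b"NAME=example\n",
}
TRUSTED = measure_fs(ROOTFS)


def demo() -> dict:
    """Intact fs yields the module; any modification, even to an unrelated
    file, invalidates the measurement and the load is refused."""
    intact = module_if_trusted(ROOTFS, TRUSTED, "/lib/modules/foo.ko")
    tampered = {**ROOTFS, "/lib/modules/foo.ko": b"\x7fELF-foo-module-v2"}
    other = {**ROOTFS, "/etc/os-release": b"NAME=changed\n"}
    return {
        "intact": intact,
        "tampered": module_if_trusted(tampered, TRUSTED, "/lib/modules/foo.ko"),
        "other": module_if_trusted(other, TRUSTED, "/lib/modules/foo.ko"),
    }
```

The "other" case shows the flip side of the subset argument: the guarantee is only as good as the whole-filesystem measurement, so any change anywhere on the filesystem invalidates it, even when the requested module is untouched.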