linux-efi.vger.kernel.org archive mirror
* Disable lockdown while keeping SecureBoot enabled
@ 2022-10-02 15:00 Antoine Damhet
  2022-10-02 15:28 ` Ard Biesheuvel
  0 siblings, 1 reply; 5+ messages in thread
From: Antoine Damhet @ 2022-10-02 15:00 UTC (permalink / raw)
  To: linux-efi


Hello,

Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
SecureBoot enabled and lockdown disabled (I need to do that to allow
undervolting on my Intel laptop).

My current bootchain is:

systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
signed using a personal custom key. I don't use the shim loader.

Until now I disabled the lockdown by setting the `MokSBState` +
`MokSBStateRT` UEFI variables to 1. Now they need to be volatile.

Would you be open to either add a variable or a command-line argument to
disable the kernel lockdown while keeping SecureBoot enabled? If so,
what would be the right way to express it?

Thanks,

[1]: https://lore.kernel.org/linux-efi/20220920153743.3598053-1-ardb@kernel.org/

-- 
Antoine 'xdbob' Damhet



* Re: Disable lockdown while keeping SecureBoot enabled
  2022-10-02 15:00 Disable lockdown while keeping SecureBoot enabled Antoine Damhet
@ 2022-10-02 15:28 ` Ard Biesheuvel
  2022-10-02 17:06   ` Antoine Damhet
  0 siblings, 1 reply; 5+ messages in thread
From: Ard Biesheuvel @ 2022-10-02 15:28 UTC (permalink / raw)
  To: Antoine Damhet, Peter Jones, Matthew Garrett, Kees Cook; +Cc: linux-efi

On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@damhet.fr> wrote:
>
> Hello,
>
> Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
> SecureBoot enabled and lockdown disabled (I need to do that to allow
> undervolting on my Intel laptop).
>
> My current bootchain is:
>
> systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
> signed using a personal custom key. I don't use the shim loader.
>
> Until now I disabled the lockdown by setting the `MokSBState` +
> `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
>

OK, so this means the patch works as intended: MokSBState is owned by
shim, and you are not booting via shim, and so honouring those
variables was a bug.

> Would you be open to either add a variable or a command-line argument to
> disable the kernel lockdown while keeping SecureBoot enabled?

Can't you just omit the lockdown LSM from your kernel build?

> If so,
> what would be the right way to express it?
>
> Thanks,
>
> [1]: https://lore.kernel.org/linux-efi/20220920153743.3598053-1-ardb@kernel.org/
>
> --
> Antoine 'xdbob' Damhet


* Re: Disable lockdown while keeping SecureBoot enabled
  2022-10-02 15:28 ` Ard Biesheuvel
@ 2022-10-02 17:06   ` Antoine Damhet
  2022-10-02 21:15     ` Ard Biesheuvel
  0 siblings, 1 reply; 5+ messages in thread
From: Antoine Damhet @ 2022-10-02 17:06 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: Peter Jones, Matthew Garrett, Kees Cook, linux-efi


On Sun, Oct 02, 2022 at 05:28:16PM +0200, Ard Biesheuvel wrote:
> On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@damhet.fr> wrote:
> >
> > Hello,
> >
> > Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
> > SecureBoot enabled and lockdown disabled (I need to do that to allow
> > undervolting on my Intel laptop).
> >
> > My current bootchain is:
> >
> > systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
> > signed using a personal custom key. I don't use the shim loader.
> >
> > Until now I disabled the lockdown by setting the `MokSBState` +
> > `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
> >
> 
> OK, so this means the patch works as intended: MokSBState is owned by
> shim, and you are not booting via shim, and so honouring those
> variables was a bug.
> 
> > Would you be open to either add a variable or a command-line argument to
> > disable the kernel lockdown while keeping SecureBoot enabled?
> 
> Can't you just omit the lockdown LSM from your kernel build?

It would probably work, but I'm using a downstream Fedora build; I
would rather find a solution that would work in a default configured
state (e.g. one that distributions would be willing to use), if it's possible.

> 
> > If so,
> > what would be the right way to express it?
> >
> > Thanks,
> >
> > [1]: https://lore.kernel.org/linux-efi/20220920153743.3598053-1-ardb@kernel.org/
> >
> > --
> > Antoine 'xdbob' Damhet

-- 
Antoine 'xdbob' Damhet



* Re: Disable lockdown while keeping SecureBoot enabled
  2022-10-02 17:06   ` Antoine Damhet
@ 2022-10-02 21:15     ` Ard Biesheuvel
  2022-10-03  7:14       ` Antoine Damhet
  0 siblings, 1 reply; 5+ messages in thread
From: Ard Biesheuvel @ 2022-10-02 21:15 UTC (permalink / raw)
  To: Antoine Damhet; +Cc: Peter Jones, Matthew Garrett, Kees Cook, linux-efi

On Sun, 2 Oct 2022 at 19:06, Antoine Damhet <antoine@damhet.fr> wrote:
>
> On Sun, Oct 02, 2022 at 05:28:16PM +0200, Ard Biesheuvel wrote:
> > On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@damhet.fr> wrote:
> > >
> > > Hello,
> > >
> > > Since `5f56a74cc0a6d9b9f8ba89cea29cd7c4774cb2b1`[1] I can't have both
> > > SecureBoot enabled and lockdown disabled (I need to do that to allow
> > > undervolting on my Intel laptop).
> > >
> > > My current bootchain is:
> > >
> > > systemd-boot -> kernel+initrd+cmdline as a unified kernel image and
> > > signed using a personal custom key. I don't use the shim loader.
> > >
> > > Until now I disabled the lockdown by setting the `MokSBState` +
> > > `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
> > >
> >
> > OK, so this means the patch works as intended: MokSBState is owned by
> > shim, and you are not booting via shim, and so honouring those
> > variables was a bug.
> >
> > > Would you be open to either add a variable or a command-line argument to
> > > disable the kernel lockdown while keeping SecureBoot enabled?
> >
> > Can't you just omit the lockdown LSM from your kernel build?
>
> It would probably work, but I'm using a downstream Fedora build; I
> would rather find a solution that would work in a default configured
> state (e.g. one that distributions would be willing to use), if it's possible.
>

The distro kernels enable lockdown by default if secure boot is
enabled, and the way to override that is to use shim and put it into
insecure mode. So you have plenty of options here:
- build your kernel without the lockdown LSM
- use the distro kernel with shim
- create a [signed] driver or uefi app that sets the volatile
variable, and install it as a Driver### or SysPrep#### boot option

Adding command line options or any other setting that is not signed
and is persistent kind of defeats the purpose, so I don't see a point
in adding support for that.
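
As an added check (not code from this thread, nor part of the kernel or shim), the script below reads the three things the discussion turns on: the SecureBoot variable, shim's MokSBStateRT variable together with its efivarfs attribute word, and /sys/kernel/security/lockdown, and flags the combinations worth a second look, for instance a MokSBStateRT=1 that is stored non-volatile, which the referenced fix makes the kernel ignore. The efivarfs paths and GUIDs are the standard ones; the constructed byte strings in the comments stand in for real variable contents.

```python
EFIVARS = "/sys/firmware/efi/efivars"
LOCKDOWN = "/sys/kernel/security/lockdown"
# SecureBoot lives under EFI_GLOBAL_VARIABLE_GUID; MokSBStateRT under shim's SHIM_LOCK_GUID.
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
MOKSBSTATE_RT_VAR = "MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"
EFI_VARIABLE_NON_VOLATILE = 0x1  # UEFI attribute bit; set means the variable persists across reboots

def parse_efivar(raw):
    """efivarfs files start with a 4-byte little-endian attribute word, then the data.
    Returns (attributes, data), or None when the variable is absent or truncated."""
    if raw is None or len(raw) < 4:
        return None
    return int.from_bytes(raw[:4], "little"), raw[4:]

def parse_lockdown(text):
    """'[none] integrity confidentiality' -> 'none'; None if unreadable."""
    for tok in (text or "").split():
        if tok.startswith("[") and tok.endswith("]"):
            return tok[1:-1]
    return None

def assess(secureboot_raw, moksbstate_raw, lockdown_text):
    """Decode the inputs (e.g. constructed b'\\x07\\x00\\x00\\x00\\x01' = NV|BS|RT, value 1)
    and list the states that deserve a second look."""
    sb, mok = parse_efivar(secureboot_raw), parse_efivar(moksbstate_raw)
    state = {
        "secure_boot": bool(sb and sb[1][:1] == b"\x01"),
        "mok_sb_disabled": bool(mok and mok[1][:1] == b"\x01"),
        "mok_non_volatile": bool(mok and mok[0] & EFI_VARIABLE_NON_VOLATILE),
        "lockdown": parse_lockdown(lockdown_text),
        "findings": [],
    }
    if state["secure_boot"] and state["lockdown"] == "none":
        state["findings"].append("Secure Boot on but lockdown is 'none': something told the kernel to skip it")
    if state["mok_sb_disabled"] and state["mok_non_volatile"]:
        state["findings"].append("MokSBStateRT=1 is non-volatile (set from the OS, not by shim); fixed kernels ignore it")
    return state

def read_or_none(path, binary=True):
    # Missing files (non-EFI boot, no shim, lockdown LSM absent) simply read as None.
    try:
        with open(path, "rb" if binary else "r") as f:
            return f.read()
    except OSError:
        return None

if __name__ == "__main__":
    print(assess(read_or_none(f"{EFIVARS}/{SECUREBOOT_VAR}"),
                 read_or_none(f"{EFIVARS}/{MOKSBSTATE_RT_VAR}"),
                 read_or_none(LOCKDOWN, binary=False)))
```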


* Re: Disable lockdown while keeping SecureBoot enabled
  2022-10-02 21:15     ` Ard Biesheuvel
@ 2022-10-03  7:14       ` Antoine Damhet
  0 siblings, 0 replies; 5+ messages in thread
From: Antoine Damhet @ 2022-10-03  7:14 UTC (permalink / raw)
  To: Ard Biesheuvel; +Cc: Peter Jones, Matthew Garrett, Kees Cook, linux-efi


On Sun, Oct 02, 2022 at 11:15:28PM +0200, Ard Biesheuvel wrote:
> On Sun, 2 Oct 2022 at 19:06, Antoine Damhet <antoine@damhet.fr> wrote:
> >
> > On Sun, Oct 02, 2022 at 05:28:16PM +0200, Ard Biesheuvel wrote:
> > > On Sun, 2 Oct 2022 at 17:00, Antoine Damhet <antoine@damhet.fr> wrote:

[...]

> > > > Until now I disabled the lockdown by setting the `MokSBState` +
> > > > `MokSBStateRT` UEFI variables to 1. Now they need to be volatile.
> > > >
> > >
> > > OK, so this means the patch works as intended: MokSBState is owned by
> > > shim, and you are not booting via shim, and so honouring those
> > > variables was a bug.
> > >
> > > > Would you be open to either add a variable or a command-line argument to
> > > > disable the kernel lockdown while keeping SecureBoot enabled?

[...]

Thank you for taking the time to answer,

> 
> The distro kernels enable lockdown by default if secure boot is
> enabled, and the way to override that is to use shim and put it into
> insecure mode. So you have plenty of options here:
> - build your kernel without the lockdown LSM

It would work but would be inconvenient for most users IMHO.

> - use the distro kernel with shim

1. If the shim is in secure mode -> I'm back to square 1 and effectively
   the lockdown is enforced
2. Unsecure mode -> anyone can boot anything
3. I need a custom shim to both enforce the signature and tell the
   kernel it hasn't. It would work but I think I will lose the
   signature/integrity on my cmdline and initrd

> - create a [signed] driver or uefi app that sets the volatile
> variable, and install it as a Driver### or SysPrep#### boot option
> 

I like this one; when I have some free time on my hands I will play
around with it and keep the list informed.

> Adding command line options or any other setting that is not signed
> and is persistent kind of defeats the purpose, so I don't see a point
> in adding support for that.

In my case (I don't know how common it is), I bundle the
`kernel+initrd+cmdline` into a single EFI binary and sign the whole
thing, making my command line a trusted source. I don't think the kernel
is aware of this and wonder if it could be without some terrible hacks.

-- 
Antoine 'xdbob' Damhet


