Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Matthew Garrett <matthew.garrett@nebula.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>,
	Borislav Petkov <bp@alien8.de>, Kees Cook <keescook@chromium.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>, "x86@kernel.org" <x86@kernel.org>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: [PATCH] x86: Lock down MSR writing in secure boot
Date: Wed, 13 Feb 2013 18:51:30 +0000	[thread overview]
Message-ID: <1360781490.18083.45.camel@x230.lan> (raw)
In-Reply-To: <511BDF0F.2000005@zytor.com>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 959 bytes --]

On Wed, 2013-02-13 at 10:44 -0800, H. Peter Anvin wrote:

> So people have piggybacked complete inappropriate junk onto 
> CAP_SYS_RAWIO.  Great.  What the hell do we do now?  We can't break 
> apart CAP_SYS_RAWIO because we don't have hierarchical capabilities.

Yeah. Like I said, it's approximately useless.

> We thus have a bunch of unpalatable choices, **all of which are wrong**.
> 
> This, incidentally, is *exactly* the reason I object to 
> CAP_COMPROMISE_KERNEL as well... it describes a usage model, not a resource.

Like I said, I'm not wed to a capability-based model. However, it does
seem marginally more attractive than sprinkling if (!secure_boot) all
over the place. If anyone has alternatives, this would be a great time
to raise them.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
ÿôèº{.nÇ+‰·Ÿ®‰†+%ŠËÿ±éÝ¶\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dÊ‡Ú™ë,j\a¢f£¢·hšïêÿ‘êçz_è®\x03(éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨èÚ&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥