From: Justin Forbes <jmforbes@linuxtx.org>
To: David Howells <dhowells@redhat.com>
Cc: James.Bottomley@hansenpartnership.com,
	Peter Jones <pjones@redhat.com>,
	joeyli.kernel@gmail.com,
	ksummit-discuss@lists.linuxfoundation.org
Subject: Re: [Ksummit-discuss] [TECH TOPIC] Kernel lockdown and secure boot
Date: Wed, 5 Sep 2018 15:34:04 -0500	[thread overview]
Message-ID: <CAFxkdAoiQMuzEq1Dv0=fO6uB2fLcc+0Wb+zuVvSFsAweROfhQQ@mail.gmail.com> (raw)
In-Reply-To: <32341.1536178494@warthog.procyon.org.uk>

On Wed, Sep 5, 2018 at 3:14 PM, David Howells <dhowells@redhat.com> wrote:
> Justin Forbes <jmforbes@linuxtx.org> wrote:
>
>> Lockdown is a config option on its own, just also add a separate
>> config option to enable lockdown on UEFI secure boot.
>
> The patchset has that already (CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT).
>
> One of the issues appears to be that we're making it boot-time conditional at
> all.  If I understand him correctly, Linus seems to want us to make everything
> locked down at compile time or not at all.
>

The last push attempt dropped that patch and did have the compile time
option (CONFIG_LOCK_DOWN_MANDATORY) as well as an option for command line
enabling with lockdown=1 (CONFIG_LOCK_DOWN_KERNEL).  It just didn't
have an option for triggering off of UEFI Secure Boot.  As a distro,
running CONFIG_LOCK_DOWN_MANDATORY isn't much of an option.  We ran
the 4.17 development series in rawhide with CONFIG_LOCK_DOWN_KERNEL,
and no one noticed that their secure boot was off.  This is why it is
somewhat frightening to change the behavior: users assume it is all
working because things boot, and never notice they are missing some
protection that they assumed was there.  Before we rebased stable
distros I reworked the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT to work
with the current patch set and that is what we are carrying now.
While I would love to see everything pushed as a whole, I would still
be much happier than I am now if everything else pushed and we only
had to carry the patch to trigger off of UEFI status.  It is a minor
detail that shouldn't be blocking the entire patch set at this point.
If Linus agrees that it can be pushed with CONFIG_LOCK_DOWN_MANDATORY
as the only option, that is fine.  Still much less out of tree for us
to worry about.
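The point above is that a machine can boot fine with neither Secure Boot nor lockdown actually in effect, and nobody notices. The following is an added example (not code from the thread or from the lockdown patchset) of an explicit host check for both conditions. It assumes the later mainline interfaces rather than the 2018 patchset: /sys/kernel/security/lockdown (kernel 5.4+, contents like "none [integrity] confidentiality") and the efivarfs SecureBoot variable, whose file is 4 attribute bytes followed by one data byte (1 = enabled).

```shell
#!/bin/sh
# Added example: verify that lockdown and UEFI Secure Boot are really active
# instead of assuming so because the system booted.

# Extract the bracketed (active) mode from a /sys/kernel/security/lockdown line.
lockdown_mode() {
    # $1: file contents, e.g. "none [integrity] confidentiality"
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Interpret the SecureBoot efivar given as space-separated hex bytes
# (the format "od -An -tx1" prints): 4 attribute bytes, then the data byte.
secureboot_state() {
    # $1: e.g. "06 00 00 00 01" (constructed sample, Secure Boot enabled)
    set -- $1
    case "$5" in
        01) echo enabled ;;
        00) echo disabled ;;
        *)  echo unknown ;;
    esac
}

# Read the live host. Returns 0 only when a lockdown mode other than
# "none" is active; prints both states so the Secure Boot status is visible.
check_host() {
    ld=none
    sb=unknown
    if [ -r /sys/kernel/security/lockdown ]; then
        ld=$(lockdown_mode "$(cat /sys/kernel/security/lockdown)")
    fi
    # Real GUID of the UEFI global variable namespace, as used by efivarfs.
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    if [ -r "$var" ]; then
        sb=$(secureboot_state "$(od -An -tx1 "$var" | tr -s ' \n' '  ')")
    fi
    echo "secure_boot=$sb lockdown=$ld"
    [ "$ld" != none ]
}

# Usage on a live system: call check_host and act on its exit status, e.g.
#   check_host || echo "WARNING: kernel is not locked down"
```

A non-EFI boot or a kernel without the lockdown LSM reports "unknown" and "none" respectively, which is exactly the silent case the message describes.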
