[GIT PULL] Kernel lockdown for secure boot
Linus Torvalds
torvalds at linux-foundation.org
Tue Apr 3 23:08:43 UTC 2018
On Tue, Apr 3, 2018 at 3:51 PM, Matthew Garrett <mjg59 at google.com> wrote:
>
> Lockdown is clearly useful without Secure Boot (and I intend to deploy it
> that way for various things), but I still don't understand why you feel
> that the common case of booting a kernel from a boot chain that's widely
> trusted derives no benefit from it being harder to subvert that kernel into
> subverting that boot chain.
It has NOTHING TO DO WITH "HARDER TO SUBVERT".
THE TWO FEATURES HAVE NOTHING TO DO WITH EACH OTHER WHAT-SO-EVER.
I do not want my kernel to act differently depending on some really
esoteric detail in how it was booted. That is fundamentally wrong.
Is that really so hard to understand?
Look at it this way: maybe lockdown breaks some application because
that app does something odd. I get a report of that happening, and it
so happens that the reporter is running the same distro I am, so I try
it with his exact kernel configuration, and it works for me.
It is *entirely* non-obvious that the reporter happened to run a
distro kernel that had secure boot enabled, and I obviously do not.
See what the problem is? Tying these things magically together IS A BAD IDEA.
And when people ask you why you did it, YOU HAVE YET TO COME UP WITH A
SINGLE ACTUAL RESPONSE.
Instead, you just ask people why they care, or tell people to not enable it.
Seriously, Matthew, it's WRONG to tie things together in magic ways
when they have nothing what-so-ever to do with each other.
So no. The answer is simply "don't tie the two things together".
And dammit, if you tie them together, you had damn well have a good
reason. So far, your reasons have _literally_ been "Why not?" and
tried to make the onus be on others to explain to you why not.
That's not the right approach to begin with, Matthew. The onus is on
*you* to explain why you tied them together, not on others to explain
to you - over and over - that they have nothing to do with each other.
This discussion is over until you give an actual honest-to-goodness
reason for why you tied the two features together. No more "Why not?"
crap.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
More information about the Linux-security-module-archive
mailing list