Re: [GIT PULL] Kernel lockdown for secure boot

From: Andy Lutomirski
Date: Mon Apr 02 2018 - 21:47:14 EST
> On Apr 2, 2018, at 5:59 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
>> On Mon, Apr 2, 2018 at 5:37 PM, Andy Lutomirski <luto@xxxxxxxxxx> wrote:
>>> On 03/30/2018 05:46 PM, James Morris wrote:
>>>
>>>> On Sat, 31 Mar 2018, David Howells wrote:
>>>>
>>>> Date: Thu, 26 Oct 2017 17:37:38 +0100
>>>>
>>>> Hi James,
>>>>
>>>> Can you pull this patchset into security/next please? It has been in
>>>> linux-next since the beginning of March.
>>>>
>>>> It adds kernel lockdown support for EFI secure boot.
>>>
>>>
>>> Applied to
>>> git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git
>>> next-lockdown and next-testing
>>>
>>> Are there any known coverage gaps now?
>>>
>>
>> This is an attempt at a review. I'm replying here because I can't find the
>> actual relevant patch emails.
>>
>> Cover letter:
>>
>>> Here's a set of patches to institute a "locked-down mode" in the
>>> kernel and to trigger that mode if the kernel is booted in secure-boot >
>>> mode or through the command line.
>>
>> I think this is seriously problematic in that it's not well defined. It
>> sounds like "locked-down mode" means "make me feel good about something".
>
> Naming of this feature has been multi-year bikeshedding, so if we
> could just leave the name, that'd be nice.

Fair enough. How about enum kernel_lockdown_level with three modes?

>> "Restrict /dev/{mem,kmem,port} when the kernel is locked down": this should
>> probably split into one restriction for read and one for write.
>
> I think splitting read and write is only useful if there is a use-case
> for only blocking one of them. I struggle to imagine allowing write
> and blocking read, so really it's the case of wanting to allow read
> and disallow write. Is there actually a use-case for this? In all the
> "locked down" cases I've seen, both are desired.
>

Let’s suppose for the sake of argument that UEFI really has a good reason to block writes. Blocking reads (kprobes, perf, etc) sounds extremely annoying, especially if running a stock distro, and I’d much rather not do it unless there’s a specific use case that needs it.
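As an added illustration (not code from the thread, the patch set, or the kernel), here is one way the three-mode `enum kernel_lockdown_level` proposed above could split the /dev/{mem,kmem,port} restriction into a write-blocking "integrity" level and a read-blocking "confidentiality" level, with the level chosen from an assumed `lockdown=` boot parameter and from secure boot. The enumerator names, the operation list, the parser, and the choice that secure boot alone maps to the integrity level (Andy's position, not what the patch set does) are all assumptions made for this example.

```c
/* Added example, not part of the lockdown patch set under discussion.
 * Names and policy mapping are assumptions chosen for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum kernel_lockdown_level {
    LOCKDOWN_NONE = 0,        /* no restrictions */
    LOCKDOWN_INTEGRITY,       /* block operations that can modify the running kernel */
    LOCKDOWN_CONFIDENTIALITY, /* additionally block operations that can read kernel memory */
};

enum lockdown_op {
    OP_DEV_MEM_READ,
    OP_DEV_MEM_WRITE,
    OP_DEV_PORT_READ,
    OP_DEV_PORT_WRITE,
    OP_KPROBES,
    OP_PERF_KERNEL_SAMPLE,
};

/* Lowest level at which each operation becomes forbidden (assumed mapping):
 * writes are an integrity concern, reads a confidentiality concern. */
static enum kernel_lockdown_level op_restricted_at(enum lockdown_op op)
{
    switch (op) {
    case OP_DEV_MEM_WRITE:
    case OP_DEV_PORT_WRITE:
        return LOCKDOWN_INTEGRITY;
    case OP_DEV_MEM_READ:
    case OP_DEV_PORT_READ:
    case OP_KPROBES:
    case OP_PERF_KERNEL_SAMPLE:
        return LOCKDOWN_CONFIDENTIALITY;
    }
    return LOCKDOWN_NONE; /* unreachable for valid ops; forbids everything */
}

/* True if the operation is still permitted at the given level. */
bool lockdown_permits(enum kernel_lockdown_level level, enum lockdown_op op)
{
    return level < op_restricted_at(op);
}

/* Match a whole space-delimited token at p. */
static bool token_is(const char *p, const char *word)
{
    size_t n = strlen(word);
    return strncmp(p, word, n) == 0 && (p[n] == '\0' || p[n] == ' ');
}

/* Parse an assumed boot parameter lockdown=<none|integrity|confidentiality>.
 * Only a whole "lockdown=" token counts (so "notlockdown=" is ignored), the
 * first occurrence wins, and an unknown value fails closed to the strictest
 * level rather than silently unlocking. */
enum kernel_lockdown_level parse_lockdown_param(const char *cmdline)
{
    const char *p = cmdline;
    while ((p = strstr(p, "lockdown=")) != NULL) {
        if (p == cmdline || p[-1] == ' ') {
            p += strlen("lockdown=");
            if (token_is(p, "none"))            return LOCKDOWN_NONE;
            if (token_is(p, "integrity"))       return LOCKDOWN_INTEGRITY;
            if (token_is(p, "confidentiality")) return LOCKDOWN_CONFIDENTIALITY;
            return LOCKDOWN_CONFIDENTIALITY;    /* unknown value: fail closed */
        }
        p += strlen("lockdown=");
    }
    return LOCKDOWN_NONE;
}

/* Effective level: the stricter of what secure boot implies (assumed here to
 * be integrity only) and what the command line requests. The command line can
 * raise the level but never lower it below what secure boot demands. */
enum kernel_lockdown_level effective_level(bool efi_secure_boot, const char *cmdline)
{
    enum kernel_lockdown_level from_sb = efi_secure_boot ? LOCKDOWN_INTEGRITY : LOCKDOWN_NONE;
    enum kernel_lockdown_level from_cmd = parse_lockdown_param(cmdline);
    return from_sb > from_cmd ? from_sb : from_cmd;
}

int main(void)
{
    /* Constructed sample command lines. */
    const char *lines[] = { "quiet", "root=/dev/sda1 lockdown=integrity quiet",
                            "lockdown=confidentiality", "lockdown=typo" };
    const char *names[] = { "none", "integrity", "confidentiality" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
        enum kernel_lockdown_level lvl = effective_level(true, lines[i]);
        printf("%-40s -> %-15s mem read:%d mem write:%d kprobes:%d\n", lines[i], names[lvl],
               lockdown_permits(lvl, OP_DEV_MEM_READ), lockdown_permits(lvl, OP_DEV_MEM_WRITE),
               lockdown_permits(lvl, OP_KPROBES));
    }
    return 0;
}
```

The point of the split is visible in the table: at the integrity level a stock distro keeps /dev/mem reads, kprobes and perf kernel sampling while losing the writes that UEFI cares about; only the confidentiality level takes the reads away too.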