Re: [GIT PULL] Kernel lockdown for secure boot

From: Jann Horn
Date: Tue Apr 03 2018 - 20:18:24 EST
On Wed, Apr 4, 2018 at 2:06 AM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Tue, Apr 3, 2018 at 4:59 PM, Matthew Garrett <mjg59@xxxxxxxxxx> wrote:
>>
>> Ok. So we can build distribution kernels that *always* have this on, and to
>> turn it off you have to disable Secure Boot and install a different kernel.
>
> Bingo.
>
> Exactly like EVERY OTHER KERNEL CONFIG OPTION.
>
> Just like all the ones that I've mentioned several times.
>
> Or, like a lot of other kernel options, maybe have a way to just
> disable it on the kernel command line, and let the user know about it.
>
> That would still be better than disabling secure boot entirely in your
> world view, so it's (a) more convenient and (b) better.
>
> Again, in no case does it make sense to tie it into "how did we boot".
> Because that's just inconvenient for everybody.

Without taking a stance regarding whether I think that kernel lockdown
makes sense, I think Matthew's point is this:
If you don't have lockdown, secure boot doesn't provide a benefit,
since an attacker could just modify the init binary instead of messing
with your kernel.
If you have secure boot, you want lockdown to prevent chainloading
into a backdoored version of the real OS.