
Re: [GIT PULL] Kernel lockdown for secure boot

From:  Linus Torvalds <torvalds-AT-linux-foundation.org>
To:  Matthew Garrett <mjg59-AT-google.com>
Subject:  Re: [GIT PULL] Kernel lockdown for secure boot
Date:  Tue, 3 Apr 2018 17:25:20 -0700
Message-ID:  <CA+55aFwvuoSHhKnn82VnDndZ6oXMJgwHF604gZ=h3ehHyC600A@mail.gmail.com>
Cc:  Andrew Lutomirski <luto-AT-kernel.org>, David Howells <dhowells-AT-redhat.com>, Ard Biesheuvel <ard.biesheuvel-AT-linaro.org>, James Morris <jmorris-AT-namei.org>, Alan Cox <gnomes-AT-lxorguk.ukuu.org.uk>, Greg Kroah-Hartman <gregkh-AT-linuxfoundation.org>, Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>, Justin Forbes <jforbes-AT-redhat.com>, linux-man <linux-man-AT-vger.kernel.org>, joeyli <jlee-AT-suse.com>, LSM List <linux-security-module-AT-vger.kernel.org>, Linux API <linux-api-AT-vger.kernel.org>, Kees Cook <keescook-AT-chromium.org>, linux-efi <linux-efi-AT-vger.kernel.org>

On Tue, Apr 3, 2018 at 5:16 PM, Matthew Garrett <mjg59@google.com> wrote:
>
> I ignored it because it's not a viable option. Part of the patchset
> disables various kernel command line options. If there's a kernel command
> line option that disables the patchset then it's pointless.

Honestly, I don't think the patchset is viable at all in that case.

No way will any sane distribution take it, potentially breaking a lot
of machines, and have no way to unbreak them except for "oh, btw, you
have to disable secure boot to get things to work again".

That would be insane.

So you'd better allow some command line options.

One reasonable option may be to just disable lockdown by default (to
make machines work reliably), and then have a "if you're anal about
security, add 'lockdown' to the kernel command line".

People who care about this already need to check the secure boot
status, so this would be just one more thing they'd check.

                Linus
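An added example, not code from the message or from the lockdown patchset, of the two checks an operator would combine if the opt-in Linus proposes were adopted: whether the running kernel was given a 'lockdown' parameter, and what the firmware's Secure Boot state is. It assumes the parameter is spelled `lockdown` (optionally `lockdown=<mode>`) and that efivarfs is mounted at its usual path.

```shell
#!/bin/sh
# Assumption: efivarfs mounted here; the GUID is the EFI global-variable GUID.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# has_lockdown_param CMDLINE: exit 0 when a 'lockdown' or 'lockdown=...'
# token is present. Tokens are compared whole so that a substring such as
# 'nolockdown' is not mistaken for the opt-in.
has_lockdown_param() {
    for tok in $1; do
        case "$tok" in
            lockdown|lockdown=*) return 0 ;;
        esac
    done
    return 1
}

# secure_boot_enabled [FILE]: read the EFI SecureBoot variable via efivarfs.
# The file holds 4 bytes of variable attributes followed by the 1-byte
# value; 1 means Secure Boot is enforcing.
# Exit 0 = enabled, 1 = disabled, 2 = unreadable (BIOS boot, efivarfs not
# mounted, or a file too short to carry a value).
secure_boot_enabled() {
    f="${1:-$SB_VAR}"
    [ -r "$f" ] || return 2
    val=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    [ -n "$val" ] || return 2
    [ "$val" = 1 ]
}

# lockdown_state CMDLINE [FILE]: one-line summary suitable for a report.
lockdown_state() {
    if has_lockdown_param "$1"; then opt=on; else opt=off; fi
    sb=0
    secure_boot_enabled "${2:-$SB_VAR}" || sb=$?
    case "$sb" in
        0) echo "lockdown=$opt secureboot=enabled" ;;
        1) echo "lockdown=$opt secureboot=disabled" ;;
        *) echo "lockdown=$opt secureboot=unknown" ;;
    esac
}

# On a live system: lockdown_state "$(cat /proc/cmdline)"
```

A machine that reports `secureboot=enabled` but `lockdown=off` is exactly the configuration Linus's default would leave in place, so the report is the extra line item he says such operators would add to their existing Secure Boot check.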




Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds