Re: [GIT PULL] Kernel lockdown for secure boot

From: Linus Torvalds
Date: Tue Apr 03 2018 - 19:27:38 EST

Next message: Wanpeng Li: "[PATCH v5 0/2] KVM: X86: Add Force Emulation Prefix for "emulate the next instruction""
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 3, 2018 at 4:12 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> What use is secure boot if processes run as root can subvert your kernel?

Stop this idiocy.

The above has now been answered multiple times, several different ways.

The "point" of secure boot may be that you had no choice, or there was
no point at all, it just came that way.

Or the "point" of secure boot may be that you don't trust anybody else
than yourself, but once you've booted you do trust what you booted.

But the *real* point is that this has nothing what-so-ever to do with
secure boot. You may want (or not want) lockdown independently of it.
Don't tie magic boot issues with kernel runtime behavior.

Linus

Next message: Wanpeng Li: "[PATCH v5 0/2] KVM: X86: Add Force Emulation Prefix for "emulate the next instruction""
Previous message: Linus Torvalds: "Re: [GIT PULL] Kernel lockdown for secure boot"
In reply to: David Howells: "Re: [GIT PULL] Kernel lockdown for secure boot"
Next in thread: Andy Lutomirski: "Re: [GIT PULL] Kernel lockdown for secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]