Announcement

Collapse
No announcement yet.

Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

    Phoronix: Torvalds Expresses Concerns Over Current "Kernel Lockdown" Approach

    The kernel lockdown feature further restricts access to the kernel by user-space with what can be accessed or modified, including different /dev points, ACPI restrictions, not allowing unsigned modules, and various other restrictions in the name of greater security. Pairing that with UEFI SecureBoot unconditionally is meeting some resistance by Linus Torvalds...

    http://www.phoronix.com/scan.php?pag...kdown-Concerns

  • #2
    He's right. Secure Boot as it is being pushed is nothing more than a DRM grab. Mind you both kernel lockdown and something like secure boot (cryptographically validated kernel / initramfs) are a good thing overall for security, but *only* under the direct and sole control of the machine's owner. Furthermore, there are applications where a measured boot (Google Chromebooks / Raptor Talos II / etc.) will provide the needed security without the pleading and begging for access from the vendor (yes, I know *currently* most UEFI implementations allow upload of secondary / tertiary keys for OS load, but this is changing and you still don't get control of the primary keys for firmware changes).

    Look how far pleading and begging for Linux DVD and BluRay playback got the community (hint: still illegal to play both on Linux). Do we really want this going forward for access to "our" computer resources?? Good on Linus for pushing back on forcing kernel lockdown for secure boot enabled systems; those who need it can enable it as desired...

    Comment


    • #3
      Linus for president...

      Comment


      • #4
        Most of the cases where there's a valid reason to force this behavior, it can be forced in different ways. Like you could put it in the bootloader or kernel parameters. And for the very few systems which need this to be absolutely inviolable, they could put it in the EFI firmware, or use a custom CoreBoot payload. There's plenty of means for this. Users and distros which want to opt in can do it with little effort.

        For consumer systems, though, many of us don't want it mandated for us. It's just going to be used by DRM-ed applications so they can assume that they only run if SecureBoot is enabled. And then there'll be pressure to hamstring the SecureBoot EFI support for user-provided keys, or to not allow it to be disabled. And people will claim it "doesn't really matter" because the major distro kernels are signed. We've already seen several botched implementations of secure boot, and Matthew Garrett (of all people) should know better than most how often the BIOS/EFI can do things wrong. He regularly posted about firmware fuckups for a while, and he's been working with EFI for a long time. Let's not let the BIOS/EFI settings universally dictate how the kernel runs.

        Comment


        • #5
          Wonder what would happen if Linus wasn't there to stop these "features"...

          Comment


          • #6
            I was accidentally not logged in on a mobile web browser, holy crap this website and thw forum is full of ads.

            Comment


            • #7
              Originally posted by asdfblah View Post
              Wonder what would happen if Linus wasn't there to stop these "features"...
              Anyone know yet if he's growing a competent protege for when he steps down?

              Comment


              • #8
                Originally posted by asdfblah View Post
                Wonder what would happen if Linus wasn't there to stop these "features"...
                there would be pottering and friends there backed by NSA people. And kdbus would be just the beginning...

                Comment


                • #9
                  Originally posted by M1kkko View Post
                  I was accidentally not logged in on a mobile web browser, holy crap this website and thw forum is full of ads.
                  I use an ad-blocker despite Michaels pleads not to use one. Phoronix.com is absolutely unusable without ad-blocker.

                  Comment


                  • #10
                    Originally posted by lowflyer View Post

                    I use an ad-blocker despite Michaels pleads not to use one. Phoronix.com is absolutely unusable without ad-blocker.
                    Meh, the lifetime premium price is/was not that much. Totally worth it over the years.

                    Comment

                    Working...
                    X