LWN: Comments on "Lockdown as a security module"

Lockdown as a security module

faramir — Fri, 28 Jun 2019 15:02:53 +0000

>I actually lean in the opposite direction - if you're not in control of the device signing keys, can you really say that you're the actual owner?

So you are in favor of confusing at least 99.5% of all people in the world about what this feature does? The only people who will understand what is written as you do will be people who have followed this discussion (mostly security geeks and Linux kernel programmers). The alternative wording will be understood by everyone who understand your preferred wording or at least will clue in people who aren't monitoring this discussion that this feature might not do what they want.

And if we are going to be pedantic about it, I would point out that it is likely that >99.5% of the legal "owners" of the systems in question will not in fact be "keyholders"; so your wording is false using the more widely understood legal meaning.

Lockdown as a security module

jfred — Fri, 28 Jun 2019 04:56:20 +0000

Agreed. I think attempting to use "neutral" terminology here disguises the fact that such systems are sometimes used as an instrument of power over the user.

See also game consoles, where manufacturers like to say that the software lockdown is a security measure. It's security for the manufacturer, not for the user.

Lockdown as a security module

nybble41 — Thu, 27 Jun 2019 17:03:50 +0000

I agree. The person holding the device signing keys is the de facto owner of the device—as in the one with the ability to exercise the rights of the owner with respect to the device. This is much more relevant than whoever the de jure owner might be. I would go so far as to say that claiming to sell a device while withholding the device's signing keys and not transferring control to the new de jure owner is an example of fraud. The sale has not been completed until full control of the device has been transferred to the new owner.

Lockdown as a security module

mjg59 — Thu, 27 Jun 2019 14:17:07 +0000

I actually lean in the opposite direction - if you're not in control of the device signing keys, can you really say that you're the actual owner?

Lockdown as a security module

dunlapg — Thu, 27 Jun 2019 12:37:25 +0000

Technologies like UEFI secure boot are intended to guarantee that a locked-down system is running the software intended by its owner (for a definition of "owner" as "whoever holds the signing key recognized by the firmware").

I think using a word like "owner" to mean "whoever holds the signing key" is a twisting of the facts at best (as evidenced by the way that "owner" is used in the next paragraph down); and that we should refuse to play along with this misleading terminology.

Something more neutral like "lockholder" or "keymaster" would be more accurate: "Technologies like UEFI secure boot are intended to guarantee that a locked-down system is running software intended by the lockholder" is perfectly understandable, and clues the reader in to the fact that the "lockholder" may or may not be the actual owner of the device.

Lockdown as a security module

james — Thu, 27 Jun 2019 09:04:14 +0000

Garrett [...] was less worried about incompatible changes.

I think we've seen enough vulnerabilities around this sort of software (Intel ME, AMD's PSP) that we can be sure that running a ten-year-old lockdown LSM is unlikely to be useful.