Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
於 二,2012-10-30 於 13:48 -0400,Josh Boyer 提到: > On Mon, Oct 29, 2012 at 05:00:06PM +0800, joeyli wrote: > > Hi Josh, > > Tahashi has a good idea for use strtobool to allow > > 'secureboot_enable=yes' works. Please consider the following change. > > > > > > Thanks a lot! > > Joey Lee > > > > >From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 > > From: Lee, Chun-Yi > > Date: Mon, 29 Oct 2012 16:36:57 +0800 > > Subject: [PATCH] efi: more user-friendly secureboot_enable parameter > > > > From: Takashi Iwai > > > > Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. > > > > Signed-off-by: Lee, Chun-Yi > > --- > > kernel/cred.c |5 +++-- > > 1 files changed, 3 insertions(+), 2 deletions(-) > > > > diff --git a/kernel/cred.c b/kernel/cred.c > > index 3f5be65..70897a2 100644 > > --- a/kernel/cred.c > > +++ b/kernel/cred.c > > @@ -633,9 +633,10 @@ void __init secureboot_enable() > > /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > > static int __init secureboot_enable_opt(char *str) > > { > > - int sb_enable = !!simple_strtol(str, NULL, 0); > > - if (sb_enable) > > + bool sb_enable; > > + if (!strtobool(str, _enable) && sb_enable) > > secureboot_enable(); > > + > > return 1; > > } > > __setup("secureboot_enable=", secureboot_enable_opt); > > This seems like a good change to me. If you don't mind, I'll rework the > existing patch to do this since it hasn't been accepted upstream yet and > give Takashi-san and you appropriate credit in the commit log. > > josh > Thanks for your review and feel free add to your reworked patch. Joey Lee -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
On Mon, Oct 29, 2012 at 05:00:06PM +0800, joeyli wrote: > Hi Josh, > Tahashi has a good idea for use strtobool to allow > 'secureboot_enable=yes' works. Please consider the following change. > > > Thanks a lot! > Joey Lee > > >From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 > From: Lee, Chun-Yi > Date: Mon, 29 Oct 2012 16:36:57 +0800 > Subject: [PATCH] efi: more user-friendly secureboot_enable parameter > > From: Takashi Iwai > > Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. > > Signed-off-by: Lee, Chun-Yi > --- > kernel/cred.c |5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/kernel/cred.c b/kernel/cred.c > index 3f5be65..70897a2 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -633,9 +633,10 @@ void __init secureboot_enable() > /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > static int __init secureboot_enable_opt(char *str) > { > - int sb_enable = !!simple_strtol(str, NULL, 0); > - if (sb_enable) > + bool sb_enable; > + if (!strtobool(str, _enable) && sb_enable) > secureboot_enable(); > + > return 1; > } > __setup("secureboot_enable=", secureboot_enable_opt); This seems like a good change to me. If you don't mind, I'll rework the existing patch to do this since it hasn't been accepted upstream yet and give Takashi-san and you appropriate credit in the commit log. josh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
On Mon, Oct 29, 2012 at 05:00:06PM +0800, joeyli wrote: Hi Josh, Tahashi has a good idea for use strtobool to allow 'secureboot_enable=yes' works. Please consider the following change. Thanks a lot! Joey Lee From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 From: Lee, Chun-Yi j...@suse.com Date: Mon, 29 Oct 2012 16:36:57 +0800 Subject: [PATCH] efi: more user-friendly secureboot_enable parameter From: Takashi Iwai ti...@suse.de Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. Signed-off-by: Lee, Chun-Yi j...@suse.com --- kernel/cred.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index 3f5be65..70897a2 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -633,9 +633,10 @@ void __init secureboot_enable() /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ static int __init secureboot_enable_opt(char *str) { - int sb_enable = !!simple_strtol(str, NULL, 0); - if (sb_enable) + bool sb_enable; + if (!strtobool(str, sb_enable) sb_enable) secureboot_enable(); + return 1; } __setup(secureboot_enable=, secureboot_enable_opt); This seems like a good change to me. If you don't mind, I'll rework the existing patch to do this since it hasn't been accepted upstream yet and give Takashi-san and you appropriate credit in the commit log. josh -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
於 二,2012-10-30 於 13:48 -0400,Josh Boyer 提到: On Mon, Oct 29, 2012 at 05:00:06PM +0800, joeyli wrote: Hi Josh, Tahashi has a good idea for use strtobool to allow 'secureboot_enable=yes' works. Please consider the following change. Thanks a lot! Joey Lee From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 From: Lee, Chun-Yi j...@suse.com Date: Mon, 29 Oct 2012 16:36:57 +0800 Subject: [PATCH] efi: more user-friendly secureboot_enable parameter From: Takashi Iwai ti...@suse.de Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. Signed-off-by: Lee, Chun-Yi j...@suse.com --- kernel/cred.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index 3f5be65..70897a2 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -633,9 +633,10 @@ void __init secureboot_enable() /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ static int __init secureboot_enable_opt(char *str) { - int sb_enable = !!simple_strtol(str, NULL, 0); - if (sb_enable) + bool sb_enable; + if (!strtobool(str, sb_enable) sb_enable) secureboot_enable(); + return 1; } __setup(secureboot_enable=, secureboot_enable_opt); This seems like a good change to me. If you don't mind, I'll rework the existing patch to do this since it hasn't been accepted upstream yet and give Takashi-san and you appropriate credit in the commit log. josh Thanks for your review and feel free add to your reworked patch. Joey Lee -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
Hi Josh, 於 二,2012-09-25 於 09:08 -0400,Josh Boyer 提到: > This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset > in the init_cred struct, which everything else inherits from. This works on > any machine and can be used to develop even if the box doesn't have UEFI. > > Signed-off-by: Josh Boyer > --- > Documentation/kernel-parameters.txt | 7 +++ > kernel/cred.c | 17 + > 2 files changed, 24 insertions(+) > > diff --git a/Documentation/kernel-parameters.txt > b/Documentation/kernel-parameters.txt > index 9b2b8d3..93978d5 100644 ... > diff --git a/kernel/cred.c b/kernel/cred.c > index de728ac..7e6e83f 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -623,6 +623,23 @@ void __init cred_init(void) >0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > } > > +void __init secureboot_enable() > +{ ... > + > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > +static int __init secureboot_enable_opt(char *str) > +{ > + int sb_enable = !!simple_strtol(str, NULL, 0); > + if (sb_enable) > + secureboot_enable(); > + return 1; > +} > +__setup("secureboot_enable=", secureboot_enable_opt); > + > Tahashi has a good idea for use strtobool to allow 'secureboot_enable=yes' works. Please consider the following change. Thanks a lot! Joey Lee >From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 From: Lee, Chun-Yi Date: Mon, 29 Oct 2012 16:36:57 +0800 Subject: [PATCH] efi: more user-friendly secureboot_enable parameter From: Takashi Iwai Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. Signed-off-by: Lee, Chun-Yi --- kernel/cred.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index 3f5be65..70897a2 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -633,9 +633,10 @@ void __init secureboot_enable() /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ static int __init secureboot_enable_opt(char *str) { - int sb_enable = !!simple_strtol(str, NULL, 0); - if (sb_enable) + bool sb_enable; + if (!strtobool(str, _enable) && sb_enable) secureboot_enable(); + return 1; } __setup("secureboot_enable=", secureboot_enable_opt); -- 1.6.0.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
Hi Josh, 於 二,2012-09-25 於 09:08 -0400,Josh Boyer 提到: This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset in the init_cred struct, which everything else inherits from. This works on any machine and can be used to develop even if the box doesn't have UEFI. Signed-off-by: Josh Boyer jwbo...@redhat.com --- Documentation/kernel-parameters.txt | 7 +++ kernel/cred.c | 17 + 2 files changed, 24 insertions(+) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 9b2b8d3..93978d5 100644 ... diff --git a/kernel/cred.c b/kernel/cred.c index de728ac..7e6e83f 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -623,6 +623,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ ... + +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ +static int __init secureboot_enable_opt(char *str) +{ + int sb_enable = !!simple_strtol(str, NULL, 0); + if (sb_enable) + secureboot_enable(); + return 1; +} +__setup(secureboot_enable=, secureboot_enable_opt); + Tahashi has a good idea for use strtobool to allow 'secureboot_enable=yes' works. Please consider the following change. Thanks a lot! Joey Lee From f6841a476f3d332fe7b04cb716e0b518cccd5055 Mon Sep 17 00:00:00 2001 From: Lee, Chun-Yi j...@suse.com Date: Mon, 29 Oct 2012 16:36:57 +0800 Subject: [PATCH] efi: more user-friendly secureboot_enable parameter From: Takashi Iwai ti...@suse.de Use strtobool can allow 'secureboot_enable=yes', it's more user-friendly. Signed-off-by: Lee, Chun-Yi j...@suse.com --- kernel/cred.c |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/cred.c b/kernel/cred.c index 3f5be65..70897a2 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -633,9 +633,10 @@ void __init secureboot_enable() /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ static int __init secureboot_enable_opt(char *str) { - int sb_enable = !!simple_strtol(str, NULL, 0); - if (sb_enable) + bool sb_enable; + if (!strtobool(str, sb_enable) sb_enable) secureboot_enable(); + return 1; } __setup(secureboot_enable=, secureboot_enable_opt); -- 1.6.0.2 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset in the init_cred struct, which everything else inherits from. This works on any machine and can be used to develop even if the box doesn't have UEFI. Signed-off-by: Josh Boyer --- Documentation/kernel-parameters.txt | 7 +++ kernel/cred.c | 17 + 2 files changed, 24 insertions(+) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 9b2b8d3..93978d5 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2562,6 +2562,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. + secureboot_enable= + [KNL] Enables an emulated UEFI Secure Boot mode. This + locks down various aspects of the kernel guarded by the + CAP_COMPROMISE_KERNEL capability. This includes things + like /dev/mem, IO port access, and other areas. It can + be used on non-UEFI machines for testing purposes. + security= [SECURITY] Choose a security module to enable at boot. If this boot parameter is not specified, only the first security module asking for security registration will be diff --git a/kernel/cred.c b/kernel/cred.c index de728ac..7e6e83f 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -623,6 +623,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ + pr_info("Secure boot enabled\n"); + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); +} + +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ +static int __init secureboot_enable_opt(char *str) +{ + int sb_enable = !!simple_strtol(str, NULL, 0); + if (sb_enable) + secureboot_enable(); + return 1; +} +__setup("secureboot_enable=", secureboot_enable_opt); + /** * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- 1.7.11.4 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
[PATCH V3 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset in the init_cred struct, which everything else inherits from. This works on any machine and can be used to develop even if the box doesn't have UEFI. Signed-off-by: Josh Boyer jwbo...@redhat.com --- Documentation/kernel-parameters.txt | 7 +++ kernel/cred.c | 17 + 2 files changed, 24 insertions(+) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 9b2b8d3..93978d5 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt @@ -2562,6 +2562,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. + secureboot_enable= + [KNL] Enables an emulated UEFI Secure Boot mode. This + locks down various aspects of the kernel guarded by the + CAP_COMPROMISE_KERNEL capability. This includes things + like /dev/mem, IO port access, and other areas. It can + be used on non-UEFI machines for testing purposes. + security= [SECURITY] Choose a security module to enable at boot. If this boot parameter is not specified, only the first security module asking for security registration will be diff --git a/kernel/cred.c b/kernel/cred.c index de728ac..7e6e83f 100644 --- a/kernel/cred.c +++ b/kernel/cred.c @@ -623,6 +623,23 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +void __init secureboot_enable() +{ + pr_info(Secure boot enabled\n); + cap_lower((init_cred)-cap_bset, CAP_COMPROMISE_KERNEL); + cap_lower((init_cred)-cap_permitted, CAP_COMPROMISE_KERNEL); +} + +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ +static int __init secureboot_enable_opt(char *str) +{ + int sb_enable = !!simple_strtol(str, NULL, 0); + if (sb_enable) + secureboot_enable(); + return 1; +} +__setup(secureboot_enable=, secureboot_enable_opt); + /** * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- 1.7.11.4 -- To unsubscribe from this list: send the line unsubscribe linux-kernel in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/