Re: [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
Quoting Matthew Garrett (m...@redhat.com):
> From: Josh Boyer
>
> This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
> in the init_cred struct, which everything else inherits from. This works on
> any machine and can be used to develop even if the box doesn't have UEFI.
>
> Signed-off-by: Josh Boyer

Acked-by: Serge E. Hallyn

> --- > kernel/cred.c | 17 + > 1 file changed, 17 insertions(+) > > diff --git a/kernel/cred.c b/kernel/cred.c > index de728ac..7e6e83f 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -623,6 +623,23 @@ void __init cred_init(void) >0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > } > > +void __init secureboot_enable() > +{ > + pr_info("Secure boot enabled\n"); > + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > +} > + > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > +static int __init secureboot_enable_opt(char *str) > +{ > + int sb_enable = !!simple_strtol(str, NULL, 0); > + if (sb_enable) > + secureboot_enable(); > + return 1; > +} > +__setup("secureboot_enable=", secureboot_enable_opt); > + > /** > * prepare_kernel_cred - Prepare a set of credentials for a kernel service > * @daemon: A userspace daemon to be used as a reference > -- > 1.7.11.4
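Review bot: secureboot_enable() is defined with an empty parameter list and without static, while the diffstat shows only kernel/cred.c changing, so no prototype for it is visible in this patch. Declare it as void __init secureboot_enable(void), and either add the declaration to a header that the later UEFI caller can include or keep the function static until a second caller exists.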
Re: [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
On Thu, 2012-09-20 at 10:41 -0400, Matthew Garrett wrote:
> From: Josh Boyer
>
> This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
> in the init_cred struct, which everything else inherits from. This works on
> any machine and can be used to develop even if the box doesn't have UEFI.
>
> Signed-off-by: Josh Boyer

Patch works for me to test locking the IO port access.

Tested-by: Lee, Chun-Yi

Joey Lee

> --- > kernel/cred.c | 17 + > 1 file changed, 17 insertions(+) > > diff --git a/kernel/cred.c b/kernel/cred.c > index de728ac..7e6e83f 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -623,6 +623,23 @@ void __init cred_init(void) >0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > } > > +void __init secureboot_enable() > +{ > + pr_info("Secure boot enabled\n"); > + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > +} > + > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > +static int __init secureboot_enable_opt(char *str) > +{ > + int sb_enable = !!simple_strtol(str, NULL, 0); > + if (sb_enable) > + secureboot_enable(); > + return 1; > +} > +__setup("secureboot_enable=", secureboot_enable_opt); > + > /** > * prepare_kernel_cred - Prepare a set of credentials for a kernel service > * @daemon: A userspace daemon to be used as a reference
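Review bot: In secureboot_enable_opt(), simple_strtol(str, NULL, 0) cannot distinguish a malformed value from 0, so a command line such as secureboot_enable=yes leaves CAP_COMPROMISE_KERNEL in place with no message while the handler still returns 1. Because this option exists to switch a restriction on, consider kstrtoint() with a pr_warn() on parse failure, so that a mistyped value shows up in the boot log instead of silently booting unrestricted.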
Re: [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
On Thu, Sep 20, 2012 at 05:32:37PM +0100, Greg KH wrote:
> On Thu, Sep 20, 2012 at 10:41:02AM -0400, Matthew Garrett wrote:
> > From: Josh Boyer
> >
> > This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
> > in the init_cred struct, which everything else inherits from. This works on
> > any machine and can be used to develop even if the box doesn't have UEFI.
> >
> > Signed-off-by: Josh Boyer
> > --- > > kernel/cred.c | 17 + > > 1 file changed, 17 insertions(+) > > > > diff --git a/kernel/cred.c b/kernel/cred.c > > index de728ac..7e6e83f 100644 > > --- a/kernel/cred.c > > +++ b/kernel/cred.c > > @@ -623,6 +623,23 @@ void __init cred_init(void) > > 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > > } > > > > +void __init secureboot_enable() > > +{ > > + pr_info("Secure boot enabled\n"); > > + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > > + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > > +} > > + > > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > > +static int __init secureboot_enable_opt(char *str) > > +{ > > + int sb_enable = !!simple_strtol(str, NULL, 0); > > + if (sb_enable) > > + secureboot_enable(); > > + return 1; > > +} > > +__setup("secureboot_enable=", secureboot_enable_opt);
>
> Document this please in the bootparams file.

Oops, yes. Will do. Thanks for pointing it out.

josh
Re: [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode
On Thu, Sep 20, 2012 at 10:41:02AM -0400, Matthew Garrett wrote:
> From: Josh Boyer
>
> This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset
> in the init_cred struct, which everything else inherits from. This works on
> any machine and can be used to develop even if the box doesn't have UEFI.
>
> Signed-off-by: Josh Boyer
> --- > kernel/cred.c | 17 + > 1 file changed, 17 insertions(+) > > diff --git a/kernel/cred.c b/kernel/cred.c > index de728ac..7e6e83f 100644 > --- a/kernel/cred.c > +++ b/kernel/cred.c > @@ -623,6 +623,23 @@ void __init cred_init(void) >0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); > } > > +void __init secureboot_enable() > +{ > + pr_info("Secure boot enabled\n"); > + cap_lower((_cred)->cap_bset, CAP_COMPROMISE_KERNEL); > + cap_lower((_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); > +} > + > +/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ > +static int __init secureboot_enable_opt(char *str) > +{ > + int sb_enable = !!simple_strtol(str, NULL, 0); > + if (sb_enable) > + secureboot_enable(); > + return 1; > +} > +__setup("secureboot_enable=", secureboot_enable_opt);

Document this please in the bootparams file.

thanks,

greg k-h