Re: Supported way to require that a service be stopped prior to installing an .rpm package?

2016-10-25 Thread Jeff
Thanks! Moved this topic to devel. Jeff On Tue, Oct 25, 2016 at 7:42 PM, Laura Abbott wrote: > On 10/25/2016 04:23 PM, jha...@gmail.com wrote: > >> Hello, >> >> My team is building and maintaining a fairly complex software stack that >> is being packaged via rpm. As part

Re: Supported way to require that a service be stopped prior to installing an .rpm package?

2016-10-25 Thread Laura Abbott
On 10/25/2016 04:23 PM, jha...@gmail.com wrote: Hello, My team is building and maintaining a fairly complex software stack that is being packaged via rpm. As part of the requirements, the service provided by the .rpm file must be stopped prior to installation / update of the package. Is

Re: Welcome to the "kernel" mailing list

2016-10-25 Thread Jeff
jha...@gmail.com On Tue, Oct 25, 2016 at 7:23 PM, wrote: > Welcome to the "kernel" mailing list! > > To post to this list, send your email to: > > kernel@lists.fedoraproject.org > > You can make such adjustments via email by sending a message to: > >

Re: Kernel configurations for Fedora

2016-10-25 Thread Laura Abbott
On 10/25/2016 10:53 AM, Paul Bolle wrote: On Tue, 2016-10-25 at 10:46 -0700, Laura Abbott wrote: Anyone have experiences with or opinions about the kernel configuration generation? The goal is to only change the way the configurations are generated and not the options that are enabled. Naive

Re: Kernel configurations for Fedora

2016-10-25 Thread Paul Bolle
On Tue, 2016-10-25 at 16:26 -0400, Jarod Wilson wrote: > Should be a simple enough thing to script even, > to get a "stale config options" report, the output of which could be fed > to a find command that removes them from the configs/ tree... Something like scripts/check-configs.pl? Paul Bolle

Re: Kernel configurations for Fedora

2016-10-25 Thread Jarod Wilson
On Tue, Oct 25, 2016 at 04:17:25PM -0400, John W. Linville wrote: > On Tue, 2016-10-25 at 15:59 -0400, Jarod Wilson wrote: > > On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote: > > > > > > On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote: > > > > > > > > The Fedora kernel

Re: Kernel configurations for Fedora

2016-10-25 Thread John W. Linville
On Tue, 2016-10-25 at 15:59 -0400, Jarod Wilson wrote: > On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote: > > > > On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote: > > > > > > The Fedora kernel has had roughly the same system for generating > > > the kernel configuration

Re: Kernel configurations for Fedora

2016-10-25 Thread Jarod Wilson
On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote: > On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote: > > The Fedora kernel has had roughly the same system for generating > > the kernel configuration for a very long time. There are a series > > of files listing configuration

Re: Kernel configurations for Fedora

2016-10-25 Thread Don Zickus
On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote: > The Fedora kernel has had roughly the same system for generating > the kernel configuration for a very long time. There are a series > of files listing configuration choices (CONFIG_FOO=y, CONFIG_FOO > is not set etc.) that get

Re: Kernel configurations for Fedora

2016-10-25 Thread Paul Bolle
On Tue, 2016-10-25 at 10:46 -0700, Laura Abbott wrote: > Anyone have experiences with or opinions about the kernel > configuration generation? The goal is to only change the way > the configurations are generated and not the options that are > enabled. Naive question: why can't we use one .config

Kernel configurations for Fedora

2016-10-25 Thread Laura Abbott
The Fedora kernel has had roughly the same system for generating the kernel configuration for a very long time. There are a series of files listing configuration choices (CONFIG_FOO=y, CONFIG_FOO is not set etc.) that get combined to generate the final config files. This has gotten unsustainable

[PATCH 19/20] MODSIGN: Support not importing certs from db

2016-10-25 Thread Josh Boyer
If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. Have the uefi import code look for this and not import things from the db variable. Signed-off-by: Josh Boyer ---

[PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot

2016-10-25 Thread Josh Boyer
Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This allows for a third party signing certificate to be used in conjunction with signed modules. By importing the public certificate into the 'db' variable, a

[PATCH 17/20] KEYS: Add a system blacklist keyring

2016-10-25 Thread Josh Boyer
This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules and if the module's certificate is found, it will refuse to load. This is useful in cases where third party certificates are used for module

[PATCH 20/20] Add sysrq option to disable secure boot mode

2016-10-25 Thread Josh Boyer
From: Kyle McMartin Bugzilla: N/A Upstream-status: Fedora mustard --- arch/x86/kernel/setup.c | 36 drivers/input/misc/uinput.c | 1 + drivers/tty/sysrq.c | 19 +-- include/linux/input.h | 5 +

[PATCH 16/20] Add an EFI signature blob parser and key loader.

2016-10-25 Thread Josh Boyer
From: Dave Howells X.509 certificates are loaded into the specified keyring as asymmetric type keys. [labb...@fedoraproject.org: Drop KEY_ALLOC_TRUSTED] Signed-off-by: David Howells --- crypto/asymmetric_keys/Kconfig | 8 +++

[PATCH 09/20] x86: Restrict MSR access when module loading is restricted

2016-10-25 Thread Josh Boyer
From: Matthew Garrett Writing to MSRs should not be allowed if module loading is restricted, since it could lead to execution of arbitrary code in kernel mode. Based on a patch by Kees Cook. Cc: Kees Cook Signed-off-by: Matthew Garrett

[PATCH 15/20] Add EFI signature data types

2016-10-25 Thread Josh Boyer
From: Dave Howells Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. Bugzilla: N/A Upstream-status: Fedora mustard for now Signed-off-by: David Howells --- include/linux/efi.h | 17

[PATCH 14/20] hibernate: Disable in a signed modules environment

2016-10-25 Thread Josh Boyer
There is currently no way to verify the resume image when returning from hibernate. This might compromise the signed modules trust model, so until we can work with signed hibernate images we disable it in a secure modules environment. Signed-off-by: Josh Boyer ---

[PATCH 13/20] efi: Add EFI_SECURE_BOOT bit

2016-10-25 Thread Josh Boyer
UEFI machines can be booted in Secure Boot mode. Add an EFI_SECURE_BOOT bit for use with efi_enabled. Signed-off-by: Josh Boyer --- arch/x86/kernel/setup.c | 2 ++ include/linux/efi.h | 1 + 2 files changed, 3 insertions(+) diff --git a/arch/x86/kernel/setup.c

[PATCH 12/20] efi: Disable secure boot if shim is in insecure mode

2016-10-25 Thread Josh Boyer
A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called MokSBState that does not have the runtime attribute set. Given that the user explicitly disabled validation, we can honor that and not enable secure

[PATCH 10/20] Add option to automatically enforce module signatures when in Secure Boot mode

2016-10-25 Thread Josh Boyer
From: Matthew Garrett UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that all kernel modules also be signed. Add a configuration option that enforces this

[PATCH 11/20] efi: Add SHIM and image security database GUID definitions

2016-10-25 Thread Josh Boyer
Add the definitions for shim and image security database, both of which are used widely in various Linux distros. Signed-off-by: Josh Boyer --- include/linux/efi.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h index

[PATCH 04/20] ACPI: Limit access to custom_method

2016-10-25 Thread Josh Boyer
From: Matthew Garrett custom_method effectively allows arbitrary access to system memory, making it possible for an attacker to circumvent restrictions on module loading. Disable it if any such restrictions have been enabled. Signed-off-by: Matthew Garrett

[PATCH 08/20] kexec: Disable at runtime if the kernel enforces module loading restrictions

2016-10-25 Thread Josh Boyer
From: Matthew Garrett kexec permits the loading and execution of arbitrary code in ring 0, which is something that module signing enforcement is meant to prevent. It makes sense to disable kexec in this situation. Signed-off-by: Matthew Garrett

[PATCH 05/20] asus-wmi: Restrict debugfs interface when module loading is restricted

2016-10-25 Thread Josh Boyer
From: Matthew Garrett We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to be manipulated in such a way that arbitrary code can be executed in the kernel, circumventing module

[PATCH 02/20] PCI: Lock down BAR access when module security is enabled

2016-10-25 Thread Josh Boyer
From: Matthew Garrett Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to modify kernel code, allowing them to circumvent disabled module loading or module signing. Default to

[PATCH 01/20] Add secure_modules() call

2016-10-25 Thread Josh Boyer
From: Matthew Garrett Provide a single call to allow kernel code to determine whether the system has been configured to either disable module loading entirely or to load only modules signed with a trusted key. Bugzilla: N/A Upstream-status: Fedora mustard. Replaced

[PATCH 03/20] x86: Lock down IO port access when module security is enabled

2016-10-25 Thread Josh Boyer
From: Matthew Garrett IO port access would permit users to gain access to PCI configuration registers, which in turn (on a lot of hardware) give access to MMIO register space. This would potentially permit root to trigger arbitrary DMA, so lock it down by default.

Refresh Secure Boot patchset

2016-10-25 Thread Josh Boyer
The upstream 0-day bot found an issue with the existing patchset in the rawhide kernel. Everything builds fine as a whole, but if one were to bisect the patches, a build would break because the shim GUID is used in a patch before it is actually defined. Fix this by inserting a patch in the