Thanks! Moved this topic to devel.
Jeff
On Tue, Oct 25, 2016 at 7:42 PM, Laura Abbott wrote:
> On 10/25/2016 04:23 PM, jha...@gmail.com wrote:
>
>> Hello,
>>
>> My team is building and maintaining a fairly complex software stack that
>> is being packaged via rpm. As part
On 10/25/2016 04:23 PM, jha...@gmail.com wrote:
Hello,
My team is building and maintaining a fairly complex software stack that is
being packaged via rpm. As part of the requirements, the service provided by
the .rpm file must be stopped prior to installation / update of the package.
Is
jha...@gmail.com
On Tue, Oct 25, 2016 at 7:23 PM,
wrote:
> Welcome to the "kernel" mailing list!
>
> To post to this list, send your email to:
>
> kernel@lists.fedoraproject.org
>
> You can make such adjustments via email by sending a message to:
>
>
On 10/25/2016 10:53 AM, Paul Bolle wrote:
On Tue, 2016-10-25 at 10:46 -0700, Laura Abbott wrote:
Anyone have experiences with or opinions about the kernel
configuration generation? The goal is to only change the way
the configurations are generated and not the options that are
enabled.
Naive
On Tue, 2016-10-25 at 16:26 -0400, Jarod Wilson wrote:
> Should be a simple enough thing to script even,
> to get a "stale config options" report, the output of which could be fed
> to a find command that removes them from the configs/ tree...
Something like scripts/check-configs.pl?
Paul Bolle
On Tue, Oct 25, 2016 at 04:17:25PM -0400, John W. Linville wrote:
> On Tue, 2016-10-25 at 15:59 -0400, Jarod Wilson wrote:
> > On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote:
> > >
> > > On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote:
> > > >
> > > > The Fedora kernel
On Tue, 2016-10-25 at 15:59 -0400, Jarod Wilson wrote:
> On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote:
> >
> > On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote:
> > >
> > > The Fedora kernel has had roughly the same system for generating
> > > the kernel configuration
On Tue, Oct 25, 2016 at 02:14:08PM -0400, Don Zickus wrote:
> On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote:
> > The Fedora kernel has had roughly the same system for generating
> > the kernel configuration for a very long time. There are a series
> > of files listing configuration
On Tue, Oct 25, 2016 at 10:46:00AM -0700, Laura Abbott wrote:
> The Fedora kernel has had roughly the same system for generating
> the kernel configuration for a very long time. There are a series
> of files listing configuration choices (CONFIG_FOO=y, CONFIG_FOO
> is not set etc.) that get
On Tue, 2016-10-25 at 10:46 -0700, Laura Abbott wrote:
> Anyone have experiences with or opinions about the kernel
> configuration generation? The goal is to only change the way
> the configurations are generated and not the options that are
> enabled.
Naive question: why can't we use one .config
The Fedora kernel has had roughly the same system for generating
the kernel configuration for a very long time. There are a series
of files listing configuration choices (CONFIG_FOO=y, CONFIG_FOO
is not set etc.) that get combined to generate the final config
files. This has gotten unsustainable
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.
Signed-off-by: Josh Boyer
---
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a
This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules
and if the module's certificate is found, it will refuse to load. This is
useful in cases where third party certificates are used for module
From: Kyle McMartin
Bugzilla: N/A
Upstream-status: Fedora mustard
---
arch/x86/kernel/setup.c | 36
drivers/input/misc/uinput.c | 1 +
drivers/tty/sysrq.c | 19 +--
include/linux/input.h | 5 +
From: Dave Howells
X.509 certificates are loaded into the specified keyring as asymmetric type
keys.
[labb...@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
Signed-off-by: David Howells
---
crypto/asymmetric_keys/Kconfig | 8 +++
From: Matthew Garrett
Writing to MSRs should not be allowed if module loading is restricted,
since it could lead to execution of arbitrary code in kernel mode. Based
on a patch by Kees Cook.
Cc: Kees Cook
Signed-off-by: Matthew Garrett
From: Dave Howells
Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification.
Bugzilla: N/A
Upstream-status: Fedora mustard for now
Signed-off-by: David Howells
---
include/linux/efi.h | 17
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it in
a secure modules environment.
Signed-off-by: Josh Boyer
---
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
for use with efi_enabled.
Signed-off-by: Josh Boyer
---
arch/x86/kernel/setup.c | 2 ++
include/linux/efi.h | 1 +
2 files changed, 3 insertions(+)
diff --git a/arch/x86/kernel/setup.c
A user can manually tell the shim boot loader to disable validation of
images it loads. When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set. Given that the
user explicitly disabled validation, we can honor that and not enable
secure
From: Matthew Garrett
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that enforces this
Add the definitions for shim and image security database, both of which
are used widely in various Linux distros.
Signed-off-by: Josh Boyer
---
include/linux/efi.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if any such restrictions have been enabled.
Signed-off-by: Matthew Garrett
From: Matthew Garrett
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that module signing enforcement is meant to prevent. It makes
sense to disable kexec in this situation.
Signed-off-by: Matthew Garrett
From: Matthew Garrett
We have no way of validating what all of the Asus WMI methods do on a
given machine, and there's a risk that some will allow hardware state to
be manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down from
userspace in order to avoid it being possible for an attacker to modify
kernel code, allowing them to circumvent disabled module loading or module
signing. Default to
From: Matthew Garrett
Provide a single call to allow kernel code to determine whether the system
has been configured to either disable module loading entirely or to load
only modules signed with a trusted key.
Bugzilla: N/A
Upstream-status: Fedora mustard. Replaced
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO register
space. This would potentially permit root to trigger arbitrary DMA, so lock
it down by default.
The upstream 0-day bot found an issue with the existing patchset in the
rawhide kernel. Everything builds fine as a whole, but if one were to
bisect the patches, a build would break because the shim GUID is used
in a patch before it is actually defined.
Fix this by inserting a patch in the
30 matches
Mail list logo