On Fri, Jun 17, 2022 at 07:58:37AM -0400, Mimi Zohar wrote:
On Fri, 2022-06-17 at 11:57 +0800, Coiby Xu wrote:
>Thanks for explaining IMA to me! There is still the question of what's
>the root of trust for .builtin_trusted_keys when there is no real
>signature verification. For example, when
On Thu, 2022-06-16 at 09:21 +0800, Coiby Xu wrote:
> Hi Mimi,
>
> On Thu, Jun 09, 2022 at 11:35:13AM -0400, Mimi Zohar wrote:
> >Hi Coiby,
> >
> >On Fri, 2022-05-27 at 21:43 +0800, Coiby Xu wrote:
> >> It seems I need to only change cover letter and commit message i.e.
> >> there is no concern
On Fri, 2022-06-17 at 11:57 +0800, Coiby Xu wrote:
> >Thanks for explaining IMA to me! There is still the question of what's
> >the root of trust for .builtin_trusted_keys when there is no real
> >signature verification. For example, when CONFIG_KEXEC_SIG is enabled,
> >the default IMA policy is
On Thu, Jun 16, 2022 at 09:15:06AM +0800, Coiby Xu wrote:
Hi Mimi,
Thanks for carefully reviewing the cover letter and patches and
suggesting various improvements! And sorry for the late reply as I need
some time to learn more about secure boot, lockdown and IMA to better
make sense of what
Hi Mimi,
On Thu, Jun 09, 2022 at 11:35:13AM -0400, Mimi Zohar wrote:
Hi Coiby,
On Fri, 2022-05-27 at 21:43 +0800, Coiby Xu wrote:
It seems I need to only change cover letter and commit message i.e.
there is no concern about the code. So it's better to provide a
new cover letter here to
Hi Mimi,
Thanks for carefully reviewing the cover letter and patches and
suggesting various improvements! And sorry for the late reply as I need
some time to learn more about secure boot, lockdown and IMA to better
make sense of what you mean.
On Fri, May 27, 2022 at 12:45:54PM -0400, Mimi
Hi Coiby,
On Fri, 2022-05-27 at 21:43 +0800, Coiby Xu wrote:
> It seems I need to only change cover letter and commit message i.e.
> there is no concern about the code. So it's better to provide a
> new cover letter here to collect new feedback from you thus we
> can avoid unnecessary rounds of
On Fri, 2022-05-27 at 21:43 +0800, Coiby Xu wrote:
> Hi Mimi,
Hi Coiby,
> new cover letter here to collect new feedback from you thus we
> can avoid unnecessary rounds of patch set.
Agreed. Much better. Just a couple of nits.
> Currently when loading a kernel image via the
Hi Mimi,
It seems I need to only change cover letter and commit message i.e.
there is no concern about the code. So it's better to provide a
new cover letter here to collect new feedback from you thus we
can avoid unnecessary rounds of patch set.
Currently when loading a kernel image via the
On Wed, 2022-05-25 at 17:59 +0800, Coiby Xu wrote:
> Hi Mimi,
>
> On Fri, May 20, 2022 at 01:04:47PM -0400, Mimi Zohar wrote:
> >Hi Coiby,
> >
> >On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
> >
> >The cover letter should start out with an overall problem description
> >and then continue
Hi Mimi,
On Fri, May 20, 2022 at 01:04:47PM -0400, Mimi Zohar wrote:
Hi Coiby,
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
The cover letter should start out with an overall problem description
and then continue with the specifics. In this case each of the arch's
use different keyrings
Hi Coiby,
On Thu, 2022-05-12 at 15:01 +0800, Coiby Xu wrote:
The cover letter should start out with an overall problem description
and then continue with the specifics. In this case each of the arch's
use different keyrings to validate the kexec kernel image signature. I
would continue with
Currently, a problem faced by arm64 is if a kernel image is signed by a
MOK key, loading it via the kexec_file_load() system call would be
rejected with the error "Lockdown: kexec: kexec of unsigned images is
restricted; see man kernel_lockdown.7". This happens because arm64 uses
only the primary