On Sun, 2012-11-04 at 13:52 +, Matthew Garrett wrote:
On Sun, Nov 04, 2012 at 09:14:47AM +, James Bottomley wrote:
I've actually had more than enough experience with automated installs
over my career: they're either done by paying someone or using a
provisioning system. In either
On Mon, Nov 05, 2012 at 09:12:01AM +, Corentin Chary wrote:
On Sun, Nov 4, 2012 at 7:37 PM, Alan Cox a...@lxorguk.ukuu.org.uk wrote:
Acked-by: Corentin Chary corentin.ch...@gmail.com
This is totally bogus and prevents users from building a kernel which can work in
either mode. As such it's a
On Mon, 2012-11-05 at 11:30 +0100, Greg KH wrote:
Odds are, the windows driver just isn't even loaded on the newer
machines, as ACPI works just fine for this. But, we don't have the
option of shipping custom systems for different laptops like Samsung
does, so we have to probe for this
There is the 'efi_enabled' variable, but it doesn't strictly mean
this_is_a_uefi_system(), it actually means "Do we have EFI runtime
services?". The whole thing is a bit of a mess and I'm planning on
cleaning it up this week.
As far as I can understand it we should be reserving those areas on
On Sun, 2012-11-04 at 17:44 +, Corentin Chary wrote:
On Sun, Nov 4, 2012 at 5:35 PM, Matt Fleming m...@console-pimps.org wrote:
From: Matt Fleming matt.flem...@intel.com
We've started getting reports of users seeing Machine Check Exceptions
when booting their Samsung laptops in UEFI
On Mon, 5 Nov 2012 12:38:58 +
Matthew Garrett mj...@srcf.ucam.org wrote:
On Sun, Nov 04, 2012 at 11:24:17PM -0800, Eric W. Biederman wrote:
H. Peter Anvin h...@zytor.com writes:
That is a hugely different thing from needing a console.
Not at all.
In the general case user
On Sun, 4 Nov 2012, Eric W. Biederman wrote:
Why is when kernel has been securely booted, the in-kernel kexec
mechanism has to verify the signature of the supplied image before
kexecing it not enough? (basically the same thing we are doing for signed
modules already).
For modules
Header length should be validated for all ACPI tables before accessing
any non-header field.
The valid flags should also be checked, as with it clear there's no point
in trying to go through the rest of the code (and there's no guarantee
that the other table contents are valid/consistent in that
On Mon, 5 Nov 2012, Jiri Kosina wrote:
Do I understand you correctly that by the 'glue' stuff you actually mean
the division of the kexec image into segments?
Of course, when we are dividing the image into segments and then passing
those individually (even more so if some transformations
... when CONFIG_FIRMWARE_SIG is set.
Signed-off-by: Takashi Iwai ti...@suse.de
---
Makefile| 6 ++
scripts/Makefile.fwinst | 18 --
2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index a1ccf22..c6d7a3e 100644
---
At Mon, 05 Nov 2012 18:18:24 +0100,
Takashi Iwai wrote:
Hi,
this is a patch series to add the support for firmware signature
check. At this time, the kernel checks extra signature file (*.sig)
for each firmware, instead of embedded signature.
It's just a quick hack using the existing
On Mon, Nov 05, 2012 at 10:37:52AM -0800, Josh Triplett wrote:
On Mon, Nov 05, 2012 at 03:26:41PM +, Jan Beulich wrote:
Header length should be validated for all ACPI tables before accessing
any non-header field.
The valid flags should also be checked, as with it clear there's no point
On Mon, Nov 5, 2012 at 12:18 PM, Takashi Iwai ti...@suse.de wrote:
Hi,
this is a patch series to add the support for firmware signature
check. At this time, the kernel checks extra signature file (*.sig)
for each firmware, instead of embedded signature.
It's just a quick hack using the
* James Bottomley:
Right, but what I'm telling you is that by deciding to allow automatic
first boot, you're causing the windows attack vector problem. You could
easily do a present user test only on first boot which would eliminate
it.
Apparently, the warning will look like this:
Takashi Iwai ti...@suse.de wrote:
this is a patch series to add the support for firmware signature
check. At this time, the kernel checks extra signature file (*.sig)
for each firmware, instead of embedded signature.
It's just a quick hack using the existing module signing mechanism,
thus
David Howells dhowe...@redhat.com wrote:
Takashi Iwai ti...@suse.de wrote:
this is a patch series to add the support for firmware signature
check. At this time, the kernel checks extra signature file (*.sig)
for each firmware, instead of embedded signature.
It's just a quick hack
On Tue, Nov 6, 2012 at 1:18 AM, Takashi Iwai ti...@suse.de wrote:
To be noted, it doesn't support the firmwares via udev but only the
direct loading, and the check for built-in firmware is missing, too.
Generally, both direct loading and udev may request one same firmware
image. And after
Matthew Garrett mj...@srcf.ucam.org writes:
On Mon, Nov 05, 2012 at 11:16:12AM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
No, in the general case the system will do that once it fails to find a
bootable OS on the drive.
In the general case there will be
On Mon, Nov 05, 2012 at 06:46:32PM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
On Mon, Nov 05, 2012 at 11:16:12AM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
No, in the general case the system will do that once it fails to
Matthew Garrett mj...@srcf.ucam.org writes:
On Mon, Nov 05, 2012 at 06:46:32PM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
On Mon, Nov 05, 2012 at 11:16:12AM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
No, in the general
On Mon, Nov 05, 2012 at 07:36:32PM -0800, Eric W. Biederman wrote:
For automated installs you don't have to satisfy me. Feel free to
deliver a lousy solution to your users. Just don't use your arbitrary
design decisions to justify your kernel patches.
My kernel patches are justified by
On Mon, Nov 05, 2012 at 09:19:46PM -0800, Eric W. Biederman wrote:
Matthew Garrett mj...@srcf.ucam.org writes:
On Mon, Nov 05, 2012 at 07:36:32PM -0800, Eric W. Biederman wrote:
For automated installs you don't have to satisfy me. Feel free to
deliver a lousy solution to your users.
2012/11/6 Ming Lei tom.leim...@gmail.com:
On Tue, Nov 6, 2012 at 1:18 AM, Takashi Iwai ti...@suse.de wrote:
To be noted, it doesn't support the firmwares via udev but only the
direct loading, and the check for built-in firmware is missing, too.
Generally, both direct loading and udev may
At Tue, 06 Nov 2012 00:01:52 +,
David Howells wrote:
Takashi Iwai ti...@suse.de wrote:
this is a patch series to add the support for firmware signature
check. At this time, the kernel checks extra signature file (*.sig)
for each firmware, instead of embedded signature.
It's just
At Tue, 6 Nov 2012 15:16:43 +0800,
Ming Lei wrote:
On Tue, Nov 6, 2012 at 3:03 PM, Takashi Iwai ti...@suse.de wrote:
Yeah, it's just uncovered in the patch. As an easy solution, apply the
patch like below to disallow the udev fw loading when signature check
is enforced.
thanks,