One Thousand Gnomes gnomes@... writes:
Trusted is rather misleading. It's not trusted, it's *measured*.
It's the same bits you had when you made it, and when you booted it
before. Whether you trust them is a different and quite unrelated
question. You may have reasons to do either.
I
On Wed, Feb 26, 2014 at 3:11 PM, Matthew Garrett
matthew.garr...@nebula.com wrote:
The conclusion we came to at Plumbers was that this patchset was basically
fine but that Linus hated the name securelevel more than I hate pickled
herring, so after thinking about this for a few months I've come
On Wed, Feb 26, 2014 at 2:48 PM, Matthew Garrett
matthew.garr...@nebula.com wrote:
On Wed, 2014-02-26 at 22:41 +, One Thousand Gnomes wrote:
Another issue that needs addressing is firmware. Quite a few of our
request_firmware cases load device firmware which is not signed into DMA
capable
On Thu, Feb 27, 2014 at 01:04:34PM -0500, Josh Boyer wrote:
On Wed, Feb 26, 2014 at 3:11 PM, Matthew Garrett
matthew.garr...@nebula.com wrote:
The conclusion we came to at Plumbers was that this patchset was basically
fine but that Linus hated the name securelevel more than I hate pickled
On Thu, Feb 27, 2014 at 2:07 PM, Greg KH gre...@linuxfoundation.org wrote:
On Thu, Feb 27, 2014 at 01:04:34PM -0500, Josh Boyer wrote:
On Wed, Feb 26, 2014 at 3:11 PM, Matthew Garrett
matthew.garr...@nebula.com wrote:
The conclusion we came to at Plumbers was that this patchset was basically
From: Matt Fleming matt.flem...@intel.com
Instead of littering main() with #ifdef CONFIG_EFI_STUB, move the logic
into separate functions that do nothing if the config option isn't set.
This makes main() much easier to read.
Acked-by: Borislav Petkov b...@suse.de
Signed-off-by: Matt Fleming
From: Matt Fleming matt.flem...@intel.com
Instead of littering main() with #ifdef CONFIG_EFI_STUB, move the logic
into separate functions that do nothing if the config option isn't set.
This makes main() much easier to read.
Acked-by: Borislav Petkov b...@suse.de
Signed-off-by: Matt Fleming
From: Matt Fleming matt.flem...@intel.com
It's not possible to dereference the EFI System table directly when
booting a 64-bit kernel on a 32-bit EFI firmware because the size of
pointers doesn't match.
In preparation for supporting the above use case, build a list of
function pointers on boot so
From: Matt Fleming matt.flem...@intel.com
Now that we have EFI-specific page tables we need to look up the pgd when
dumping those page tables, rather than assuming that swapper_pgdir is
the current pgdir.
Remove the double underscore prefix, which is usually reserved for
static functions.
From: Matt Fleming matt.flem...@intel.com
Some EFI firmware makes use of the FPU during boottime services and
clearing X86_CR4_OSFXSR by overwriting %cr4 causes the firmware to
crash.
Add the PAE bit explicitly instead of trashing the existing contents,
leaving the rest of the bits as the
From: Matt Fleming matt.flem...@intel.com
The EFI handover code only works if the bitness of the firmware and
the kernel match, i.e. 64-bit firmware and 64-bit kernel - it is not
possible to mix the two. This goes against the tradition that a 32-bit
kernel can be loaded on a 64-bit BIOS platform
On Fri, 2014-02-28 at 14:03 +1100, James Morris wrote:
Ok, which tree should take this? I'm happy to, although most of it is
outside security/ .
Security might make the most sense - I don't think any of the additional
restrictions (beyond kexec, and I think we've hashed that argument out