Re: [GIT PULL] Kernel lockdown for secure boot

2017-10-26 Thread James Morris
On Thu, 26 Oct 2017, David Howells wrote: > Hi James, > > Can you pull this patchset into security/next please? > > It adds kernel lockdown support for EFI secure boot. Note that it doesn't yet > cover: > > bpf - No agreement as to how > ftrace - Recently suggested, query

Re: [PATCH v3 4/5] efi: call get_event_log before ExitBootServices

2017-10-26 Thread Jarkko Sakkinen
On Tue, Oct 17, 2017 at 10:00:15AM +0200, Thiebaud Weksteen wrote: > This patch was mainly developed and tested on Kabylake with PTT as well. > > It could be a few things. Are you booting with the EFI stub? Is the > TPM enabled within the BIOS? Does tpm_tis get loaded? Does it produce > any log?

Re: [GIT PULL] Kernel lockdown for secure boot

2017-10-26 Thread Mimi Zohar
On Thu, 2017-10-26 at 17:37 +0100, David Howells wrote: > Hi James, > > Can you pull this patchset into security/next please? > > It adds kernel lockdown support for EFI secure boot. Note that it doesn't yet > cover: > > bpf - No agreement as to how > ftrace - Recently

[GIT PULL] Kernel lockdown for secure boot

2017-10-26 Thread David Howells
essed. .P Use of debugfs is not permitted as this allows a whole range of actions including direct configuration of, access to and driving of hardware. .RE .\"""""""""""""""""""

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread Mimi Zohar
[Cc'ing Matthew Garrett] On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote: > joeyli wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > + !is_ima_appraise_enabled() && > > + kernel_is_locked_down("kexec of unsigned images")) > > This doesn't seem

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread David Howells
joeyli wrote: > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > + !is_ima_appraise_enabled() && > + kernel_is_locked_down("kexec of unsigned images")) This doesn't seem right. It seems that you can then kexec unsigned images into a locked-down kernel if IMA

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread David Howells
Mimi Zohar wrote: > The patch title and description needs to be updated to refer to > lockdown, not securelevel. Fixed, thanks. > An additional patch could force these rules to be added to the custom > policy, if lockdown is enabled. I'll have a look at your patch,

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread Mimi Zohar
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote: > Hi Mimi, > > Thank you for reviewing. > > On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > > From: Chun-Yi Lee > > > > > > When

Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set

2017-10-26 Thread joeyli
Hi Mimi, Thank you for reviewing. On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote: > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote: > > From: Chun-Yi Lee > > > > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image > > through