On Thu, 26 Oct 2017, David Howells wrote:
> Hi James,
>
> Can you pull this patchset into security/next please?
>
> It adds kernel lockdown support for EFI secure boot. Note that it doesn't yet
> cover:
>
> bpf - No agreement as to how
> ftrace - Recently suggested, query
On Tue, Oct 17, 2017 at 10:00:15AM +0200, Thiebaud Weksteen wrote:
> This patch was mainly developed and tested on Kabylake with PTT as well.
>
> It could be a few things. Are you booting with the EFI stub? Is the
> TPM enabled within the BIOS? Does tpm_tis get loaded? Does it produce
> any log?
On Thu, 2017-10-26 at 17:37 +0100, David Howells wrote:
> Hi James,
>
> Can you pull this patchset into security/next please?
>
> It adds kernel lockdown support for EFI secure boot. Note that it doesn't yet
> cover:
>
> bpf - No agreement as to how
> ftrace - Recently
essed.
.P
Use of debugfs is not permitted as this allows a whole range of actions
including direct configuration of, access to and driving of hardware.
.RE
.\"""""""""""""""""""
[Cc'ing Matthew Garrett]
On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote:
> joeyli wrote:
>
> > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
> > + !is_ima_appraise_enabled() &&
> > + kernel_is_locked_down("kexec of unsigned images"))
>
> This doesn't seem
joeyli wrote:
> + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&
> + !is_ima_appraise_enabled() &&
> + kernel_is_locked_down("kexec of unsigned images"))
This doesn't seem right. It seems that you can then kexec unsigned images
into a locked-down kernel if IMA
Mimi Zohar wrote:
> The patch title and description needs to be updated to refer to
> lockdown, not securelevel.
Fixed, thanks.
> An additional patch could force these rules to be added to the custom
> policy, if lockdown is enabled.
I'll have a look at your patch,
On Thu, 2017-10-26 at 15:42 +0800, joeyli wrote:
> Hi Mimi,
>
> Thank you for reviewing.
>
> On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> > On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > > From: Chun-Yi Lee
> > >
> > > When
Hi Mimi,
Thank you for reviewing.
On Mon, Oct 23, 2017 at 11:54:43AM -0400, Mimi Zohar wrote:
> On Thu, 2017-10-19 at 15:51 +0100, David Howells wrote:
> > From: Chun-Yi Lee
> >
> > When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
> > through