Re: [RFC] Second attempt at kernel secure boot support

2012-10-31 Thread Jiri Kosina
the hibernation image on the machine itself which, well, doesn't sound secure either). -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line unsubscribe linux-efi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [RFC] Second attempt at kernel secure boot support

2012-10-31 Thread Jiri Kosina
-crafted image, reboot, let the kernel resume from that artificial image. It can be viewed as a very obscure way of rewriting the kernel through /dev/mem (which is obviously not possible when in 'secure boot' environment). -- Jiri Kosina SUSE Labs

Re: [RFC] Second attempt at kernel secure boot support

2012-11-05 Thread Jiri Kosina
this easy handling is happening, I'd appreciate it. Thanks, -- Jiri Kosina SUSE Labs

Re: [RFC] Second attempt at kernel secure boot support

2012-11-05 Thread Jiri Kosina
On Mon, 5 Nov 2012, Jiri Kosina wrote: Do I understand you correctly that by the 'glue' stuff you actually mean the division of the kexec image into segments? Of course, when we are dividing the image into segments and then passing those individually (even more so if some transformations

Re: [RFC] Second attempt at kernel secure boot support

2012-11-06 Thread Jiri Kosina
it being *created* before the machine is ever touched by Linux? Thanks, -- Jiri Kosina SUSE Labs

Re: [PATCH] x86,efi: Implement efi_no_storage_paranoia parameter

2013-04-16 Thread Jiri Kosina
reason to export this symbol? -- Jiri Kosina SUSE Labs

Re: [regression, bisected] x86: efi: Pass boot services variable info to runtime code

2013-05-30 Thread Jiri Kosina
environment, in order to obtain more accurate information. And it's a valid thing to do, according to UEFI specification. -- Jiri Kosina SUSE Labs

Re: [regression, bisected] x86: efi: Pass boot services variable info to runtime code

2013-05-31 Thread Jiri Kosina
of testing this. But the patches are not ready for mainline yet. (*) If one would be naive enough, he'd believe that the pressure should be put on the BIOS writers instead of OS to fix the bug :) -- Jiri Kosina SUSE Labs

Re: [PATCH -v2 0/4] EFI 1:1 mapping

2013-06-20 Thread Jiri Kosina
kexec, I'd be careful in order not to underestimate how much kexec is being used. [At least some] distros are using it during installation process. -- Jiri Kosina SUSE Labs

Re: [PATCH -v2 0/4] EFI 1:1 mapping

2013-06-20 Thread Jiri Kosina
? Windows don't work on those older Macs as well, do they? So if we properly detect those (and only those), we mimic Windows completely, right? -- Jiri Kosina SUSE Labs

Re: [RFC V4 PATCH 00/15] Signature verification of hibernate snapshot

2013-09-26 Thread Jiri Kosina
to the symmetric key -- Jiri Kosina SUSE Labs

Re: [PATCH] Revert x86/mm/ASLR: Propagate base load address calculation

2015-03-16 Thread Jiri Kosina
of rushing things and break booting 4.1 on boxes left and right, we will be very strict and conservative and will take our time with this to fix and test it properly. Signed-off-by: Borislav Petkov b...@suse.de Cc: Jiri Kosina jkos...@suse.cz Agreed. Let's work on a better refresh for 4.1

Re: [PATCH v3 2/7] x86, boot: Move ZO to end of buffer

2015-03-10 Thread Jiri Kosina
...@zytor.com Cc: Matt Fleming matt.flem...@intel.com Cc: Kees Cook keesc...@chromium.org Cc: Thomas Gleixner t...@linutronix.de Cc: Jiri Kosina jkos...@suse.cz Cc: linux-efi@vger.kernel.org Cc: Ingo Molnar mi...@redhat.com Cc: Baoquan He b...@redhat.com Fixes: f47233c2d34f (x86/mm/ASLR

Re: [PATCH v2 08/16] x86/efi: Carrying hibernation key by setup data

2015-08-16 Thread Jiri Kosina
On Sat, 15 Aug 2015, Pavel Machek wrote: For forwarding hibernation key from EFI stub to boot kernel, this patch allocates setup data for carrying hibernation key, size and the status of efi operating. Reviewed-by: Jiri Kosina jkos...@suse.com Jiri, are you sure you reviewed

Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down

2017-04-06 Thread Jiri Kosina
> Swap encryption is not mandatory and I'm not sure how the hibernate > > code can verify whether or not it is in use. > > BTW, SUSE has patches adding secure boot support to the hibernate code > and Jiri promised me to post them last year even. :-) Oh, thanks for a friendly ping :)

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread Jiri Kosina
cation that the code you're running in ring0 can be trusted (IOW is the one that has been signed and verified by the whole boot chain). Checking execution patterns doesn't seem to fit at all. Thanks, -- Jiri Kosina SUSE Labs

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread Jiri Kosina
... and even if that happens, locking down only that particular feature of ftrace would be needed. Thanks, -- Jiri Kosina SUSE Labs

Re: [PATCH 26/30] Lock down ftrace

2017-11-10 Thread Jiri Kosina
to fit at all. > > I'll defer this question to Alexei since he suggested I needed to deal > with this too. Thanks. -- Jiri Kosina SUSE Labs

[PATCH] PTI: unbreak EFI old_memmap

2018-01-05 Thread Jiri Kosina
From: Jiri Kosina <jkos...@suse.cz> old_memmap's efi_call_phys_prolog() calls set_pgd() with swapper PGD that has PAGE_USER set, which makes PTI set NX on it, and therefore EFI can't execute its code. Fix that by forcefully clearing _PAGE_NX from the PGD (this can't be done by the pgpr