Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2015-04-22 Thread Dan Carpenter
On Fri, Mar 13, 2015 at 11:38:28AM -1000, Matthew Garrett wrote: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that the kernel prevent userspace from inserting untrusted kernel > code at r

[PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2015-03-13 Thread Matthew Garrett
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that the kernel prevent userspace from inserting untrusted kernel code at runtime. Add a configuration option that enforces this automatically when

Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2014-02-27 Thread Kees Cook
On Wed, Feb 26, 2014 at 2:48 PM, Matthew Garrett wrote: > On Wed, 2014-02-26 at 22:41 +, One Thousand Gnomes wrote: >> Another issue that needs addressing is firmware. Quite a few of our >> request_firmware cases load device firmware which is not signed into DMA >> capable hardware. Probably a

Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2014-02-26 Thread Matthew Garrett
On Wed, 2014-02-26 at 22:41 +, One Thousand Gnomes wrote: > I think you have a load more cases to attempt to paper over before you > even pretend to achieve that goal. Firewire for example. Also it only > remotely begins to work if you also force CAP_SYS_RAWIO off globally as > you need to for

Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2014-02-26 Thread H. Peter Anvin
On 02/26/2014 02:41 PM, One Thousand Gnomes wrote: > On Wed, 26 Feb 2014 15:11:13 -0500 > Matthew Garrett wrote: > >> UEFI Secure Boot provides a mechanism for ensuring that the firmware will >> only load signed bootloaders and kernels. Certain use cases may also >> require that the kernel preven

Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2014-02-26 Thread One Thousand Gnomes
On Wed, 26 Feb 2014 15:11:13 -0500 Matthew Garrett wrote: > UEFI Secure Boot provides a mechanism for ensuring that the firmware will > only load signed bootloaders and kernels. Certain use cases may also > require that the kernel prevent userspace from inserting untrusted kernel > code at runtim

[PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode

2014-02-26 Thread Matthew Garrett
UEFI Secure Boot provides a mechanism for ensuring that the firmware will only load signed bootloaders and kernels. Certain use cases may also require that the kernel prevent userspace from inserting untrusted kernel code at runtime. Add a configuration option that enforces this automatically when