Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down

2018-04-12 Thread Mimi Zohar
On Wed, 2018-04-11 at 16:09 -0400, Mimi Zohar wrote:
> On Wed, 2018-04-11 at 14:00 -0500, Eric W. Biederman wrote:
> > David Howells writes:
> >
> > > From: Matthew Garrett
> > >
> > > The kexec_load() syscall permits the loading and execution of arbitrary
> > > code in ring 0, which is

Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down

2018-04-11 Thread Mimi Zohar
On Wed, 2018-04-11 at 14:00 -0500, Eric W. Biederman wrote:
> David Howells writes:
>
> > From: Matthew Garrett
> >
> > The kexec_load() syscall permits the loading and execution of arbitrary
> > code in ring 0, which is something that lock-down is meant to prevent. It
> > makes sense to

Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down

2018-04-11 Thread David Howells
Eric W. Biederman wrote:
> Maybe I am missing it but I am not seeing anything that would require
> kexec_file_load be configured such that it checks the loaded kernel.
>
> Without that I don't see the point of disabling kexec_load.

I meant to remove this patch too.

David

Re: [PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down

2018-04-11 Thread Eric W. Biederman
David Howells writes:
> From: Matthew Garrett
>
> The kexec_load() syscall permits the loading and execution of arbitrary
> code in ring 0, which is something that lock-down is meant to prevent. It
> makes sense to disable kexec_load() in this situation.
>
> This does not affect