diff for duplicates of <1491553688.4184.73.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 9a29411..085fe38 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,6 +1,6 @@ On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote: > On 04/07/17 at 08:07am, David Howells wrote: -> > Dave Young <dyoung@redhat.com> wrote: +> > Dave Young <dyoung-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote: > > > > > > > > + /* Don't permit images to be loaded into trusted kernels if we're not > > > > > > + * going to verify the signature on them @@ -39,9 +39,3 @@ policy requires the new policy or additional rules to be signed. broken userspace. Mimi - - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec diff --git a/a/content_digest b/N1/content_digest index 4e8be7a..c43df34 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -5,26 +5,27 @@ "ref\01491536950.4184.10.camel@linux.vnet.ibm.com\0" "ref\021418.1491548875@warthog.procyon.org.uk\0" "ref\020170407074159.GB10737@dhcp-128-65.nay.redhat.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" + "ref\020170407074159.GB10737-0VdLhd/A9Pl+NNSt+8eSiB/sF2h8X+2i0E9HWUfgJXw@public.gmane.org\0" + "From\0Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" "Subject\0Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set\0" "Date\0Fri, 07 Apr 2017 04:28:08 -0400\0" - "To\0Dave Young <dyoung@redhat.com>" - " David Howells <dhowells@redhat.com>\0" - "Cc\0Matthew Garrett <mjg59@srcf.ucam.org>" - linux-efi@vger.kernel.org - gnomes@lxorguk.ukuu.org.uk - gregkh@linuxfoundation.org - kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Chun-Yi Lee <jlee@suse.com> - linux-security-module@vger.kernel.org - keyrings@vger.kernel.org - " matthew.garrett@nebula.com\0" + "To\0Dave Young <dyoung-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>" + " David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>\0" + "Cc\0linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" + Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org> + linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org + Chun-Yi Lee <jlee-IBi9RG/b67k@public.gmane.org> + gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org + kexec-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org + linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + keyrings-u79uwXL29TY76Z2rM5mHXA@public.gmane.org + " matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org\0" "\00:1\0" "b\0" "On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:\n" "> On 04/07/17 at 08:07am, David Howells wrote:\n" - "> > Dave Young <dyoung@redhat.com> wrote:\n" + "> > Dave Young <dyoung-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:\n" "> > \n" "> > > > > > +\t/* Don't permit images to be loaded into trusted kernels if 
we're not\n" "> > > > > > +\t * going to verify the signature on them\n" @@ -62,12 +63,6 @@ "\302\240Unfortunately, always requiring the policy to be signed, would have\n" "broken userspace.\n" "\n" - "Mimi\n" - "\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + Mimi -03e2184834f30cbe2e9d72a164e51ef1e965eaceb16d014f37944d30ea6cc612 +0be2e4fcc8b0241c63fcc283de640b57a037975499a697bea5ae3e153dfd6863
diff --git a/a/1.txt b/N2/1.txt index 9a29411..9cd4051 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -11,7 +11,7 @@ On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote: > > > > > > > > > > > > > > IMA can be used to verify file signatures too, based on the LSM hooks -> > > > in kernel_read_file_from_fd(). CONFIG_KEXEC_VERIFY_SIG should not be +> > > > in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be > > > > required. > > > > > > Mimi, I remember we talked somthing before about the two signature @@ -31,17 +31,16 @@ the kexec kernel image signature, as the test would not be based on a Kconfig option, but on a runtime variable. To answer your question, the rule for requiring the policy to be -signed is: appraise func=POLICY_CHECK appraise_type=imasig +signed is: ?appraise func=POLICY_CHECK appraise_type=imasig When the ability to append rules is Kconfig enabled, the builtin policy requires the new policy or additional rules to be signed. - Unfortunately, always requiring the policy to be signed, would have +?Unfortunately, always requiring the policy to be signed, would have broken userspace. Mimi - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index 4e8be7a..c7307b1 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -5,21 +5,10 @@ "ref\01491536950.4184.10.camel@linux.vnet.ibm.com\0" "ref\021418.1491548875@warthog.procyon.org.uk\0" "ref\020170407074159.GB10737@dhcp-128-65.nay.redhat.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set\0" "Date\0Fri, 07 Apr 2017 04:28:08 -0400\0" - "To\0Dave Young <dyoung@redhat.com>" - " David Howells <dhowells@redhat.com>\0" - "Cc\0Matthew Garrett <mjg59@srcf.ucam.org>" - linux-efi@vger.kernel.org - gnomes@lxorguk.ukuu.org.uk - gregkh@linuxfoundation.org - kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Chun-Yi Lee <jlee@suse.com> - linux-security-module@vger.kernel.org - keyrings@vger.kernel.org - " matthew.garrett@nebula.com\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Fri, 2017-04-07 at 15:41 +0800, Dave Young wrote:\n" @@ -35,7 +24,7 @@ "> > > > > > \n" "> > > > \n" "> > > > IMA can be used to verify file signatures too, based on the LSM hooks\n" - "> > > > in \302\240kernel_read_file_from_fd(). \302\240CONFIG_KEXEC_VERIFY_SIG should not be\n" + "> > > > in ?kernel_read_file_from_fd(). ?CONFIG_KEXEC_VERIFY_SIG should not be\n" "> > > > required.\n" "> > > \n" "> > > Mimi, I remember we talked somthing before about the two signature \n" 
@@ -55,19 +44,18 @@ "Kconfig option, but on a runtime variable.\n" "\n" "To answer your question, the rule for requiring the policy to be\n" - "signed is: \302\240appraise func=POLICY_CHECK appraise_type=imasig\n" + "signed is: ?appraise func=POLICY_CHECK appraise_type=imasig\n" "\n" "When the ability to append rules is Kconfig enabled, the builtin\n" "policy requires the new policy or additional rules to be signed.\n" - "\302\240Unfortunately, always requiring the policy to be signed, would have\n" + "?Unfortunately, always requiring the policy to be signed, would have\n" "broken userspace.\n" "\n" "Mimi\n" "\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -03e2184834f30cbe2e9d72a164e51ef1e965eaceb16d014f37944d30ea6cc612 +616358e26f1e219fccacd364250b2bc7f7653b2c263ff9f459c128c0200b4142
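Review bot: In the N2 copy, the 1.txt hunks at @@ -11,7 +11,7 @@ and @@ -31,17 +31,16 @@ show a literal "?" wherever the a/ copy has a non-breaking space (the bytes \302\240 in the content_digest hunks), so the quoted IMA rule line reads "signed is: ?appraise func=POLICY_CHECK appraise_type=imasig". The "?" is a character-set conversion artifact of this archive copy and is not part of the rule. Anyone copying the policy rule should take it from the a/ copy, where the text after "signed is:" is "appraise func=POLICY_CHECK appraise_type=imasig". The same applies to "?kernel_read_file_from_fd()", "?CONFIG_KEXEC_VERIFY_SIG" and "?Unfortunately" in these hunks.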
diff --git a/a/1.txt b/N3/1.txt index 9a29411..f512b0c 100644 --- a/a/1.txt +++ b/N3/1.txt @@ -39,9 +39,3 @@ policy requires the new policy or additional rules to be signed. broken userspace. Mimi - - -_______________________________________________ -kexec mailing list -kexec@lists.infradead.org -http://lists.infradead.org/mailman/listinfo/kexec diff --git a/a/content_digest b/N3/content_digest index 4e8be7a..d75b071 100644 --- a/a/content_digest +++ b/N3/content_digest @@ -10,13 +10,13 @@ "Date\0Fri, 07 Apr 2017 04:28:08 -0400\0" "To\0Dave Young <dyoung@redhat.com>" " David Howells <dhowells@redhat.com>\0" - "Cc\0Matthew Garrett <mjg59@srcf.ucam.org>" + "Cc\0linux-kernel@vger.kernel.org" + Matthew Garrett <mjg59@srcf.ucam.org> linux-efi@vger.kernel.org gnomes@lxorguk.ukuu.org.uk + Chun-Yi Lee <jlee@suse.com> gregkh@linuxfoundation.org kexec@lists.infradead.org - linux-kernel@vger.kernel.org - Chun-Yi Lee <jlee@suse.com> linux-security-module@vger.kernel.org keyrings@vger.kernel.org " matthew.garrett@nebula.com\0" @@ -62,12 +62,6 @@ "\302\240Unfortunately, always requiring the policy to be signed, would have\n" "broken userspace.\n" "\n" - "Mimi\n" - "\n" - "\n" - "_______________________________________________\n" - "kexec mailing list\n" - "kexec@lists.infradead.org\n" - http://lists.infradead.org/mailman/listinfo/kexec + Mimi -03e2184834f30cbe2e9d72a164e51ef1e965eaceb16d014f37944d30ea6cc612 +1af4ad7626697cd5dd5e4ac2fef19afc7c87b211069835ee94a350c85d1e8863