diff for duplicates of <1509032805.5886.52.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 1e1d77f..52d7f37 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,7 +1,7 @@ [Cc'ing Matthew Garrett] On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote: -> joeyli <jlee-IBi9RG/b67k@public.gmane.org> wrote: +> joeyli <jlee@suse.com> wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > + !is_ima_appraise_enabled() && @@ -10,12 +10,12 @@ On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote: > This doesn't seem right. It seems that you can then kexec unsigned images > into a locked-down kernel if IMA appraise is enabled. -Huh?! With the "secure_boot" policy enabled on the boot command line, +Huh?! ?With the "secure_boot" policy enabled on the boot command line, IMA-appraisal would verify the kexec kernel image, firmware, kernel -modules, and custom IMA policy signatures. With the "ima: require +modules, and custom IMA policy signatures. ?With the "ima: require secure_boot rules in lockdown mode" patch, the "lockdown" mode would enable IMA-appraisal's secure_boot policy, without requiring the boot -command line option. It would also add the secure_boot rules to the +command line option. ?It would also add the secure_boot rules to the custom policy, so that if the builtin policy is replaced with a custom policy, the "secure_boot" policy would still be enforced. @@ -23,3 +23,8 @@ Other patches in this patch series need to be updated as well to check if IMA-appraisal is enabled. Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 6fc682e..f0e1f2c 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -3,25 +3,16 @@ "ref\0150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk\0" "ref\01508774083.3639.124.camel@linux.vnet.ibm.com\0" "ref\026694.1509030144@warthog.procyon.org.uk\0" - "ref\026694.1509030144-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org\0" - "From\0Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" - "Subject\0Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set\0" "Date\0Thu, 26 Oct 2017 11:46:45 -0400\0" - "To\0David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>" - " joeyli <jlee-IBi9RG/b67k@public.gmane.org>\0" - "Cc\0linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" - gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org - linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - jforbes-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org - " Matthew Garrett <mjg59-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "[Cc'ing Matthew Garrett]\n" "\n" "On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote:\n" - "> joeyli <jlee-IBi9RG/b67k@public.gmane.org> wrote:\n" + "> joeyli <jlee@suse.com> wrote:\n" "> \n" "> > +\tif (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&\n" "> > +\t !is_ima_appraise_enabled() &&\n" @@ -30,18 +21,23 @@ "> This doesn't seem right. It seems that you can then kexec unsigned images\n" "> into a locked-down kernel if IMA appraise is enabled.\n" "\n" - "Huh?! \302\240With the \"secure_boot\" policy enabled on the boot command line,\n" + "Huh?! ?With the \"secure_boot\" policy enabled on the boot command line,\n" "IMA-appraisal would verify the kexec kernel image, firmware, kernel\n" - "modules, and custom IMA policy signatures. \302\240With the \"ima: require\n" + "modules, and custom IMA policy signatures. ?With the \"ima: require\n" "secure_boot rules in lockdown mode\" patch, the \"lockdown\" mode would\n" "enable IMA-appraisal's secure_boot policy, without requiring the boot\n" - "command line option. \302\240It would also add the secure_boot rules to the\n" + "command line option. ?It would also add the secure_boot rules to the\n" "custom policy, so that if the builtin policy is replaced with a custom\n" "policy, the \"secure_boot\" policy would still be enforced.\n" "\n" "Other patches in this patch series need to be updated as well to check\n" "if IMA-appraisal is enabled.\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -f951f68a10b269b9f9f953937c85ad0d207bce70eff7fa2b85e9f97850c08782 +7a1e72ec137a3ea56349b650c4d5c4a33f479e55355c2d70c0ce880589d91dd7
diff --git a/a/1.txt b/N2/1.txt index 1e1d77f..df215ca 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,7 +1,7 @@ [Cc'ing Matthew Garrett] On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote: -> joeyli <jlee-IBi9RG/b67k@public.gmane.org> wrote: +> joeyli <jlee@suse.com> wrote: > > > + if (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) && > > + !is_ima_appraise_enabled() && diff --git a/a/content_digest b/N2/content_digest index 6fc682e..411e8d7 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -3,25 +3,24 @@ "ref\0150842468754.7923.10037578333644594134.stgit@warthog.procyon.org.uk\0" "ref\01508774083.3639.124.camel@linux.vnet.ibm.com\0" "ref\026694.1509030144@warthog.procyon.org.uk\0" - "ref\026694.1509030144-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org\0" - "From\0Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>\0" + "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Subject\0Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set\0" "Date\0Thu, 26 Oct 2017 11:46:45 -0400\0" - "To\0David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>" - " joeyli <jlee-IBi9RG/b67k@public.gmane.org>\0" - "Cc\0linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" - gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org - linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org - linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org - jforbes-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org - " Matthew Garrett <mjg59-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\0" + "To\0David Howells <dhowells@redhat.com>" + " joeyli <jlee@suse.com>\0" + "Cc\0linux-security-module@vger.kernel.org" + gnomes@lxorguk.ukuu.org.uk + linux-efi@vger.kernel.org + gregkh@linuxfoundation.org + linux-kernel@vger.kernel.org + jforbes@redhat.com + " Matthew Garrett <mjg59@google.com>\0" "\00:1\0" "b\0" "[Cc'ing Matthew Garrett]\n" "\n" "On Thu, 2017-10-26 at 16:02 +0100, David Howells wrote:\n" - "> joeyli <jlee-IBi9RG/b67k@public.gmane.org> wrote:\n" + "> joeyli <jlee@suse.com> wrote:\n" "> \n" "> > +\tif (!IS_ENABLED(CONFIG_KEXEC_VERIFY_SIG) &&\n" "> > +\t !is_ima_appraise_enabled() &&\n" @@ -44,4 +43,4 @@ "\n" Mimi -f951f68a10b269b9f9f953937c85ad0d207bce70eff7fa2b85e9f97850c08782 +d34f3ca476c43ef5cb45e14f6987df523d69b2806740d937ebbc8b6ebb596d67
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.