diff for duplicates of <1510193857.4484.95.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 0ff7bd4..ab9bb1b 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -27,12 +27,12 @@ > request_firmware_signable(), which should be used in place of (a) > for all verification-aware drivers, that would be fine. -I really don't understand why you need a new function. The +I really don't understand why you need a new function.??The request_firmware() eventually calls kernel_read_file_from_path(), which already calls the pre and post LSM hooks. IMA-appraisal is already on these hooks verifying the requested -firmware's signature. For systems with "lockdown" enabled, but +firmware's signature. ?For systems with "lockdown" enabled, but without IMA-appraisal enabled, define a small, builtin LSM that sits on these LSM hooks and denies the unsigned firmware requests. @@ -45,3 +45,8 @@ Mimi > features of request_firmware variants like _(no)wait or _direct. > > -Takahiro AKASHI + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index af74249..c4f8fe9 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -6,24 +6,10 @@ "ref\020171108061551.GD7859@linaro.org\0" "ref\020171108194626.GQ22894@wotan.suse.de\0" "ref\020171109014841.GF7859@linaro.org\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" "Date\0Wed, 08 Nov 2017 21:17:37 -0500\0" - "To\0AKASHI" - Takahiro <takahiro.akashi@linaro.org> - " Luis R. Rodriguez <mcgrof@kernel.org>\0" - "Cc\0Greg Kroah-Hartman <gregkh@linuxfoundation.org>" - Linus Torvalds <torvalds@linux-foundation.org> - Jan Blunck <jblunck@infradead.org> - Julia Lawall <julia.lawall@lip6.fr> - David Howells <dhowells@redhat.com> - Marcus Meissner <meissner@suse.de> - Gary Lin <GLin@suse.com> - linux-security-module@vger.kernel.org - gnomes@lxorguk.ukuu.org.uk - linux-efi <linux-efi@vger.kernel.org> - linux-kernel@vger.kernel.org - " Matthew Garrett <mjg59@google.com>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "> > IMHO that should just fail then, ie, a \"locked down\" kernel should not want to\n" @@ -55,12 +41,12 @@ "> request_firmware_signable(), which should be used in place of (a)\n" "> for all verification-aware drivers, that would be fine.\n" "\n" - "I really don't understand why you need a new function.\302\240\302\240The\n" + "I really don't understand why you need a new function.??The\n" "request_firmware() eventually calls kernel_read_file_from_path(),\n" "which already calls the pre and post LSM hooks.\n" "\n" "IMA-appraisal is already on these hooks verifying the requested\n" - "firmware's signature. \302\240For systems with \"lockdown\" enabled, but\n" + "firmware's signature. ?For systems with \"lockdown\" enabled, but\n" "without IMA-appraisal enabled, define a small, builtin LSM that sits\n" "on these LSM hooks and denies the unsigned firmware requests.\n" "\n" 
@@ -72,6 +58,11 @@ "> But I think that \"signable\" should be allowed to be combined with other\n" "> features of request_firmware variants like _(no)wait or _direct.\n" "> \n" - > -Takahiro AKASHI + "> -Takahiro AKASHI\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -87ead2888aa322634552d0323cceb3436a671b7d3e183e9deb2611963e9baa69 +9a8cddef165d809fa23813073b0035feff340d1a58cf4911b1c27a411894ee2e
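Review bot: in the 1.txt hunk at @@ -27,12 +27,12 @@, the N1 side has literal "?" characters after "function." and "signature." where the a/ side has plain spacing. The matching content_digest hunk shows the a/ side carried \302\240 (a UTF-8 non-breaking space) at those positions, so this is lossy charset conversion in the N1 copy, not a change in wording. Treat the a/ copy as the reference text when quoting this message.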
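Review bot: in the content_digest hunk at @@ -6,24 +6,10 @@, the N1 side rewrites From to the "address (name)" form, drops "Re:" from the Subject, and reduces To/Cc to linux-security-module@vger.kernel.org alone, while the Date and ref lines stay as unchanged context. Together with the majordomo footer appended in the later hunks, this points to a list-archive re-export of the same message, so the differing trailing digests reflect header and footer rewriting and not a difference in what the author wrote.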