diff for duplicates of <1510698696.7703.21.camel@HansenPartnership.com> diff --git a/a/1.txt b/N1/1.txt index c998c83..5447f79 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,6 +1,6 @@ On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote: > On Tue, Nov 14, 2017 at 2:14 PM, James Bottomley -> <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote: +> <James.Bottomley@hansenpartnership.com> wrote: > > > > On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote: > > > @@ -13,8 +13,8 @@ On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote: > > Actually, I'd disagree with that quite a lot: measured boot only > > works if you're attesting to something outside of your system that > > has the capability for doing something about a wrong -> > measurement. Absent that, measured boot has no safety -> > whatsoever. Secure boot, on the other hand, can enforce not +> > measurement.??Absent that, measured boot has no safety +> > whatsoever.??Secure boot, on the other hand, can enforce not > > booting with elements that fail the signature check. > > Measured boot has a great deal of value in the sealing of private @@ -26,7 +26,7 @@ On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote: OK, so I agree that if you have sealed something required for boot (and have the capability for resealing it on OS upgrade) you can use -measurements locally. However, I don't believe we have any systems +measurements locally. ?However, I don't believe we have any systems today in Linux which can do this (we have theoretical ideas about how we might do it with LUKS root keys and one day we might actually have the infrastructure to make it viable for a standard laptop). @@ -35,7 +35,12 @@ Absent that, secure boot provides a reasonable measure of security which works with today's infrastructure. Note: this doesn't mean I necessarily want signatures everywhere (like -firmware). We can sign elements in blobs that provide the effective +firmware). ?We can sign elements in blobs that provide the effective security without needing more granular signatures. James + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index e68080f..e6c8000 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -12,32 +12,15 @@ "ref\0CACdnJuvzPnMwsAF4mUJXCaJWQ=nCc9Yi5u3gj1A0+BsWf1Swgw@mail.gmail.com\0" "ref\01510697658.7703.12.camel@HansenPartnership.com\0" "ref\0CACdnJuuYasij2_JAvdvof-8PRgKMSAT1NOBzHG=Vr-4MN79SNg@mail.gmail.com\0" - "ref\0CACdnJuuYasij2_JAvdvof-8PRgKMSAT1NOBzHG=Vr-4MN79SNg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org\0" - "From\0James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>\0" - "Subject\0Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" + "From\0James.Bottomley@hansenpartnership.com (James Bottomley)\0" + "Subject\0Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" "Date\0Tue, 14 Nov 2017 14:31:36 -0800\0" - "To\0Matthew Garrett <mjg59-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\0" - "Cc\0Luis R. Rodriguez <mcgrof-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>" - Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> - Johannes Berg <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org> - Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> - Alan Cox <gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org> - AKASHI - Takahiro <takahiro.akashi-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> - Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org> - Jan Blunck <jblunck-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> - Julia Lawall <julia.lawall-L2FTfq7BK8M@public.gmane.org> - Marcus Meissner <meissner-l3A5Bk7waGM@public.gmane.org> - Gary Lin <GLin-IBi9RG/b67k@public.gmane.org> - LSM List <linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - linux-efi <linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - " Linux Kernel Mailing List <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote:\n" "> On Tue, Nov 14, 2017 at 2:14 PM, James Bottomley\n" - "> <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote:\n" + "> <James.Bottomley@hansenpartnership.com> wrote:\n" "> > \n" "> > On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote:\n" "> > > \n" @@ -50,8 +33,8 @@ "> > Actually, I'd disagree with that quite a lot: measured boot only\n" "> > works if you're attesting to something outside of your system that\n" "> > has the capability for doing something about a wrong\n" - "> > measurement.\302\240\302\240Absent that, measured boot has no safety\n" - "> > whatsoever.\302\240\302\240Secure boot, on the other hand, can enforce not\n" + "> > measurement.??Absent that, measured boot has no safety\n" + "> > whatsoever.??Secure boot, on the other hand, can enforce not\n" "> > booting with elements that fail the signature check.\n" "> \n" "> Measured boot has a great deal of value in the sealing of private\n" @@ -63,7 +46,7 @@ "\n" "OK, so I agree that if you have sealed something required for boot (and\n" "have the capability for resealing it on OS upgrade) you can use\n" - "measurements locally. \302\240However, I don't believe we have any systems\n" + "measurements locally. ?However, I don't believe we have any systems\n" "today in Linux which can do this (we have theoretical ideas about how\n" "we might do it with LUKS root keys and one day we might actually have\n" "the infrastructure to make it viable for a standard laptop).\n" @@ -72,9 +55,14 @@ "which works with today's infrastructure.\n" "\n" "Note: this doesn't mean I necessarily want signatures everywhere (like\n" - "firmware). \302\240We can sign elements in blobs that provide the effective\n" + "firmware). ?We can sign elements in blobs that provide the effective\n" "security without needing more granular signatures.\n" "\n" - James + "James\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -3d1f78782c7d607e39094872f792569f311d756490946f5a13345272d48b0505 +ba3d436ae2480d885c47f779f7f2ba4bfa76cd9342bde778cc581da1f9dffa31
diff --git a/a/1.txt b/N2/1.txt index c998c83..1c2120d 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -1,6 +1,6 @@ On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote: > On Tue, Nov 14, 2017 at 2:14 PM, James Bottomley -> <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote: +> <James.Bottomley@hansenpartnership.com> wrote: > > > > On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote: > > > diff --git a/a/content_digest b/N2/content_digest index e68080f..6bea884 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -12,32 +12,31 @@ "ref\0CACdnJuvzPnMwsAF4mUJXCaJWQ=nCc9Yi5u3gj1A0+BsWf1Swgw@mail.gmail.com\0" "ref\01510697658.7703.12.camel@HansenPartnership.com\0" "ref\0CACdnJuuYasij2_JAvdvof-8PRgKMSAT1NOBzHG=Vr-4MN79SNg@mail.gmail.com\0" - "ref\0CACdnJuuYasij2_JAvdvof-8PRgKMSAT1NOBzHG=Vr-4MN79SNg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org\0" - "From\0James Bottomley <James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>\0" + "From\0James Bottomley <James.Bottomley@hansenpartnership.com>\0" "Subject\0Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown\0" "Date\0Tue, 14 Nov 2017 14:31:36 -0800\0" - "To\0Matthew Garrett <mjg59-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>\0" - "Cc\0Luis R. Rodriguez <mcgrof-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>" - Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> - Johannes Berg <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org> - Mimi Zohar <zohar-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org> - David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> - Alan Cox <gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org> + "To\0Matthew Garrett <mjg59@google.com>\0" + "Cc\0Luis R. Rodriguez <mcgrof@kernel.org>" + Linus Torvalds <torvalds@linux-foundation.org> + Johannes Berg <johannes@sipsolutions.net> + Mimi Zohar <zohar@linux.vnet.ibm.com> + David Howells <dhowells@redhat.com> + Alan Cox <gnomes@lxorguk.ukuu.org.uk> AKASHI - Takahiro <takahiro.akashi-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> - Greg Kroah-Hartman <gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org> - Jan Blunck <jblunck-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> - Julia Lawall <julia.lawall-L2FTfq7BK8M@public.gmane.org> - Marcus Meissner <meissner-l3A5Bk7waGM@public.gmane.org> - Gary Lin <GLin-IBi9RG/b67k@public.gmane.org> - LSM List <linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - linux-efi <linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org> - " Linux Kernel Mailing List <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>\0" + Takahiro <takahiro.akashi@linaro.org> + Greg Kroah-Hartman <gregkh@linuxfoundation.org> + Jan Blunck <jblunck@infradead.org> + Julia Lawall <julia.lawall@lip6.fr> + Marcus Meissner <meissner@suse.de> + Gary Lin <GLin@suse.com> + LSM List <linux-security-module@vger.kernel.org> + linux-efi <linux-efi@vger.kernel.org> + " Linux Kernel Mailing List <linux-kernel@vger.kernel.org>\0" "\00:1\0" "b\0" "On Tue, 2017-11-14 at 14:17 -0800, Matthew Garrett wrote:\n" "> On Tue, Nov 14, 2017 at 2:14 PM, James Bottomley\n" - "> <James.Bottomley-JuX6DAaQMKPCXq6kfMZ53/egYHeGw8Jk@public.gmane.org> wrote:\n" + "> <James.Bottomley@hansenpartnership.com> wrote:\n" "> > \n" "> > On Tue, 2017-11-14 at 15:55 -0500, Matthew Garrett wrote:\n" "> > > \n" @@ -77,4 +76,4 @@ "\n" James -3d1f78782c7d607e39094872f792569f311d756490946f5a13345272d48b0505 +fb53052b332d74dae3e0ebac9b95e949ee045b1b8920ae730db7a1a4c0ae01e3
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.