diff for duplicates of <1525202847.5669.64.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index a89f6c9..ba2dc7f 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -38,8 +38,8 @@ On Tue, 2018-05-01 at 21:11 +0200, Hans de Goede wrote: > given that the quite old FIRMWARE_PREALLOC_BUFFER is > still not supported / checked properly by the security code. -I posted patches earlier today[1], which address this. Patch 5/6 just -makes it equivalent to READING_FIRMWARE. Patch 6/6 questions whether +I posted patches earlier today[1], which address this. ?Patch 5/6 just +makes it equivalent to READING_FIRMWARE. ?Patch 6/6 questions whether the device has access to the pre-allocated buffer *before* the signature has been verified. @@ -71,14 +71,19 @@ not sure it makes much of a difference. > > The pre read call is for deciding whether to allow this call > > independent of the firmware being loaded, whereas the post security > > call is currently being used by IMA-appraisal for verifying a -> > signature. There might be other LSMs using the post hook as well. As +> > signature. ?There might be other LSMs using the post hook as well. ?As > > there is no kernel signature associated with this firmware, use the > > security pre read_file hook. > > Only the pre hook? I believe the post-hook should still be called too, > right? So that we've hashes of all loaded firmwares in the IMA core. -Good catch! Right, if IMA-measurement is enabled, then we would want +Good catch! ?Right, if IMA-measurement is enabled, then we would want to add the measurement. Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 16be99c..b468a3d 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -2,36 +2,10 @@ "ref\020180429093558.5411-3-hdegoede@redhat.com\0" "ref\01525185374.5669.49.camel@linux.vnet.ibm.com\0" "ref\0dc122066-9973-a1be-3456-6d6181a8fc9f@redhat.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH v5 2/5] efi: Add embedded peripheral firmware support\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH v5 2/5] efi: Add embedded peripheral firmware support\0" "Date\0Tue, 01 May 2018 15:27:27 -0400\0" - "To\0Hans de Goede <hdegoede@redhat.com>" - Ard Biesheuvel <ard.biesheuvel@linaro.org> - Luis R . Rodriguez <mcgrof@kernel.org> - Greg Kroah-Hartman <gregkh@linuxfoundation.org> - Thomas Gleixner <tglx@linutronix.de> - Ingo Molnar <mingo@redhat.com> - " H . Peter Anvin <hpa@zytor.com>\0" - "Cc\0Peter Jones <pjones@redhat.com>" - Dave Olsthoorn <dave@bewaar.me> - Will Deacon <will.deacon@arm.com> - Andy Lutomirski <luto@kernel.org> - Matt Fleming <matt@codeblueprint.co.uk> - David Howells <dhowells@redhat.com> - Josh Triplett <josh@joshtriplett.org> - dmitry.torokhov@gmail.com - mfuzzey@parkeon.com - Kalle Valo <kvalo@codeaurora.org> - Arend Van Spriel <arend.vanspriel@broadcom.com> - Linus Torvalds <torvalds@linux-foundation.org> - nbroeking@me.com - bjorn.andersson@linaro.org - Torsten Duwe <duwe@suse.de> - Kees Cook <keescook@chromium.org> - x86@kernel.org - linux-efi@vger.kernel.org - linux-kernel@vger.kernel.org - " linux-security-module <linux-security-module@vger.kernel.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Tue, 2018-05-01 at 21:11 +0200, Hans de Goede wrote:\n" 
@@ -74,8 +48,8 @@ "> given that the quite old FIRMWARE_PREALLOC_BUFFER is\n" "> still not supported / checked properly by the security code.\n" "\n" - "I posted patches earlier today[1], which address this. \302\240Patch 5/6 just\n" - "makes it equivalent to READING_FIRMWARE. \302\240Patch 6/6 questions whether\n" + "I posted patches earlier today[1], which address this. ?Patch 5/6 just\n" + "makes it equivalent to READING_FIRMWARE. ?Patch 6/6 questions whether\n" "the device has access to the pre-allocated buffer *before* the\n" "signature has been verified.\n" "\n" @@ -107,16 +81,21 @@ "> > The pre read call is for deciding whether to allow this call\n" "> > independent of the firmware being loaded, whereas the post security\n" "> > call is currently being used by IMA-appraisal for verifying a\n" - "> > signature. \302\240There might be other LSMs using the post hook as well. \302\240As\n" + "> > signature. ?There might be other LSMs using the post hook as well. ?As\n" "> > there is no kernel signature associated with this firmware, use the\n" "> > security pre read_file hook.\n" "> \n" "> Only the pre hook? I believe the post-hook should still be called too,\n" "> right? So that we've hashes of all loaded firmwares in the IMA core.\n" "\n" - "Good catch! \302\240Right, if IMA-measurement is enabled, then we would want\n" + "Good catch! ?Right, if IMA-measurement is enabled, then we would want\n" "to add the measurement.\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -b4a2dfa1dc8d3fa674426894387c4653034f4494676602cad5aa57ca4c637db6 +e3442a91c38beb90055acb1bdb98f4b69701718d0281cb61c379cc6806a51464
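Review bot: in the content_digest hunk at -2,36 the N1 copy loses most of the header context: Subject drops the "Re:" prefix, From is rewritten to the "zohar@linux.vnet.ibm.com (Mimi Zohar)" form, and the full To/Cc list collapses to linux-security-module@vger.kernel.org alone. The "ref" lines and the Date are unchanged context, so pair the two copies on those rather than on Subject or recipients, and read the recipient list from the a/ copy when you need to know who received the reply.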
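Review bot: in the body hunks (-38,8 and -71,14 in 1.txt, -74,8 and -107,16 in content_digest) every "\302\240" in the a/ copy, the UTF-8 bytes of a non-breaking space, appears in N1 as a literal "?", which points to a lossy charset conversion in that copy rather than to punctuation the author typed. Quote from the a/ copy so that "this. ?Patch 5/6" and "Good catch! ?Right" are not read as questions. The only other body change is the appended majordomo unsubscribe footer, so the differing digests on the last two lines reflect header and transport rewriting, not a change to the message text.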