diff for duplicates of <1526349751.3937.78.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index b3c1c5d..b0cf757 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -2,10 +2,10 @@ On Mon, 2018-05-14 at 19:28 +0000, Luis R. Rodriguez wrote: [...] -> > At runtime, in the case +> >?At runtime, in the case > > that regdb is enabled and a custom policy requires IMA-appraisal > > firmware signature verification, then both signature verification -> > methods will verify the signatures. If either fails, then the +> > methods will verify the signatures. ?If either fails, then the > > signature verification will fail. > > OK so you're saying that if CONFIG_IMA_APPRAISE_FIRMWARE is disabled you can @@ -25,14 +25,14 @@ Right > built-in policy on the boot command line. No, there are a couple of policies predefined in the kernel that can -be loaded by specifying them on the boot command line. A custom -policy can be loaded later. Only after specifying a policy on the +be loaded by specifying them on the boot command line. ?A custom +policy can be loaded later. ?Only after specifying a policy on the boot command line or loading a custom policy, does IMA do anything. > > - CONFIG_IMA_APPRAISE is not fine enough grained. > > -> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar +> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. ?Similar > > Kconfig options will require kernel modules, kexec'ed image, and the > > IMA policy to be signed. > @@ -59,7 +59,7 @@ The kernel is verifying signatures. > firmware signing facility. In order for IMA-appraisal to verify firmware signatures, the -signatures need to be distributed with the firmware. Perhaps this +signatures need to be distributed with the firmware. ?Perhaps this will be enough of an incentive for distros to start including firmware signatures in the packages. 
@@ -67,8 +67,13 @@ signatures in the packages. > I'm happy to hear it. The functionality has been there since commit 5a9196d ("ima: add -support for measuring and appraising firmware"). The +support for measuring and appraising firmware"). ?The security_kernel_fw_from_file() hook was later replaced with the generic security_kernel_read_file() hook. Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 20766f6..f3c3377 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -9,49 +9,20 @@ "ref\020180511215250.GJ27853@wotan.suse.de\0" "ref\01526302692.3898.145.camel@linux.vnet.ibm.com\0" "ref\020180514192853.GM27853@wotan.suse.de\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 3/6] firmware: differentiate between signed regulatory.db and other firmware\0" "Date\0Mon, 14 May 2018 22:02:31 -0400\0" - "To\0Luis R. Rodriguez <mcgrof@kernel.org>" - Harald Hoyer <harald@redhat.com> - Hannes Reinecke <hare@suse.de> - " Johannes Thumshirn <jthumshirn@suse.de>\0" - "Cc\0Eric W. Biederman <ebiederm@xmission.com>" - Casey Schaufler <casey@schaufler-ca.com> - Alexei Starovoitov <ast@kernel.org> - David Miller <davem@davemloft.net> - Jessica Yu <jeyu@kernel.org> - Al Viro <viro@zeniv.linux.org.uk> - One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk> - Matthew Garrett <mjg59@srcf.ucam.org> - Peter Jones <pjones@redhat.com> - AKASHI - Takahiro <takahiro.akashi@linaro.org> - David Howells <dhowells@redhat.com> - linux-wireless <linux-wireless@vger.kernel.org> - Kalle Valo <kvalo@codeaurora.org> - Seth Forshee <seth.forshee@canonical.com> - Johannes Berg <johannes.berg@intel.com> - linux-integrity@vger.kernel.org - Hans de Goede <hdegoede@redhat.com> - Ard Biesheuvel <ard.biesheuvel@linaro.org> - linux-security-module@vger.kernel.org - linux-kernel@vger.kernel.org - Kees Cook <keescook@chromium.org> - Greg Kroah-Hartman <gregkh@linuxfoundation.org> - Andres Rodriguez <andresx7@gmail.com> - Linus Torvalds <torvalds@linux-foundation.org> - " Andy Lutomirski <luto@kernel.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Mon, 2018-05-14 at 19:28 +0000, Luis R. Rodriguez wrote:\n" "\n" "[...] 
\n" "\n" - "> > At runtime, in the case\n" + "> >?At runtime, in the case\n" "> > that regdb is enabled and a custom policy requires IMA-appraisal\n" "> > firmware signature verification, then both signature verification\n" - "> > methods will verify the signatures. If either fails, then the\n" + "> > methods will verify the signatures. ?If either fails, then the\n" "> > signature verification will fail.\n" "> \n" "> OK so you're saying that if CONFIG_IMA_APPRAISE_FIRMWARE is disabled you can\n" @@ -71,14 +42,14 @@ "> built-in policy on the boot command line.\n" "\n" "No, there are a couple of policies predefined in the kernel that can\n" - "be loaded by specifying them on the boot command line. A custom\n" - "policy can be loaded later. Only after specifying a policy on the\n" + "be loaded by specifying them on the boot command line. ?A custom\n" + "policy can be loaded later. ?Only after specifying a policy on the\n" "boot command line or loading a custom policy, does IMA do anything.\n" "\n" "\n" "> > - CONFIG_IMA_APPRAISE is not fine enough grained.\n" "> > \n" - "> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar\n" + "> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. ?Similar\n" "> > Kconfig options will require kernel modules, kexec'ed image, and the\n" "> > IMA policy to be signed.\n" "> \n" @@ -105,7 +76,7 @@ "> firmware signing facility.\n" "\n" "In order for IMA-appraisal to verify firmware signatures, the\n" - "signatures need to be distributed with the firmware. Perhaps this\n" + "signatures need to be distributed with the firmware. ?Perhaps this\n" "will be enough of an incentive for distros to start including firmware\n" "signatures in the packages.\n" "\n" 
@@ -113,10 +84,15 @@ "> I'm happy to hear it.\n" "\n" "The functionality has been there since commit 5a9196d (\"ima: add\n" - "support for measuring and appraising firmware\"). The\n" + "support for measuring and appraising firmware\"). ?The\n" "security_kernel_fw_from_file() hook was later replaced with the\n" "generic security_kernel_read_file() hook.\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -4715ff47c0fa0f211ccf39b8df0f7e7fba1a6107f144afb91bac1f3d9ed6caec +c477facb8e0b047be5d09810057c88aca12bcf0dca76649e3a96d38bb70da220
diff --git a/a/1.txt b/N2/1.txt index b3c1c5d..ebcb676 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -2,10 +2,10 @@ On Mon, 2018-05-14 at 19:28 +0000, Luis R. Rodriguez wrote: [...] -> > At runtime, in the case +> > At runtime, in the case > > that regdb is enabled and a custom policy requires IMA-appraisal > > firmware signature verification, then both signature verification -> > methods will verify the signatures. If either fails, then the +> > methods will verify the signatures. If either fails, then the > > signature verification will fail. > > OK so you're saying that if CONFIG_IMA_APPRAISE_FIRMWARE is disabled you can @@ -25,14 +25,14 @@ Right > built-in policy on the boot command line. No, there are a couple of policies predefined in the kernel that can -be loaded by specifying them on the boot command line. A custom -policy can be loaded later. Only after specifying a policy on the +be loaded by specifying them on the boot command line. A custom +policy can be loaded later. Only after specifying a policy on the boot command line or loading a custom policy, does IMA do anything. > > - CONFIG_IMA_APPRAISE is not fine enough grained. > > -> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar +> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar > > Kconfig options will require kernel modules, kexec'ed image, and the > > IMA policy to be signed. > @@ -59,7 +59,7 @@ The kernel is verifying signatures. > firmware signing facility. In order for IMA-appraisal to verify firmware signatures, the -signatures need to be distributed with the firmware. Perhaps this +signatures need to be distributed with the firmware. Perhaps this will be enough of an incentive for distros to start including firmware signatures in the packages. 
@@ -67,7 +67,7 @@ signatures in the packages. > I'm happy to hear it. The functionality has been there since commit 5a9196d ("ima: add -support for measuring and appraising firmware"). The +support for measuring and appraising firmware"). The security_kernel_fw_from_file() hook was later replaced with the generic security_kernel_read_file() hook. diff --git a/a/content_digest b/N2/content_digest index 20766f6..104edaf 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -48,10 +48,10 @@ "\n" "[...] \n" "\n" - "> > At runtime, in the case\n" + "> >\302\240At runtime, in the case\n" "> > that regdb is enabled and a custom policy requires IMA-appraisal\n" "> > firmware signature verification, then both signature verification\n" - "> > methods will verify the signatures. If either fails, then the\n" + "> > methods will verify the signatures. \302\240If either fails, then the\n" "> > signature verification will fail.\n" "> \n" "> OK so you're saying that if CONFIG_IMA_APPRAISE_FIRMWARE is disabled you can\n" @@ -71,14 +71,14 @@ "> built-in policy on the boot command line.\n" "\n" "No, there are a couple of policies predefined in the kernel that can\n" - "be loaded by specifying them on the boot command line. A custom\n" - "policy can be loaded later. Only after specifying a policy on the\n" + "be loaded by specifying them on the boot command line. \302\240A custom\n" + "policy can be loaded later. \302\240Only after specifying a policy on the\n" "boot command line or loading a custom policy, does IMA do anything.\n" "\n" "\n" "> > - CONFIG_IMA_APPRAISE is not fine enough grained.\n" "> > \n" - "> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. Similar\n" + "> > The CONFIG_IMA_APPRAISE_FIRMWARE will be a Kconfig option. \302\240Similar\n" "> > Kconfig options will require kernel modules, kexec'ed image, and the\n" "> > IMA policy to be signed.\n" "> \n" 
@@ -105,7 +105,7 @@ "> firmware signing facility.\n" "\n" "In order for IMA-appraisal to verify firmware signatures, the\n" - "signatures need to be distributed with the firmware. Perhaps this\n" + "signatures need to be distributed with the firmware. \302\240Perhaps this\n" "will be enough of an incentive for distros to start including firmware\n" "signatures in the packages.\n" "\n" @@ -113,10 +113,10 @@ "> I'm happy to hear it.\n" "\n" "The functionality has been there since commit 5a9196d (\"ima: add\n" - "support for measuring and appraising firmware\"). The\n" + "support for measuring and appraising firmware\"). \302\240The\n" "security_kernel_fw_from_file() hook was later replaced with the\n" "generic security_kernel_read_file() hook.\n" "\n" Mimi -4715ff47c0fa0f211ccf39b8df0f7e7fba1a6107f144afb91bac1f3d9ed6caec +190ff33a57c51555798f67836640b754a6e1eee025378f590d3a0769afe94e5a