diff for duplicates of <1533325650.4337.527.camel@linux.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 5360b58..f29fa96 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -26,7 +26,7 @@ On Fri, 2018-08-03 at 11:16 -0500, Seth Forshee wrote: > > > CONFIG_KEXEC_VERIFY_SIG is enabled, since it effectively renders that > > > option impotent? Or has that idea already been rejected? > > -> > Agreed! We can modify the "case LOADING_KEXEC_IMAGE" in +> > Agreed! We can modify the "case LOADING_KEXEC_IMAGE" in > > ima_load_data() to prevent the kexec_load based on > > CONFIG_KEXEC_VERIFY_SIG. > > @@ -44,9 +44,9 @@ On Fri, 2018-08-03 at 11:16 -0500, Seth Forshee wrote: > whether or not the kernel was booted under secure boot. That might be > reasonable, though I still find this mechanism kind of awkward. -Right, the above change is almost right. Instead of preventing the +Right, the above change is almost right. Instead of preventing the kexec_load syscall based on CONFIG_KEXEC_VERIFY_SIG it should be based -on a runtime secure boot flag. Only if there is an arch specific +on a runtime secure boot flag. Only if there is an arch specific secure boot function and the secure boot flag is enabled, would the kexec_load be disabled. diff --git a/a/content_digest b/N1/content_digest index 292d338..0ba281f 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -44,7 +44,7 @@ "> > > CONFIG_KEXEC_VERIFY_SIG is enabled, since it effectively renders that\n" "> > > option impotent? Or has that idea already been rejected?\n" "> > \n" - "> > Agreed! \302\240We can modify the \"case LOADING_KEXEC_IMAGE\" in\n" + "> > Agreed! We can modify the \"case LOADING_KEXEC_IMAGE\" in\n" "> > ima_load_data() to prevent the kexec_load based on\n" "> > CONFIG_KEXEC_VERIFY_SIG.\n" "> > \n" 
@@ -62,9 +62,9 @@ "> whether or not the kernel was booted under secure boot. That might be\n" "> reasonable, though I still find this mechanism kind of awkward.\n" "\n" - "Right, the above change is almost right. \302\240Instead of preventing the\n" + "Right, the above change is almost right. Instead of preventing the\n" "kexec_load syscall based on CONFIG_KEXEC_VERIFY_SIG it should be based\n" - "on a runtime secure boot flag. \302\240Only if there is an arch specific\n" + "on a runtime secure boot flag. Only if there is an arch specific\n" "secure boot function and the secure boot flag is enabled, would the\n" "kexec_load be disabled.\n" "\n" @@ -82,4 +82,4 @@ "\n" Mimi -81e22f6a7d667582603b064aa77a7296a978875ec3ba15b78ba25b78649e32e9 +0177f89322f2dd54ef6bf1bfa0841109b8d315c26594db0b1cafab4c721f4c42
diff --git a/a/1.txt b/N2/1.txt index 5360b58..d1e93eb 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -26,7 +26,7 @@ On Fri, 2018-08-03 at 11:16 -0500, Seth Forshee wrote: > > > CONFIG_KEXEC_VERIFY_SIG is enabled, since it effectively renders that > > > option impotent? Or has that idea already been rejected? > > -> > Agreed! We can modify the "case LOADING_KEXEC_IMAGE" in +> > Agreed! ?We can modify the "case LOADING_KEXEC_IMAGE" in > > ima_load_data() to prevent the kexec_load based on > > CONFIG_KEXEC_VERIFY_SIG. > > @@ -44,9 +44,9 @@ On Fri, 2018-08-03 at 11:16 -0500, Seth Forshee wrote: > whether or not the kernel was booted under secure boot. That might be > reasonable, though I still find this mechanism kind of awkward. -Right, the above change is almost right. Instead of preventing the +Right, the above change is almost right. ?Instead of preventing the kexec_load syscall based on CONFIG_KEXEC_VERIFY_SIG it should be based -on a runtime secure boot flag. Only if there is an arch specific +on a runtime secure boot flag. ?Only if there is an arch specific secure boot function and the secure boot flag is enabled, would the kexec_load be disabled. @@ -63,3 +63,8 @@ methods, only if CONFIG_KEXEC_VERIFY_SIG is not enabled would an IMA architecture specific rule be defined. Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N2/content_digest index 292d338..00abb34 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -3,17 +3,10 @@ "ref\020180803131129.GS3001@ubuntu-xps13\0" "ref\01533308099.4337.424.camel@linux.ibm.com\0" "ref\020180803161636.GX3001@ubuntu-xps13\0" - "From\0Mimi Zohar <zohar@linux.ibm.com>\0" - "Subject\0Re: [PATCH 3/4] ima: add support for KEXEC_ORIG_KERNEL_CHECK\0" + "From\0zohar@linux.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH 3/4] ima: add support for KEXEC_ORIG_KERNEL_CHECK\0" "Date\0Fri, 03 Aug 2018 15:47:30 -0400\0" - "To\0Seth Forshee <seth.forshee@canonical.com>\0" - "Cc\0Eric Richter <erichte@linux.vnet.ibm.com>" - linux-integrity <linux-integrity@vger.kernel.org> - linux-security-module <linux-security-module@vger.kernel.org> - linux-efi <linux-efi@vger.kernel.org> - linux-kernel <linux-kernel@vger.kernel.org> - David Howells <dhowells@redhat.com> - " Justin Forbes <jforbes@redhat.com>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Fri, 2018-08-03 at 11:16 -0500, Seth Forshee wrote:\n" @@ -44,7 +37,7 @@ "> > > CONFIG_KEXEC_VERIFY_SIG is enabled, since it effectively renders that\n" "> > > option impotent? Or has that idea already been rejected?\n" "> > \n" - "> > Agreed! \302\240We can modify the \"case LOADING_KEXEC_IMAGE\" in\n" + "> > Agreed! ?We can modify the \"case LOADING_KEXEC_IMAGE\" in\n" "> > ima_load_data() to prevent the kexec_load based on\n" "> > CONFIG_KEXEC_VERIFY_SIG.\n" "> > \n" 
@@ -62,9 +55,9 @@ "> whether or not the kernel was booted under secure boot. That might be\n" "> reasonable, though I still find this mechanism kind of awkward.\n" "\n" - "Right, the above change is almost right. \302\240Instead of preventing the\n" + "Right, the above change is almost right. ?Instead of preventing the\n" "kexec_load syscall based on CONFIG_KEXEC_VERIFY_SIG it should be based\n" - "on a runtime secure boot flag. \302\240Only if there is an arch specific\n" + "on a runtime secure boot flag. ?Only if there is an arch specific\n" "secure boot function and the secure boot flag is enabled, would the\n" "kexec_load be disabled.\n" "\n" @@ -80,6 +73,11 @@ "methods, only if CONFIG_KEXEC_VERIFY_SIG is not enabled would an IMA\n" "architecture specific rule be defined.\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -81e22f6a7d667582603b064aa77a7296a978875ec3ba15b78ba25b78649e32e9 +6fc0d386a0ffe25ce97ecba77da88f5f4d6a2d934a63cbacf48f8e83bfb47bdf
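Review bot: the "?" after "Agreed!", "almost right." and "secure boot flag." in the N2 copy is a transcoding artifact, not message text: the content_digest hunks show the original carrying the bytes \302\240 (a UTF-8 no-break space) at exactly those positions, which N1 turns into a plain space and N2 turns into a literal "?". The N2 header hunk also drops the "Re:" from the Subject, rewrites the From line, and replaces the To/Cc list with the single list address, and its body gains the majordomo unsubscribe footer. When quoting this message, use the a/ or N1 copy so the wording and the original recipients are preserved.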