From: Vojtech Pavlik <vojtech@suse.cz>
To: Balbir Singh <bsingharora@gmail.com>
Cc: Jiri Kosina <jkosina@suse.cz>,
	Seth Jennings <sjenning@redhat.com>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Steven Rostedt <rostedt@goodmis.org>,
	Petr Mladek <pmladek@suse.cz>, Miroslav Benes <mbenes@suse.cz>,
	Christoph Hellwig <hch@infradead.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com>,
	live-patching@vger.kernel.org, x86@kernel.org, kpatch@redhat.com,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCHv7 0/3] Kernel Live Patching
Date: Wed, 17 Dec 2014 13:40:58 +0100
Message-ID: <20141217124058.GC2433@suse.cz>
In-Reply-To: <CAKTCnz=tA9LyGpOvM9LyBp+oBDTsW6t+=2C80On+-ysfRBpDqg@mail.gmail.com>

On Wed, Dec 17, 2014 at 01:22:21PM +0530, Balbir Singh wrote:
> On Wed, Dec 17, 2014 at 12:16 PM, Jiri Kosina <jkosina@suse.cz> wrote:
> > On Wed, 17 Dec 2014, Balbir Singh wrote:
> >
> >> >> Could you describe what this does to signing? I presume the patched
> >> >> module should cause a taint on module signing?
> >> >
> >> > Hmm, why should it?
> >>
> >> I wanted to clarify it from a different perspective
> >>
> >> If the base image is signed by X and the patched module is signed by
> >> Y, is that supported? What does it imply in the case of live-patching?
> >
> > Why should that matter? Both are signed by keys that the kernel is configured
> > to trust, which makes them equal (even though they are technically
> > different).
> >
> 
> I am not sure they are equal, others can comment

Since any loaded kernel module can do virtually anything on a machine,
there can only be one level of trust. As such, all trusted keys are
equally trusted.

-- 
Vojtech Pavlik
Director SUSE Labs
