From: Jean Delvare <jdelvare@suse.de>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>, Thomas <trenn@suse.de>,
LKML <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>
Subject: Re: /dev/mem and secure boot
Date: Mon, 9 Sep 2019 15:09:57 +0200 [thread overview]
Message-ID: <20190909150957.12abe684@endymion> (raw)
In-Reply-To: <20190906121510.GA17328@kroah.com>
Hi Greg,
On Fri, 6 Sep 2019 14:15:10 +0200, Greg Kroah-Hartman wrote:
> On Fri, Sep 06, 2019 at 01:02:21PM +0200, Jean Delvare wrote:
> > I've been bitten recently by mcelog not working on machines started in
> > secure boot mode. mcelog tries to read DMI information from /dev/mem
> > and fails to open it.
>
> What do you mean by "secure boot"? Is this matthew's patchset that
> restricts /dev/mem/ or something else?
I mean that early in the kernel log is:
Secure boot enabled and kernel locked down
Digging it up, I found that this comes from a patch in our SLES kernel,
that's not upstream (yet). It is from a patch set by David Howells
(Cc'd) posted in April 2017:
https://patchwork.kernel.org/patch/9665591/
https://patchwork.kernel.org/patch/9665015/
I wrongly assumed it had been merged upstream meanwhile but I was
wrong. David, any reason why this didn't happen? Out of curiosity, are
these patches in RHEL kernels?
> > This made me wonder: if not even root can read /dev/mem (nor, I
> > suppose, /dev/kmem and /dev/port) in secure boot mode, why are we
> > creating these device nodes at all in the first place? Can't we detect
> > that we are in secure boot mode and skip that step, and reap the rewards
> > (faster boot, lower memory footprint and less confusion)?
>
> Sure, feel free to not register it at all if the mode is enabled.
Now I feel sorry that I asked my question upstream when there's nothing
to be done there. I'll go bother SUSE kernel folks instead, sorry for
the noise. And thanks for the advice.
--
Jean Delvare
SUSE L3 Support
next prev parent reply other threads:[~2019-09-09 13:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-06 11:02 /dev/mem and secure boot Jean Delvare
2019-09-06 12:15 ` Greg Kroah-Hartman
2019-09-06 15:07 ` Jean Delvare
2019-09-06 15:08 ` Jean Delvare
2019-09-09 13:09 ` Jean Delvare [this message]
2019-09-12 10:44 ` Thomas Renninger
2019-09-16 9:38 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190909150957.12abe684@endymion \
--to=jdelvare@suse.de \
--cc=arnd@arndb.de \
--cc=dhowells@redhat.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=trenn@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.