From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
Cc: James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>,
Pavel Machek <pavel-+ZI9xUNit7I@public.gmane.org>,
Chris Friesen
<chris.friesen-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>,
Eric Paris <eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org>,
Jiri Kosina <jkosina-AlSwsSmVLrQ@public.gmane.org>,
Oliver Neukum <oneukum-l3A5Bk7waGM@public.gmane.org>,
Alan Cox <alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>,
Josh Boyer <jwboyer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Sun, 04 Nov 2012 22:14:44 -0800 [thread overview]
Message-ID: <87d2zsmv8r.fsf@xmission.com> (raw)
In-Reply-To: <20121104135251.GA17894-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org> (Matthew Garrett's message of "Sun, 4 Nov 2012 13:52:51 +0000")
Matthew Garrett <mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org> writes:
> On Sun, Nov 04, 2012 at 09:14:47AM +0000, James Bottomley wrote:
>
>> I've actually had more than enough experience with automated installs
>> over my career: they're either done by paying someone or using a
>> provisioning system. In either case, they provision a static image and
>> boot environment description, including EFI boot services variables, so
>> you can provision a default MOK database if you want the ignition image
>> not to pause on firstboot.
>
> And now you've moved the attack vector to a copy of your provisioning
> system instead.
>
>> There is obviously the question of making the provisioning systems
>> secure, but it's a separate one from making boot secure.
>
> You don't get to punt on making the kernel secure by simply asserting
> that some other system can be secure instead. The chain of trust needs
> to go all the way back - if your security model is based on all installs
> needing a physically present end user, all installs need a physically
> present end user. That's not acceptable, so we need a different security
> model.
Bzzzt. Theory and reality disagreeing.
I have done a lot of automatic installs. At the very least someone has
to be present to apply power to the hardware. So someone being present
is not a requirement you can remove.
Furthermore in most cases an automatic install requires kicking the
system into network boot mode or into inserting an install cd. Both are
actions that require a user to be present.
The goal is to reduce what a user must do to a minimum to remove the
possibility of human error, not to reduce what must happen into
absurdity.
The other side is that a general purpose configuration of firmware
almost never is suitable for a general install. So either some small
amount of time must be spent fixing the BIOS settings or have an
appropriate set of BIOS settings come from your supplier.
In practice what I would expect of a UEFI system that ships ready for
automatic installs is a system that initiall boots up in "setup mode"
where it is possible to install your own platform signing key.
What I would expect to happen in that situation is that during the first
boot software would come over the network or from an install cd and
install my platform signing key. Then a bootloader signed with my key
would be installed, and then everything would chain from there.
In most cases where I would be setting up an automatic install I would
not install Microsoft's key, and I would definitely not sign my
bootloader with Microsoft's key. At most I would sign my own "key
install" with Microsoft's key.
Then in cases of automatic reinstallation my key would be in the
firmware and I could change my bootloader and my kernels at will
with no risk that some third party could do anything to the machine
unless they manged to get physical access.
If I was a distroy my key would that I would install by default would be
the distro's signing key. Although honestly I would still prefer a
solution where I could lock things down a little farther.
In any case the notion that unattended install with no user interaction
on any uefi machine in any state is complete and total rubbish. It
can't be done. You need power and you need boot media.
Eric
WARNING: multiple messages have this Message-ID (diff)
From: ebiederm@xmission.com (Eric W. Biederman)
To: Matthew Garrett <mjg59@srcf.ucam.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
Pavel Machek <pavel@ucw.cz>,
Chris Friesen <chris.friesen@genband.com>,
Eric Paris <eparis@parisplace.org>, Jiri Kosina <jkosina@suse.cz>,
Oliver Neukum <oneukum@suse.de>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Josh Boyer <jwboyer@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Sun, 04 Nov 2012 22:14:44 -0800 [thread overview]
Message-ID: <87d2zsmv8r.fsf@xmission.com> (raw)
In-Reply-To: <20121104135251.GA17894@srcf.ucam.org> (Matthew Garrett's message of "Sun, 4 Nov 2012 13:52:51 +0000")
Matthew Garrett <mjg59@srcf.ucam.org> writes:
> On Sun, Nov 04, 2012 at 09:14:47AM +0000, James Bottomley wrote:
>
>> I've actually had more than enough experience with automated installs
>> over my career: they're either done by paying someone or using a
>> provisioning system. In either case, they provision a static image and
>> boot environment description, including EFI boot services variables, so
>> you can provision a default MOK database if you want the ignition image
>> not to pause on firstboot.
>
> And now you've moved the attack vector to a copy of your provisioning
> system instead.
>
>> There is obviously the question of making the provisioning systems
>> secure, but it's a separate one from making boot secure.
>
> You don't get to punt on making the kernel secure by simply asserting
> that some other system can be secure instead. The chain of trust needs
> to go all the way back - if your security model is based on all installs
> needing a physically present end user, all installs need a physically
> present end user. That's not acceptable, so we need a different security
> model.
Bzzzt. Theory and reality disagreeing.
I have done a lot of automatic installs. At the very least someone has
to be present to apply power to the hardware. So someone being present
is not a requirement you can remove.
Furthermore in most cases an automatic install requires kicking the
system into network boot mode or into inserting an install cd. Both are
actions that require a user to be present.
The goal is to reduce what a user must do to a minimum to remove the
possibility of human error, not to reduce what must happen into
absurdity.
The other side is that a general purpose configuration of firmware
almost never is suitable for a general install. So either some small
amount of time must be spent fixing the BIOS settings or have an
appropriate set of BIOS settings come from your supplier.
In practice what I would expect of a UEFI system that ships ready for
automatic installs is a system that initiall boots up in "setup mode"
where it is possible to install your own platform signing key.
What I would expect to happen in that situation is that during the first
boot software would come over the network or from an install cd and
install my platform signing key. Then a bootloader signed with my key
would be installed, and then everything would chain from there.
In most cases where I would be setting up an automatic install I would
not install Microsoft's key, and I would definitely not sign my
bootloader with Microsoft's key. At most I would sign my own "key
install" with Microsoft's key.
Then in cases of automatic reinstallation my key would be in the
firmware and I could change my bootloader and my kernels at will
with no risk that some third party could do anything to the machine
unless they manged to get physical access.
If I was a distroy my key would that I would install by default would be
the distro's signing key. Although honestly I would still prefer a
solution where I could lock things down a little farther.
In any case the notion that unattended install with no user interaction
on any uefi machine in any state is complete and total rubbish. It
can't be done. You need power and you need boot media.
Eric
next prev parent reply other threads:[~2012-11-05 6:14 UTC|newest]
Thread overview: 320+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-20 14:40 [RFC] Second attempt at kernel secure boot support Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 01/10] Secure boot: Add new capability Matthew Garrett
2012-09-28 3:10 ` Serge Hallyn
[not found] ` <1348152065-31353-2-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-20 0:15 ` joeyli
2012-10-20 0:15 ` joeyli
2012-10-20 9:02 ` Matt Fleming
2012-09-20 14:40 ` [PATCH V2 02/10] PCI: Lock down BAR access in secure boot environments Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 03/10] x86: Lock down IO port " Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem in secure boot setups Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2012-09-20 16:32 ` Greg KH
2012-09-20 17:40 ` Josh Boyer
2012-09-25 13:08 ` [PATCH V3 " Josh Boyer
[not found] ` <20120925130818.GE18546-dHPIJuKSOV01V+h/cAXI7w8O6CCKKCg3HZ5vskTnxNA@public.gmane.org>
2012-10-29 9:00 ` joeyli
2012-10-29 9:00 ` joeyli
2012-10-30 17:48 ` Josh Boyer
2012-10-30 19:27 ` joeyli
2012-09-21 8:20 ` [PATCH V2 " joeyli
2012-09-28 3:20 ` Serge Hallyn
2012-09-20 14:41 ` [PATCH V2 08/10] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2012-09-28 3:21 ` Serge Hallyn
[not found] ` <1348152065-31353-9-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-22 13:22 ` Matt Fleming
2012-10-22 13:22 ` Matt Fleming
2012-09-20 14:41 ` [PATCH V2 09/10] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 10/10] SELinux: define mapping for new Secure Boot capability Matthew Garrett
2012-09-21 22:55 ` [RFC] Second attempt at kernel secure boot support Eric W. Biederman
2012-09-22 15:21 ` Matthew Garrett
[not found] ` <1348152065-31353-1-git-send-email-mjg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-10-29 7:49 ` Jiri Kosina
2012-10-29 7:49 ` Jiri Kosina
[not found] ` <alpine.LRH.2.00.1210290848450.10392-1ReQVI26iDCaZKY3DrU6dA@public.gmane.org>
2012-10-29 17:41 ` Matthew Garrett
2012-10-29 17:41 ` Matthew Garrett
2012-10-31 14:50 ` Jiri Kosina
2012-10-31 14:54 ` Josh Boyer
[not found] ` <CA+5PVA63EHiXbGAox+FmJPvztSj_i7QgnDG8vdj=p0xE+dqgGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-10-31 14:59 ` Shea Levy
2012-10-31 14:59 ` Shea Levy
2012-10-31 15:55 ` Alan Cox
2012-10-31 15:55 ` Alan Cox
[not found] ` <20121031155503.1aaf4c93-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 15:55 ` Jiri Kosina
2012-10-31 15:55 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1210311653080.12781-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-10-31 17:03 ` Alan Cox
2012-10-31 17:03 ` Alan Cox
[not found] ` <20121031170334.59833fb1-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:17 ` Alan Cox
2012-10-31 17:10 ` Matthew Garrett
2012-10-31 17:21 ` Alan Cox
[not found] ` <20121031172121.14cc1215-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:39 ` Alan Cox
2012-10-31 17:37 ` Matthew Garrett
[not found] ` <20121031173750.GB18615-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:45 ` Matthew Garrett
2012-10-31 20:14 ` Oliver Neukum
2012-10-31 21:58 ` Chris Friesen
[not found] ` <50919EED.3020601-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:19 ` Oliver Neukum
2012-11-01 9:08 ` James Bottomley
[not found] ` <1351760905.2391.19.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 9:20 ` Jiri Kosina
2012-11-01 9:20 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211011017230.6606-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-01 9:38 ` James Bottomley
2012-11-01 9:38 ` James Bottomley
[not found] ` <1351762703.2391.31.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:59 ` James Bottomley
2012-11-01 10:06 ` Jiri Kosina
[not found] ` <1351763954.2391.37.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:42 ` James Bottomley
[not found] ` <1351780935.2391.58.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 15:06 ` James Bottomley
[not found] ` <1351782390.2391.69.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 15:17 ` Eric Paris
2012-11-01 15:17 ` Eric Paris
2012-11-01 16:26 ` Matthew Garrett
2012-11-01 15:06 ` Alan Cox
[not found] ` <20121101150654.19efe0b5-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:40 ` Alan Cox
2012-11-01 14:59 ` Eric Paris
2012-11-01 15:11 ` Alan Cox
[not found] ` <CACLa4pvh3v3Mhq8oe3dzRL8ytBgmitPkCGUSfVCR5WdQopjRMQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-01 15:18 ` James Bottomley
2012-11-01 15:18 ` James Bottomley
[not found] ` <1351783096.2391.77.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-01 17:50 ` Eric Paris
2012-11-01 17:50 ` Eric Paris
2012-11-01 21:03 ` James Bottomley
2012-11-01 21:06 ` Matthew Garrett
2012-11-01 21:14 ` James Bottomley
2012-11-01 21:18 ` Matthew Garrett
2012-11-01 21:35 ` Alan Cox
2012-11-01 21:31 ` Alan Cox
2012-11-01 21:28 ` Matthew Garrett
[not found] ` <20121101212843.GA20309-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:34 ` Matthew Garrett
2012-11-01 21:58 ` Alan Cox
[not found] ` <20121101215817.79e50ec2-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-01 21:57 ` Matthew Garrett
2012-11-01 21:57 ` Matthew Garrett
[not found] ` <20121101215752.GA21154-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 14:00 ` Matthew Garrett
2012-11-02 22:03 ` Eric W. Biederman
[not found] ` <87liejacix.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-02 22:19 ` Chris Friesen
2012-11-02 22:19 ` Chris Friesen
2012-11-02 23:46 ` Alan Cox
2012-11-03 0:23 ` Matthew Garrett
2012-11-03 0:55 ` Alan Cox
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:47 ` Eric W. Biederman
2012-11-03 1:03 ` Alan Cox
2012-11-03 1:03 ` Alan Cox
[not found] ` <87sj8rwm0p.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 16:31 ` Alan Cox
2012-11-03 16:37 ` Matthew Garrett
2012-11-03 16:37 ` Eric Paris
[not found] ` <CACLa4pt3_Fc5fHKf=ihzV0zDb7zvCyzWp92YLakjGqL7MCaiEA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-03 16:42 ` Matthew Garrett
2012-11-03 16:42 ` Matthew Garrett
2012-11-02 17:19 ` Vivek Goyal
[not found] ` <CACLa4puzLR2om6SHw3wVnfZ1nezVsKOp8+705AdHZ4_=JamYfw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-01 14:46 ` Alan Cox
2012-11-01 14:46 ` Alan Cox
2012-11-01 15:04 ` Eric Paris
2012-11-01 20:27 ` Pavel Machek
2012-11-01 21:02 ` Chris Friesen
[not found] ` <5092E361.7080901-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-02 15:48 ` Vivek Goyal
2012-11-02 15:48 ` Vivek Goyal
[not found] ` <20121102154833.GG3300-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-11-02 16:54 ` Chris Friesen
2012-11-02 16:54 ` Chris Friesen
[not found] ` <5093FADA.2040004-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-02 17:03 ` Vivek Goyal
2012-11-02 17:03 ` Vivek Goyal
2012-11-03 23:09 ` Jiri Kosina
2012-11-03 23:09 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211040008280.24253-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-05 6:38 ` Eric W. Biederman
2012-11-05 6:38 ` Eric W. Biederman
[not found] ` <87390ok0zy.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 15:31 ` Jiri Kosina
2012-11-05 15:37 ` Chris Friesen
2012-11-05 18:22 ` Vivek Goyal
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:52 ` James Bottomley
[not found] ` <1351875164.2439.42.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 17:48 ` James Bottomley
2012-11-02 17:54 ` Matthew Garrett
[not found] ` <20121102175416.GA11816-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 17:57 ` James Bottomley
2012-11-02 17:57 ` James Bottomley
2012-11-02 18:04 ` Matthew Garrett
[not found] ` <20121102180458.GA12052-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 19:18 ` Eric Paris
2012-11-02 19:18 ` Eric Paris
2012-11-02 23:38 ` James Bottomley
2012-11-02 23:38 ` James Bottomley
2012-11-03 0:22 ` Matthew Garrett
2012-11-03 12:03 ` James Bottomley
2012-11-03 13:46 ` Matthew Garrett
[not found] ` <20121103134630.GA28166-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-03 22:56 ` James Bottomley
2012-11-03 22:56 ` James Bottomley
[not found] ` <1351983400.2417.21.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2012-11-04 4:28 ` Matthew Garrett
2012-11-04 4:28 ` Matthew Garrett
[not found] ` <20121104042802.GA11295-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-04 9:14 ` James Bottomley
2012-11-04 9:14 ` James Bottomley
2012-11-04 13:52 ` Matthew Garrett
[not found] ` <20121104135251.GA17894-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-05 6:14 ` Eric W. Biederman [this message]
2012-11-05 6:14 ` Eric W. Biederman
[not found] ` <87d2zsmv8r.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 7:12 ` H. Peter Anvin
2012-11-05 7:12 ` H. Peter Anvin
[not found] ` <509766DB.9090906-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2012-11-05 7:24 ` Eric W. Biederman
2012-11-05 7:24 ` Eric W. Biederman
[not found] ` <87625kh5r2.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 8:50 ` Eric W. Biederman
[not found] ` <87k3u0cu1k.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 12:38 ` Matthew Garrett
2012-11-05 12:38 ` Matthew Garrett
[not found] ` <20121105123858.GB4374-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-05 13:44 ` Alan Cox
2012-11-05 13:44 ` Alan Cox
[not found] ` <20121105134436.08993fd6-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 19:16 ` Eric W. Biederman
2012-11-05 19:16 ` Eric W. Biederman
[not found] ` <87sj8nc137.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-05 20:25 ` Matthew Garrett
2012-11-05 20:25 ` Matthew Garrett
2012-11-06 2:46 ` Eric W. Biederman
[not found] ` <87hap3zbw7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:36 ` Eric W. Biederman
2012-11-06 3:53 ` Matthew Garrett
[not found] ` <20121106035352.GA24698-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:34 ` Matthew Garrett
2012-11-06 7:56 ` Florian Weimer
2012-11-06 7:56 ` Florian Weimer
[not found] ` <878vafqi5q.fsf-ZqZwdwZz9NfTBotR3TxKnbNAH6kLmebB@public.gmane.org>
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:19 ` Jiri Kosina
[not found] ` <50992946.4060101-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org>
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:55 ` Matthew Garrett
2012-11-06 22:06 ` Florian Weimer
[not found] ` <87fw4mv11b.fsf-ZqZwdwZz9NfTBotR3TxKnbNAH6kLmebB@public.gmane.org>
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:49 ` Alan Cox
2012-11-06 22:47 ` Matthew Garrett
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A@mail.gmail.com>
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-07 14:55 ` Matthew Garrett
2012-11-07 14:55 ` Matthew Garrett
2012-11-08 10:18 ` James Courtier-Dutton
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A@mail.gmail.com>
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-08 11:19 ` Alan Cox
2012-11-08 11:19 ` Alan Cox
2012-11-06 9:12 ` Alan Cox
[not found] ` <20121106091217.4a5240f0-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 8:13 ` Valdis.Kletnieks
2012-11-05 8:20 ` James Bottomley
2012-11-05 8:20 ` James Bottomley
2012-11-05 12:36 ` Matthew Garrett
2012-11-05 12:36 ` Matthew Garrett
2012-11-04 11:53 ` Pavel Machek
2012-11-05 21:25 ` Florian Weimer
2012-11-02 14:55 ` Vivek Goyal
2012-11-01 10:12 ` Oliver Neukum
2012-11-01 10:12 ` Oliver Neukum
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 15:56 ` Matthew Garrett
[not found] ` <20121031155635.GA14294-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Shea Levy
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:10 ` Josh Boyer
2012-10-31 15:02 ` Matthew Garrett
2012-11-02 15:30 ` Vivek Goyal
2012-11-02 15:42 ` Matthew Garrett
[not found] ` <20121102154248.GA7681-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 16:22 ` Jiri Kosina
2012-11-02 18:30 ` Vivek Goyal
2012-11-02 16:35 ` Shuah Khan
[not found] ` <20121031150201.GA12394-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 15:05 ` Shea Levy
2012-10-31 15:05 ` Shea Levy
[not found] ` <50913E24.1010009-yfkUTty7RcRWk0Htik3J/w@public.gmane.org>
2012-10-31 15:09 ` Matthew Garrett
2012-10-31 15:09 ` Matthew Garrett
2012-11-06 12:51 ` Jiri Kosina
2012-11-06 12:51 ` Jiri Kosina
[not found] ` <alpine.LNX.2.00.1211061350100.24253-ztGlSCb7Y1iN3ZZ/Hiejyg@public.gmane.org>
2012-11-06 13:16 ` Matthew Garrett
2012-11-06 13:16 ` Matthew Garrett
[not found] ` <20121029174131.GC7580-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org>
2012-10-31 17:28 ` Takashi Iwai
2012-10-31 17:28 ` Takashi Iwai
[not found] ` <s5hobjia6vj.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:44 ` Alan Cox
2012-10-31 17:44 ` Matthew Garrett
2012-10-31 18:53 ` Takashi Iwai
2012-11-01 4:21 ` joeyli
2012-11-01 4:21 ` joeyli
[not found] ` <1351743715.21227.95.camel-ONCj+Eqt86TasUa73XJKwA@public.gmane.org>
2012-11-01 13:18 ` Alan Cox
2012-11-01 13:18 ` Alan Cox
[not found] ` <20121101131849.752df6fd-38n7/U1jhRXW96NNrWNlrekiAK3p4hvP@public.gmane.org>
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:18 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 1/4] scripts/sign-file: Allow specifying hash algorithm via -a option Takashi Iwai
2012-11-05 17:19 ` Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 2/4] scripts/sign-file: Support firmware signing Takashi Iwai
2012-11-05 17:20 ` [PATCH RFC 3/4] firmware: Add a signature check Takashi Iwai
2012-11-06 6:03 ` Mimi Zohar
2012-11-05 17:20 ` [PATCH RFC 4/4] firmware: Install signature files automatically Takashi Iwai
2012-11-05 18:12 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
[not found] ` <s5hhap49den.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-05 20:43 ` Josh Boyer
2012-11-05 20:43 ` Josh Boyer
2012-11-06 6:46 ` Takashi Iwai
2012-11-06 9:20 ` Alan Cox
2012-11-06 10:05 ` Takashi Iwai
2012-11-06 0:01 ` David Howells
2012-11-06 0:01 ` David Howells
2012-11-06 0:05 ` David Howells
[not found] ` <5839.1352160112-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 2:30 ` Ming Lei
2012-11-06 5:46 ` lee joey
[not found] ` <CACVXFVN8qPTgiYKXaeKFJXLXMjLE=+=8Vev2otD3v1VMk+Ez_w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:16 ` Ming Lei
2012-11-06 7:32 ` Takashi Iwai
[not found] ` <s5h4nl3i3u6.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:18 ` Takashi Iwai
2012-11-06 10:04 ` Ming Lei
2012-11-06 10:17 ` Takashi Iwai
2012-11-06 10:17 ` Takashi Iwai
[not found] ` <s5h4nl39gt9.wl%tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 11:03 ` Ming Lei
2012-11-06 11:15 ` Alan Cox
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ@mail.gmail.com>
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:30 ` Ming Lei
2012-11-08 17:35 ` [PATCH RFC v2 " Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 1/4] firmware: Add the firmware signing support to scripts/sign-file Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 2/4] firmware: Add -a option " Takashi Iwai
[not found] ` <1352396109-3989-3-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:51 ` joeyli
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 3/4] firmware: Add support for signature checks Takashi Iwai
[not found] ` <1352396109-3989-4-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:56 ` joeyli
2012-11-23 6:56 ` joeyli
2012-11-23 7:34 ` Takashi Iwai
2012-11-23 7:34 ` Takashi Iwai
[not found] ` <1352396109-3989-1-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-08 17:35 ` [PATCH RFC v2 4/4] firmware: Install firmware signature files automatically Takashi Iwai
2012-11-08 17:35 ` Takashi Iwai
[not found] ` <1352396109-3989-5-git-send-email-tiwai-l3A5Bk7waGM@public.gmane.org>
2012-11-23 6:52 ` joeyli
2012-11-23 6:52 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87d2zsmv8r.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=alan-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=chris.friesen-b7o/lNNmKxtBDgjK7y7TUQ@public.gmane.org \
--cc=eparis-FjpueFixGhCM4zKIHC2jIg@public.gmane.org \
--cc=jkosina-AlSwsSmVLrQ@public.gmane.org \
--cc=jwboyer-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
--cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=mjg59-1xO5oi07KQx4cg9Nei1l7Q@public.gmane.org \
--cc=oneukum-l3A5Bk7waGM@public.gmane.org \
--cc=pavel-+ZI9xUNit7I@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.