From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: Matthew Garrett <mjg59@srcf.ucam.org>,
linux-efi@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk,
gregkh@linuxfoundation.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org, Chun-Yi Lee <jlee@suse.com>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
matthew.garrett@nebula.com, Dave Young <dyoung@redhat.com>
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Date: Tue, 02 May 2017 15:01:22 -0400 [thread overview]
Message-ID: <1493751682.3680.11.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <13679.1491830392@warthog.procyon.org.uk>
Hi David,
On Mon, 2017-04-10 at 14:19 +0100, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > From an IMA perspective, either a file hash or signature are valid,
> > but for this usage it must be a signature.
>
> Not necessarily. If IMA can guarantee that a module is the same based on its
> hash rather than on a key, I would've thought that should be fine.
File hashes can be modified on the running system, so they're normally
used, in conjunction with EVM, to detect off line modification of
mutable files and prevent their usage.
These patches https://lkml.org/lkml/2017/5/2/465 should provide some
of the missing functionality.
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
prev parent reply other threads:[~2017-05-02 19:02 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
2017-04-05 20:15 ` [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down David Howells
2017-04-07 3:07 ` Dave Young
2017-04-05 20:15 ` [PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-04-05 20:15 ` [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-04-07 3:05 ` Dave Young
2017-04-07 3:49 ` Mimi Zohar
2017-04-07 6:19 ` Dave Young
2017-04-07 7:07 ` David Howells
2017-04-07 7:41 ` Dave Young
2017-04-07 8:28 ` Mimi Zohar
2017-04-07 8:42 ` Dave Young
2017-04-07 7:45 ` Mimi Zohar
2017-04-07 8:01 ` Dave Young
2017-04-07 7:09 ` David Howells
2017-04-07 7:46 ` Mimi Zohar
2017-04-07 9:17 ` David Howells
2017-04-07 12:36 ` Mimi Zohar
2017-04-10 13:19 ` David Howells
2017-05-02 19:01 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493751682.3680.11.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jlee@suse.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=mjg59@srcf.ucam.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox