From: David Howells <dhowells@redhat.com>
To: James Morris <jmorris@namei.org>
Cc: dhowells@redhat.com, linux-kernel@vger.kernel.org,
gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org
Subject: Re: [PATCH 02/24] Add the ability to lock down access to the running kernel image
Date: Thu, 06 Apr 2017 11:43:20 +0100 [thread overview]
Message-ID: <32240.1491475400@warthog.procyon.org.uk> (raw)
In-Reply-To: <alpine.LRH.2.20.1704061840090.12226@namei.org>
James Morris <jmorris@namei.org> wrote:
> > +static __read_mostly bool kernel_locked_down;
>
> How about marking this __ro_after_init if ALLOW_LOCKDOWN_LIFT is not
> configured?
I guess lock_kernel_down() would need to be __init also in that case.
Also, the implementation of lift_kernel_lockdown() should be conditional on
CONFIG_ALLOW_LOCKDOWN_LIFT.
David
next prev parent reply other threads:[~2017-04-06 10:43 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-05 17:09 [PATCH 00/24] Kernel lockdown David Howells
2017-04-05 17:10 ` [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit David Howells
2017-04-05 17:10 ` [PATCH 02/24] Add the ability to lock down access to the running kernel image David Howells
[not found] ` <149141221365.31282.16276273075946694481.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-04-06 8:44 ` James Morris
2017-04-06 10:43 ` David Howells [this message]
[not found] ` <32240.1491475400-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-04-06 21:55 ` James Morris
[not found] ` <149141219387.31282.6648284836568938717.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-04-05 17:10 ` [PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode David Howells
2017-04-05 17:10 ` [PATCH 04/24] Enforce module signatures if the kernel is locked down David Howells
2017-04-05 17:11 ` [PATCH 10/24] hibernate: Disable when " David Howells
2017-04-05 17:12 ` [PATCH 16/24] ACPI: Limit access to custom_method " David Howells
2017-04-05 17:12 ` [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-04-05 19:57 ` [PATCH 00/24] Kernel lockdown David Howells
2017-04-06 8:25 ` James Morris
2017-04-05 17:10 ` [PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is locked down David Howells
2017-04-05 17:10 ` [PATCH 06/24] Add a sysrq option to exit secure boot mode David Howells
2017-04-05 17:10 ` [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down David Howells
2017-04-05 17:11 ` [PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-04-05 17:11 ` [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-04-05 17:11 ` [PATCH 11/24] uswsusp: Disable when the kernel is locked down David Howells
2017-04-05 17:11 ` [PATCH 12/24] PCI: Lock down BAR access " David Howells
2017-04-05 17:11 ` [PATCH 13/24] x86: Lock down IO port " David Howells
2017-04-05 17:12 ` [PATCH 14/24] x86: Restrict MSR " David Howells
[not found] ` <149141232449.31282.15045536717220570492.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-04-05 17:34 ` Kees Cook
2017-04-05 17:12 ` [PATCH 15/24] asus-wmi: Restrict debugfs interface " David Howells
2017-04-05 17:12 ` [PATCH 18/24] acpi: Disable ACPI table override if " David Howells
2017-04-05 17:12 ` [PATCH 19/24] acpi: Disable APEI error injection " David Howells
[not found] ` <alpine.LRH.2.20.1704061823520.12226-gx6/JNMH7DfYtjvyW6yDsg@public.gmane.org>
2017-04-06 8:37 ` [PATCH 00/24] Kernel lockdown David Howells
-- strict thread matches above, loose matches on Subject: below --
2017-04-05 20:14 David Howells
[not found] ` <149142326734.5101.4596394505987813763.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2017-04-05 20:14 ` [PATCH 02/24] Add the ability to lock down access to the running kernel image David Howells
2017-04-05 17:07 [PATCH 00/24] Kernel lockdown David Howells
2017-04-05 17:07 ` [PATCH 02/24] Add the ability to lock down access to the running kernel image David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=32240.1491475400@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox