Re: [PATCH 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions

linux-efi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Geert Uytterhoeven <geert-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org>
To: Matthew Garrett
	<matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
Cc: "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
	<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
	linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	Josh Boyer <jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Subject: Re: [PATCH 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions
Date: Sun, 1 Sep 2013 10:52:45 +0200	[thread overview]
Message-ID: <CAMuHMdVPAEQn8wmNnagPpy45OSSzvjX-LUDx8G8eWiOFh=4sSw@mail.gmail.com> (raw)
In-Reply-To: <1376928619-3775-8-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>

On Mon, Aug 19, 2013 at 6:10 PM, Matthew Garrett
<matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org> wrote:
> kexec permits the loading and execution of arbitrary code in ring 0, which
> is something that module signing enforcement is meant to prevent. It makes
> sense to disable kexec in this situation.

Any plans for signed kexec code?

Gr{oetje,eeting}s,

                        Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert-Td1EMuHUCqxL1ZNQvxDV9g@public.gmane.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds

next prev parent reply	other threads:[~2013-09-01  8:52 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-08-19 16:10 [PATCH 01/10] Add secure_modules() call Matthew Garrett
2013-08-19 16:10 ` [PATCH 02/10] PCI: Lock down BAR access when module security is enabled Matthew Garrett
     [not found] ` <1376928619-3775-1-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-19 16:10   ` [PATCH 03/10] x86: Lock down IO port " Matthew Garrett
2013-08-19 16:10   ` [PATCH 04/10] ACPI: Limit access to custom_method Matthew Garrett
     [not found]     ` <1376928619-3775-4-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-29 17:58       ` Lenny Szubowicz
2013-08-19 16:10   ` [PATCH 10/10] Add option to automatically enforce module signatures when in Secure Boot mode Matthew Garrett
2013-08-19 16:10 ` [PATCH 05/10] asus-wmi: Restrict debugfs interface when module loading is restricted Matthew Garrett
     [not found]   ` <1376928619-3775-5-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-08-19 16:20     ` Kees Cook
     [not found]       ` <CAGXu5jJtvVx76ZZrk+s4KwopT-ocZcMbwWNM1ELxH4crm=QGLw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-19 17:15         ` Matthew Garrett
2013-08-29 18:22     ` H. Peter Anvin
2013-08-29 18:35       ` Matthew Garrett
2013-08-29 18:46         ` H. Peter Anvin
     [not found]           ` <521F9708.6040902-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2013-08-29 18:49             ` Matthew Garrett
2013-08-29 19:05               ` H. Peter Anvin
     [not found]                 ` <521F9B8B.6090300-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org>
2013-08-29 19:07                   ` Matthew Garrett
2013-08-29 19:28                   ` Josh Boyer
2013-08-19 16:10 ` [PATCH 06/10] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2013-08-19 16:10 ` [PATCH 07/10] acpi: Ignore acpi_rsdp kernel parameter " Matthew Garrett
2013-08-19 16:10 ` [PATCH 08/10] kexec: Disable at runtime if the kernel enforces module loading restrictions Matthew Garrett
     [not found]   ` <1376928619-3775-8-git-send-email-matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org>
2013-09-01  8:52     ` Geert Uytterhoeven [this message]
2013-08-19 16:10 ` [PATCH 09/10] x86: Restrict MSR access when module loading is restricted Matthew Garrett

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAMuHMdVPAEQn8wmNnagPpy45OSSzvjX-LUDx8G8eWiOFh=4sSw@mail.gmail.com' \
    --to=geert-td1emuhucqxl1znqvxdv9g@public.gmane.org \
    --cc=jwboyer-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org \
    --cc=linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).