public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Josh Boyer <jwboyer@fedoraproject.org>
Cc: Matthew Garrett <matthew.garrett@nebula.com>,
	"Linux-Kernel@Vger. Kernel. Org" <linux-kernel@vger.kernel.org>,
	Kees Cook <keescook@chromium.org>,
	"H. Peter Anvin" <hpa@zytor.com>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	James Morris <jmorris@namei.org>,
	linux-security-module <linux-security-module@vger.kernel.org>
Subject: Re: Trusted kernel patchset for Secure Boot lockdown
Date: Thu, 27 Feb 2014 11:07:10 -0800	[thread overview]
Message-ID: <20140227190710.GA4755@kroah.com> (raw)
In-Reply-To: <CA+5PVA4RSh3hzJxEjpzHPj8w3uPoEzfg7ySWjB=6RUhAKJTudQ@mail.gmail.com>

On Thu, Feb 27, 2014 at 01:04:34PM -0500, Josh Boyer wrote:
> On Wed, Feb 26, 2014 at 3:11 PM, Matthew Garrett
> <matthew.garrett@nebula.com> wrote:
> > The conclusion we came to at Plumbers was that this patchset was basically
> > fine but that Linus hated the name "securelevel" more than I hate pickled
> > herring, so after thinking about this for a few months I've come up with
> > "Trusted Kernel". This flag indicates that the kernel is, via some
> > external mechanism, trusted and should behave that way. If firmware has
> > some way to verify the kernel, it can pass that information on. If userspace
> > has some way to verify the kernel, it can set the flag itself. However,
> > userspace should not attempt to use the flag as a means to verify that the
> > kernel was trusted - untrusted userspace could have set it on an untrusted
> > kernel, but by the same metric an untrusted kernel could just set it itself.
> 
> FWIW, I've been running a kernel using this patchset in place of the
> patchset Fedora typically carries for this purpose for a bit.  Things
> appear to be working as expected and the protections remain the same.
> 
> It would be really nice to get this set of patches in so some of the
> other patches that depend on them can start being pushed as well.

What other patches depend on this series?  Why aren't they also in this
series?

thanks,

greg k-h

  reply	other threads:[~2014-02-27 19:05 UTC|newest]

Thread overview: 72+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2014-02-27 19:02   ` Kees Cook
2014-03-31 14:49   ` Pavel Machek
2014-02-26 20:11 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2014-02-26 20:11 ` [PATCH 03/12] PCI: Lock down BAR access when trusted_kernel is true Matthew Garrett
2014-02-26 20:11 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2014-02-26 20:11 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2014-02-26 20:11 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2014-02-26 20:11 ` [PATCH 08/12] kexec: Disable at runtime if " Matthew Garrett
2014-02-26 20:11 ` [PATCH 09/12] uswsusp: Disable when " Matthew Garrett
2014-03-31 14:49   ` Pavel Machek
2014-02-26 20:11 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2014-02-26 20:11 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 22:41   ` One Thousand Gnomes
2014-02-26 22:47     ` H. Peter Anvin
2014-02-26 22:48     ` Matthew Garrett
2014-02-27 18:48       ` Kees Cook
2014-02-26 21:11 ` Trusted kernel patchset for Secure Boot lockdown Kees Cook
2014-02-26 22:21   ` One Thousand Gnomes
2014-03-19 17:42     ` Florian Weimer
2014-02-27 18:04 ` Josh Boyer
2014-02-27 19:07   ` Greg KH [this message]
2014-02-27 19:11     ` Josh Boyer
2014-02-28 12:50       ` Josh Boyer
2014-02-28  3:03   ` James Morris
2014-02-28  4:52     ` Matthew Garrett
2014-03-13  5:01     ` Matthew Garrett
2014-03-13  6:22       ` Kees Cook
2014-03-13  9:33         ` James Morris
2014-03-13 10:12           ` One Thousand Gnomes
2014-03-13 15:54             ` H. Peter Anvin
2014-03-13 15:59           ` Matthew Garrett
2014-03-13 21:24             ` One Thousand Gnomes
2014-03-13 21:28               ` H. Peter Anvin
2014-03-13 21:32                 ` Matthew Garrett
2014-03-13 21:30               ` Matthew Garrett
2014-03-13 23:21                 ` One Thousand Gnomes
2014-03-14  1:57                   ` Matthew Garrett
2014-03-14 12:22                     ` One Thousand Gnomes
2014-03-14 12:51                       ` Matthew Garrett
2014-03-14 15:23                         ` Kees Cook
2014-03-14 15:46                           ` Matthew Garrett
2014-03-14 15:54                             ` Kees Cook
2014-03-14 15:58                               ` Matthew Garrett
2014-03-14 16:28                           ` One Thousand Gnomes
2014-03-14 17:06                         ` One Thousand Gnomes
2014-03-14 18:11                           ` Matthew Garrett
2014-03-14 19:24                             ` Matthew Garrett
2014-03-14 20:37                               ` David Lang
2014-03-14 20:43                                 ` Matthew Garrett
2014-03-14 21:58                               ` One Thousand Gnomes
2014-03-14 22:04                                 ` Matthew Garrett
2014-03-14 21:48                             ` One Thousand Gnomes
2014-03-14 21:56                               ` Matthew Garrett
2014-03-14 22:08                                 ` One Thousand Gnomes
2014-03-14 22:15                                   ` Matthew Garrett
2014-03-14 22:31                                     ` One Thousand Gnomes
2014-03-14 22:52                                       ` Matthew Garrett
2014-03-19 19:50                                       ` Kees Cook
2014-03-14 23:18                                   ` Theodore Ts'o
2014-03-15  0:15                                     ` One Thousand Gnomes
2014-03-19 17:49                                     ` Florian Weimer
2014-03-19 20:16                                     ` Kees Cook
2014-03-20 14:47                                       ` One Thousand Gnomes
2014-03-20 14:55                                       ` tytso
2014-03-20 17:12                                         ` Matthew Garrett
2014-03-20 18:13                                           ` One Thousand Gnomes
2014-03-13 21:26             ` One Thousand Gnomes
2014-03-13 21:31               ` Matthew Garrett

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140227190710.GA4755@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=hpa@zytor.com \
    --cc=jmorris@namei.org \
    --cc=jwboyer@fedoraproject.org \
    --cc=keescook@chromium.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=matthew.garrett@nebula.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox