From: Dan Carpenter <dan.carpenter@oracle.com>
To: Matthew Garrett <matthew.garrett@nebula.com>
Cc: linux-security-module@vger.kernel.org, james.l.morris@oracle.com,
serge@hallyn.com, linux-kernel@vger.kernel.org,
keescook@chromium.org, hpa@zytor.com, gnomes@lxorguk.ukuu.org.uk
Subject: Re: [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode
Date: Wed, 22 Apr 2015 14:36:54 +0300 [thread overview]
Message-ID: <20150422113654.GA12986@mwanda> (raw)
In-Reply-To: <1426282708-21485-13-git-send-email-matthew.garrett@nebula.com>
On Fri, Mar 13, 2015 at 11:38:28AM -1000, Matthew Garrett wrote:
> UEFI Secure Boot provides a mechanism for ensuring that the firmware will
> only load signed bootloaders and kernels. Certain use cases may also
> require that the kernel prevent userspace from inserting untrusted kernel
> code at runtime. Add a configuration option that enforces this automatically
> when enabled.
>
> Signed-off-by: Matthew Garrett <matthew.garrett@nebula.com>
> ---
> Documentation/x86/zero-page.txt | 2 ++
> arch/x86/Kconfig | 13 +++++++++++++
> arch/x86/boot/compressed/eboot.c | 33 +++++++++++++++++++++++++++++++++
> arch/x86/include/uapi/asm/bootparam.h | 3 ++-
> arch/x86/kernel/setup.c | 6 ++++++
> 5 files changed, 56 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt
> index 82fbdbc..a811210 100644
> --- a/Documentation/x86/zero-page.txt
> +++ b/Documentation/x86/zero-page.txt
> @@ -30,6 +30,8 @@ Offset Proto Name Meaning
> 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below)
> 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer
> (below)
> +1EB/001 ALL kbd_status Numlock is enabled
This line looks like it was included by mistake?
> +1EC/001 ALL secure_boot Secure boot is enabled in the firmware
regards,
dan carpenter
next prev parent reply other threads:[~2015-04-22 11:37 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-13 21:38 Trusted kernel patchset Matthew Garrett
2015-03-13 21:38 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2015-03-13 21:38 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2015-03-13 21:38 ` [PATCH 03/12] PCI: Lock down register access when trusted_kernel is true Matthew Garrett
2015-03-13 21:38 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2015-03-13 21:38 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2015-03-13 21:38 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2015-03-13 21:38 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2015-03-13 21:38 ` [PATCH 08/12] kexec: Disable loading of unverified images Matthew Garrett
2015-03-13 21:38 ` [PATCH 09/12] uswsusp: Disable when trusted_kernel is true Matthew Garrett
2015-03-16 21:36 ` Kees Cook
2015-03-16 21:40 ` Matthew Garrett
2015-03-13 21:38 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2015-03-13 21:38 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2015-03-13 21:38 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2015-04-22 11:36 ` Dan Carpenter [this message]
2015-03-15 1:53 ` Trusted kernel patchset Matthew Garrett
2015-03-16 14:45 ` One Thousand Gnomes
2015-03-16 18:15 ` Matthew Garrett
2015-03-16 20:07 ` One Thousand Gnomes
2015-03-16 20:35 ` David Lang
2015-03-16 20:57 ` One Thousand Gnomes
2015-03-16 21:11 ` Matthew Garrett
2015-03-16 21:29 ` Kees Cook
2015-03-17 17:48 ` One Thousand Gnomes
2015-03-17 20:22 ` Simon McVittie
2015-03-17 20:42 ` Matthew Garrett
2015-03-18 11:34 ` Simon McVittie
2015-03-16 21:54 ` Jiri Kosina
2015-03-18 13:24 ` joeyli
-- strict thread matches above, loose matches on Subject: below --
2014-02-26 20:11 Trusted kernel patchset for Secure Boot lockdown Matthew Garrett
2014-02-26 20:11 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2014-02-26 22:41 ` One Thousand Gnomes
2014-02-26 22:47 ` H. Peter Anvin
2014-02-26 22:48 ` Matthew Garrett
2014-02-27 18:48 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150422113654.GA12986@mwanda \
--to=dan.carpenter@oracle.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=hpa@zytor.com \
--cc=james.l.morris@oracle.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox