Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image

[PATCH 00/24] security: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Miguel Ojeda <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Greg KH <gregkh@linuxfoundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Jordan Glover <hidden> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-11
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Justin Forbes <hidden> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Linus Torvalds <torvalds@linux-foundation.org> · 2018-04-12
Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image · Andy Lutomirski <luto@amacapital.net> · 2018-04-12
[PATCH 02/24] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Jann Horn <jannh@google.com> · 2018-04-11
Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown · Pavel Machek <hidden> · 2018-04-13
[PATCH 03/24] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 05/24] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 06/24] kexec_load: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-22
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Rafael J. Wysocki <hidden> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2018-04-26
Re: [PATCH 07/24] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2018-05-23
[PATCH 08/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 09/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 10/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 11/24] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 12/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 13/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 14/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 15/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 16/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 17/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 18/24] Lock down module params that specify hardware parameters (eg. ioport) · Randy Dunlap <hidden> · 2018-04-11
[PATCH 19/24] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 20/24] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 21/24] Lock down kprobes · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 22/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 23/24] Lock down perf · David Howells <dhowells@redhat.com> · 2018-04-11
[PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Randy Dunlap <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-11
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Greg KH <hidden> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Andy Lutomirski <luto@kernel.org> · 2018-04-12
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-04-13
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-04-19
Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down · Pavel Machek <hidden> · 2018-05-10

From: Linus Torvalds <torvalds@linux-foundation.org>
Date: 2018-04-12 16:53:00
Also in: linux-man, linux-security-module, lkml

On Thu, Apr 12, 2018 at 6:09 AM, Justin Forbes [off-list ref] wrote:

On Wed, Apr 11, 2018, 5:38 PM Linus Torvalds
[off-list ref] wrote:

quoted

So it's really the whole claim that distributions have been running
for this for the last five years that I wonder about, and how often
people end up being told: "just disable secure boot":.

Very rarely in my experience.

Good. Do you have a handle on the reasons?

Because I'm assuming it's not /dev/{mem,kmem,port}? Because I'd really
be happier if we just say "those are legacy, don't enable them at all
for modern distros".

That way they'd _stay_ disabled even if somebody cannot handle the
other limitations, like DMA etc.

                 Linus

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help