[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[PATCH 00/24] Kernel lockdown · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · Ard Biesheuvel <hidden> · 2017-04-06
Re: [PATCH 01/24] efi: Add EFI_SECURE_BOOT bit · David Howells <dhowells@redhat.com> · 2017-04-06
[PATCH 02/24] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 03/24] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 05/24] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 06/24] Add a sysrq option to exit secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Thomas Gleixner <hidden> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Ard Biesheuvel <hidden> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · David Howells <dhowells@redhat.com> · 2017-04-14
Re: [PATCH 06/24] Add a sysrq option to exit secure boot mode · Matt Fleming <hidden> · 2017-04-16
[PATCH 08/24] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 07/24] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 07/24] kexec: Disable at runtime if the kernel is locked down · Dave Young <hidden> · 2017-04-07
[PATCH 10/24] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-05
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · Oliver Neukum <oneukum@suse.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · Jiri Kosina <jikos@kernel.org> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · poma <hidden> · 2017-04-08
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-04-12
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-06
Re: [PATCH 11/24] uswsusp: Disable when the kernel is locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
[PATCH 13/24] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 13/24] x86: Lock down IO port access when the kernel is locked down · Thomas Gleixner <hidden> · 2017-04-14
[PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 12/24] PCI: Lock down BAR access when the kernel is locked down · Bjorn Helgaas <helgaas@kernel.org> · 2017-04-18
[PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-07
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-09
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-10
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Andy Shevchenko <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-18
Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down · Ben Hutchings <hidden> · 2017-04-18
[PATCH 16/24] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 19/24] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-04-06
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · Ard Biesheuvel <hidden> · 2017-04-06
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-13
Re: [PATCH 20/24] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-04-12
[PATCH 21/24] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 23/24] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 22/24] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 24/24] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 18/24] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
[PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · "Rafael J. Wysocki" <rafael@kernel.org> · 2017-04-06
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Dave Young <hidden> · 2017-04-07
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 17/24] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Dave Young <hidden> · 2017-04-07
[PATCH 14/24] x86: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 14/24] x86: Restrict MSR access when the kernel is locked down · Thomas Gleixner <hidden> · 2017-04-14
[PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Dave Young <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-04-07
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-04-10
Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-05-02
[PATCH 04/24] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-04-05
Re: [PATCH 00/24] Kernel lockdown · Austin S. Hemmelgarn <hidden> · 2017-04-07
Re: [PATCH 00/24] Kernel lockdown · Justin Forbes <hidden> · 2017-04-07
Why kernel lockdown? · David Howells <dhowells@redhat.com> · 2017-04-10

From: dhowells@redhat.com (David Howells)
Date: 2017-04-10 13:20:02
Also in: kexec, linux-efi, lkml

Mimi Zohar [off-list ref] wrote:

From an IMA perspective, either a file hash or signature are valid,
but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help