[PATCH 3/5] Add the ability to lock down access to the running kernel image

[PATCH 0/5] security, efi: Set lockdown if in secure boot mode · David Howells <dhowells@redhat.com> · 2017-05-24
[PATCH 1/5] efi: Move the x86 secure boot switch to generic code · David Howells <dhowells@redhat.com> · 2017-05-24
Re: [PATCH 1/5] efi: Move the x86 secure boot switch to generic code · joeyli <jlee@suse.com> · 2017-05-26
[PATCH 2/5] efi: Add EFI_SECURE_BOOT bit · David Howells <dhowells@redhat.com> · 2017-05-24
Re: [PATCH 2/5] efi: Add EFI_SECURE_BOOT bit · joeyli <jlee@suse.com> · 2017-05-26
[PATCH 3/5] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-05-24
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · Casey Schaufler <casey@schaufler-ca.com> · 2017-05-24
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-05-25
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · Casey Schaufler <casey@schaufler-ca.com> · 2017-05-25
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-05-26
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · joeyli <jlee@suse.com> · 2017-05-26
Re: [PATCH 3/5] Add the ability to lock down access to the running kernel image · joeyli <jlee@suse.com> · 2017-05-26
[PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-05-24
Re: [PATCH 4/5] efi: Lock down the kernel if booted in secure boot mode · joeyli <jlee@suse.com> · 2017-05-26
[PATCH 5/5] Add a sysrq option to exit secure boot mode · David Howells <dhowells@redhat.com> · 2017-05-24
Re: [PATCH 5/5] Add a sysrq option to exit secure boot mode · joeyli <jlee@suse.com> · 2017-05-27
Re: [PATCH 5/5] Add a sysrq option to exit secure boot mode · James Morris <jmorris@namei.org> · 2017-05-30
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · Ard Biesheuvel <hidden> · 2017-05-30
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · David Howells <dhowells@redhat.com> · 2017-05-31
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · Ard Biesheuvel <hidden> · 2017-05-31
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · David Howells <dhowells@redhat.com> · 2017-05-31
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · Ard Biesheuvel <hidden> · 2017-05-31
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · David Howells <dhowells@redhat.com> · 2017-06-06
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · Ard Biesheuvel <hidden> · 2017-06-09
Re: [PATCH 0/5] security, efi: Set lockdown if in secure boot mode · Kees Cook <hidden> · 2017-06-09

From: dhowells@redhat.com (David Howells)
Date: 2017-05-26 12:43:19
Also in: linux-efi, lkml

Casey Schaufler [off-list ref] wrote:

You called out five distinct features in 0/5, so how about
a bit for each of those?

Actually, there are more than five in that list - there are three in the first
item - and I'm not sure the remaining categories are quite as well defined as
I made it seem.

Also, that sort of categorisation might not be what we actually need: it might
end up coming down to a no-write vs no-read-or-write split instead.

Actually, I don't care which way you go. The current code works
for me. I am just concerned that the granularity fiends might come
around later.

In that case, I'll leave it as is for the moment.  It doesn't introduce so
many calls that they're impossible to change.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help