Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown

[PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 01/27] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 01/27] Add the ability to lock down access to the running kernel image · James Morris <hidden> · 2017-10-20
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Randy Dunlap <hidden> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · Thiago Jung Bauermann <hidden> · 2017-11-07
Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-07
[PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 03/27] Enforce module signatures if the kernel is locked down · Mimi Zohar <hidden> · 2017-11-02
[PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · James Morris <hidden> · 2017-10-20
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · Ethan Zhao <hidden> · 2017-10-24
Re: [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-24
[PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 05/27] kexec: Disable at runtime if the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · James Morris <hidden> · 2017-10-20
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-23
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-27
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · joeyli <jlee@suse.com> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-29
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-28
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · Mimi Zohar <hidden> · 2017-10-30
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-10-26
Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set · David Howells <dhowells@redhat.com> · 2017-11-02
[PATCH 08/27] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 08/27] hibernate: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 09/27] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 09/27] uswsusp: Disable when the kernel is locked down · James Morris <hidden> · 2017-10-20
[PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 10/27] PCI: Lock down BAR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 11/27] x86: Lock down IO port access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · Alan Cox <hidden> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-21
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 12/27] x86/msr: Restrict MSR access when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 13/27] asus-wmi: Restrict debugfs interface when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
[PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · Alexei Starovoitov <hidden> · 2017-10-19
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · jlee@suse.com · 2017-10-20
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-23
Re: [PATCH 18/27] bpf: Restrict kernel image access functions when the kernel is locked down · joeyli <jlee@suse.com> · 2017-10-25
[PATCH 19/27] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 21/27] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-10-19
[PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 25/27] Lock down /proc/kcore · James Morris <hidden> · 2017-10-21
Re: [PATCH 25/27] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · James Morris <hidden> · 2017-10-21
Re: [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-23
[PATCH 27/27] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-10-19
Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-02
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · AKASHI, Takahiro <hidden> · 2017-11-09
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-11
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Greg Kroah-Hartman <gregkh@linuxfoundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Linus Torvalds <torvalds@linux-foundation.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · James Bottomley <James.Bottomley@HansenPartnership.com> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Matthew Garrett <hidden> · 2017-11-14
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-15
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-16
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-12-04
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Alan Cox <hidden> · 2017-12-07
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-10
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-13
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · Mimi Zohar <hidden> · 2017-11-08
Re: Firmware signing -- Re: [PATCH 00/27] security, efi: Add kernel lockdown · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2017-11-08

From: Alan Cox <hidden>
Date: 2017-12-07 15:33:00
Also in: linux-efi, lkml

I am curious though, is the above notion of having hardware require signed
firmware an implication brought down by UEFI? If so do you have any pointers
to where this is stipulated? Or is it just a best practice we assume some
manufacturers are implementing?

It's a mix of best practice and meeting the so called 'secure boot'
requirements. In the non Linux space exactly the same problems exist in
terms of trusting devices and firmware, building a root of trust and even
more so when producing 'hardened' platforms.

Some stuff isn't - USB devices for example don't get to pee on random
memory so often isn't signed.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help