[PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down

[PATCH 00/30] security, efi: Add kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 01/30] Add the ability to lock down access to the running kernel image · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 02/30] Add a SysRq option to lift kernel lockdown · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 03/30] ima: require secure_boot rules in lockdown mode · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 04/30] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 04/30] Enforce module signatures if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 04/30] Enforce module signatures if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
[PATCH 05/30] Restrict /dev/{mem, kmem, port} when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 06/30] kexec: Disable at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 07/30] Copy secure_boot flag in boot params across kexec reboot · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
[PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-01-16
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-16
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-01-17
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Jiri Bohac <hidden> · 2018-01-19
Re: [PATCH 08a/30] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · David Howells <dhowells@redhat.com> · 2018-02-21
[PATCH 08b/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-01-11
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-01-17
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · David Howells <dhowells@redhat.com> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down · Jiri Bohac <hidden> · 2018-02-22
[PATCH 09/30] hibernate: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 10/30] uswsusp: Disable when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 11/30] PCI: Lock down BAR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 12/30] x86: Lock down IO port access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 13/30] x86/msr: Restrict MSR access when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 14/30] asus-wmi: Restrict debugfs interface when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 15/30] ACPI: Limit access to custom_method when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 16/30] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 17/30] acpi: Disable ACPI table override if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · Joey Lee <JLee@suse.com> · 2019-11-07
Re: [PATCH 18/30] acpi: Disable APEI error injection if the kernel is locked down · joeyli <jlee@suse.com> · 2022-05-28
[PATCH 19/30] scsi: Lock down the eata driver · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 20/30] Prohibit PCMCIA CIS storage when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 21/30] Lock down TIOCSSERIAL · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 22/30] Lock down module params that specify hardware parameters (eg. ioport) · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 23/30] x86/mmiotrace: Lock down the testmmiotrace module · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 24/30] debugfs: Disallow use of debugfs files when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 25/30] Lock down /proc/kcore · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · Jiri Kosina <jikos@kernel.org> · 2017-11-10
Re: [PATCH 26/30] Lock down ftrace · David Howells <dhowells@redhat.com> · 2017-11-10
[PATCH 27/30] Lock down kprobes · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 28/30] bpf: Restrict kernel image access functions when the kernel is locked down · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 29/30] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode · David Howells <dhowells@redhat.com> · 2017-11-09
[PATCH 30/30] efi: Lock down the kernel if booted in secure boot mode · David Howells <dhowells@redhat.com> · 2017-11-09
Re: [PATCH 00/30] security, efi: Add kernel lockdown · Andrew Morton <akpm@linux-foundation.org> · 2018-03-03

From: Jiri Bohac <hidden>
Date: 2018-02-22 19:08:19
Also in: lkml

On Thu, Feb 22, 2018 at 02:20:43PM +0000, David Howells wrote:

commit 87a39b258eca2e15884ee90c3fcd5758d6057b17
Author: David Howells [off-list ref]
Date:   Thu Feb 22 13:42:04 2018 +0000

    kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
    
    This is a preparatory patch for kexec_file_load() lockdown.  A locked down
    kernel needs to prevent unsigned kernel images to be loaded with

s/to be loaded/from being loaded/
(my own mistake :-))

Otherwise looks good. Thanks for improving my idea.

Reviewed-by: Jiri Bohac <redacted>

-- 
Jiri Bohac [off-list ref]
SUSE Labs, Prague, Czechia

--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help