[PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures

[PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-05-29
[PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 1/8] security: define new LSM hook named security_kernel_load_data · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
[PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 2/8] kexec: add call to LSM hook in original kexec_load syscall · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
[PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [PATCH v4 5/8] ima: based on policy require signed firmware (sysfs fallback) · Mimi Zohar <hidden> · 2018-06-01
[PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 4/8] firmware: add call to LSM hook before firmware sysfs fallback · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
[PATCH v4 6/8] ima: add build time policy · Mimi Zohar <hidden> · 2018-05-29
[RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Mimi Zohar <hidden> · 2018-05-29
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-01
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Kees Cook <hidden> · 2018-06-05
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · Ard Biesheuvel <hidden> · 2018-06-06
Re: [RFC PATCH v4 7/8] ima: based on policy prevent loading firmware (pre-allocated buffer) · "Luis R. Rodriguez" <mcgrof@kernel.org> · 2018-06-06
[PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-05-30
[PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-31
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Paul Moore <paul@paul-moore.com> · 2018-06-01
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Jessica Yu <jeyu@kernel.org> · 2018-06-04
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4a 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-06-05
Re: [PATCH v4 8/8] module: replace the existing LSM hook in init_module · Mimi Zohar <hidden> · 2018-05-29
[PATCH v4 3/8] ima: based on policy require signed kexec kernel images · Mimi Zohar <hidden> · 2018-05-29
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-04
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · "Serge E. Hallyn" <serge@hallyn.com> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Kees Cook <hidden> · 2018-06-05
Re: [PATCH v4 0/8] kexec/firmware: support system wide policy requiring signatures · Mimi Zohar <hidden> · 2018-06-05

From: Kees Cook <hidden>
Date: 2018-06-05 13:43:34
Also in: kexec, linux-integrity, lkml

On Tue, Jun 5, 2018 at 6:25 AM, Serge E. Hallyn [off-list ref] wrote:

Quoting Kees Cook (keescook at chromium.org):

quoted

On Mon, Jun 4, 2018 at 9:09 PM, Serge E. Hallyn [off-list ref] wrote:

quoted

Personally I agree with Eric and prefer a new hook.  I don't feel strongly
enough about it to keep bikeshedding, but since this set already exists,
it seems like the way to go.

And the new hook is "load stuff without a file descriptor"?

Yes.  Load stuff based on my own credentials not those attached
to a file.

Okay, I can live with that. :)

-- 
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help