Re: [PULL REQUEST] Lock down patches

[PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-01
Re: [PULL REQUEST] Lock down patches · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 01/27] Add the ability to lock down access to the running kernel image · Matthew Garrett <hidden> · 2019-02-28
[PATCH 02/27] Add a SysRq option to lift kernel lockdown · Matthew Garrett <hidden> · 2019-02-28
[PATCH 03/27] Enforce module signatures if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 04/27] Restrict /dev/{mem,kmem,port} when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 07/27] kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE · Matthew Garrett <hidden> · 2019-02-28
[PATCH 09/27] hibernate: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
Re: [PATCH 09/27] hibernate: Disable when the kernel is locked down · Pavel Machek <hidden> · 2019-03-19
[PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
Re: [PATCH 08/27] kexec_file: Restrict at runtime if the kernel is locked down · Mimi Zohar <zohar@linux.ibm.com> · 2019-03-01
[PATCH 11/27] PCI: Lock down BAR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 12/27] x86: Lock down IO port access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 13/27] x86/msr: Restrict MSR access when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 14/27] ACPI: Limit access to custom_method when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 17/27] acpi: Disable APEI error injection if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 18/27] Prohibit PCMCIA CIS storage when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 19/27] Lock down TIOCSSERIAL · Matthew Garrett <hidden> · 2019-02-28
[PATCH 22/27] Lock down /proc/kcore · Matthew Garrett <hidden> · 2019-02-28
[PATCH 23/27] Lock down kprobes · Matthew Garrett <hidden> · 2019-02-28
[PATCH 25/27] Lock down perf · Matthew Garrett <hidden> · 2019-02-28
[PATCH 26/27] debugfs: Restrict debugfs when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 27/27] lockdown: Print current->comm in restriction messages · Matthew Garrett <hidden> · 2019-02-28
[PATCH 24/27] bpf: Restrict kernel image access functions when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 20/27] Lock down module params that specify hardware parameters (eg. ioport) · Matthew Garrett <hidden> · 2019-02-28
[PATCH 21/27] x86/mmiotrace: Lock down the testmmiotrace module · Matthew Garrett <hidden> · 2019-02-28
[PATCH 16/27] acpi: Disable ACPI table override if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 10/27] uswsusp: Disable when the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 05/27] kexec_load: Disable at runtime if the kernel is locked down · Matthew Garrett <hidden> · 2019-02-28
[PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot · Matthew Garrett <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Randy Dunlap <hidden> · 2019-02-28
Re: [PULL REQUEST] Lock down patches · Matthew Garrett <hidden> · 2019-03-04

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2019-03-01 01:44:35
Also in: lkml

On Thu, 2019-02-28 at 17:01 -0800, Matthew Garrett wrote:

quoted

That's not a valid reason for preventing systems that do use IMA for
verifying the kexec kernel image signature or kernel module signatures
from enabling "lock down".  This just means that there needs to be
some coordination between the different signature verification
methods. [1][2]

I agree, but the current form of the integration makes it impossible
for anyone using an IMA-enabled kernel (but not using IMA) to do
anything unless they have IMA signatures. It's a problem we need to
solve, I just don't think it's a problem we need to solve before
merging the patchset.

That's simply not true.  Have you even looked at the IMA architecture
patches?

fcf338449af5 x86/ima: require signed kernel modules
d958083a8f64 x86/ima: define arch_get_ima_policy() for x86

Mimi

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help