On Thu, Aug 16, 2018 at 8:36 AM, Laura Abbott <labbott@xxxxxxxxxx> wrote:

> On 08/15/2018 07:10 PM, Alexei Starovoitov wrote:
>
>> On Tue, Aug 14, 2018 at 07:14:00AM -0700, Andrew Lutomirski wrote:
>>
>>> [Removed Fedora devel list because it's subscriber-only]
>>>
>>> On Aug 8, 2018, at 12:29 AM, Peter Robinson <pbrobinson@xxxxxxxxx> wrote:
>>>>
>>>> Probably a good idea to cc: this to the kernel list :-)
>>>>
>>>> I suspect it's intentional but with the planned changes for iptables
>>>> etc to be backed by bpf in the upstream kernel sometime in the future
>>>> it's likely going to need to be reviewed.
>>>>
>>>
>>> I thought this got covered in review. I think this part of lockdown
>>> needs to get reverted or fixed ASAP.
>>>
>>
>> I don't see lockdown in Linus's tree. Is this fedora only issue?
>>
>
> The entire lockdown/secure boot series is out of tree at the moment.
> We're working to get it included. If you search LWN, you
> can find some articles explaining the long saga of the patch series.
>
>>> (I definitely brought up multiple issues with the bpf lockdown stuff.
>>> It's clearly extremely broken right now in the "new kernel breaks
>>> *current* Linux distro" sense.)
>>>
>>
>> +1
>>
>
> Yes, we need to review what exactly is in Fedora. It's the merge
> window so this is a good time to do that anyway. We're still
> playing catch up after Flock in Dresden last week. Can you file
> a bugzilla for tracking so we don't forget?
>

I typically do a review after every major release before we rebase
stable distributions. This is on my list of things to rectify in the
next week. It really would be nice if we could get some of the agreed
upon lockdown pieces upstream. I don't care if it is tied to secure
boot, in fact it does make sense to have the capability outside of
secure boot and it is much easier to carry a single patch to simply
turn on lockdown based on UEFI secure boot than having to carry the
entire lockdown series.

Justin