Re: [PATCH] security: Do not restore kernel and initrd labels

On Fri, 2016-01-15 at 11:50 +0100, Jiri Denemark wrote:
> > > > but I'm wondering if the nvram and dtb lines before & after would
> > > > potentially suffer the same problem
> > > 
> > > Yeah, I was wondering about that too, but I wasn't quite sure whether
> > > they are similar or not.
> > 
> > Could Rich's test be tweaked some way in order to find out?
> 
> Well, it could, but the question is whether it would be correct usage
> :-)
> 
> And it seems nvram is actually different:
> 
>     /* This is different than kernel or initrd. The nvram store
>      * is really a disk, qemu can read and write to it. */
> 
> and we use imagelabel for nvram.
> 
> However, dtb (whatever that is used for) gets the same label we use for
> kernel/initrd so it looks like it could be similar. However, I have no
> idea what this beast is all about :-)

AFAICT the Device Tree (which is contained in the file pointed to by
the <dtb> element) is copied into the guest memory at startup and only
used by the kernel to collect information about the hardware, so it
should be safe to treat it the same way as kernel and initrd.

Cheers.

-- 
Andrea Bolognani
Software Engineer - Virtualization Team

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



