Hi Matt, Sorry for bother you! I didn't see this Matthew's patchset merged in EFI git tree. Do you have plan to merge it? Or those patches need wait different subsystem leaders merge. Thanks a lot! Joey Lee 於 四,2012-09-20 於 10:40 -0400,Matthew Garrett 提到: > Secure boot adds certain policy requirements, including that root must not > be able to do anything that could cause the kernel to execute arbitrary code. > The simplest way to handle this would seem to be to add a new capability > and gate various functionality on that. We'll then strip it from the initial > capability set if required. > > Signed-off-by: Matthew Garrett <mjg@xxxxxxxxxx> > --- > include/linux/capability.h | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/include/linux/capability.h b/include/linux/capability.h > index d10b7ed..4345bc8 100644 > --- a/include/linux/capability.h > +++ b/include/linux/capability.h > @@ -364,7 +364,11 @@ struct cpu_vfs_cap_data { > > #define CAP_BLOCK_SUSPEND 36 > > -#define CAP_LAST_CAP CAP_BLOCK_SUSPEND > +/* Allow things that trivially permit root to modify the running kernel */ > + > +#define CAP_COMPROMISE_KERNEL 37 > + > +#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL > > #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) > -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html