Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
From: David Howells <dhowells@xxxxxxxxxx>
Date: Fri, 07 Apr 2017 10:17:18 +0100
Cc: dhowells@xxxxxxxxxx, Dave Young <dyoung@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Matthew Garrett <mjg59@xxxxxxxxxxxxx>, linux-efi@xxxxxxxxxxxxxxx, gnomes@xxxxxxxxxxxxxxxxxxx, Chun-Yi Lee <jlee@xxxxxxxx>, gregkh@xxxxxxxxxxxxxxxxxxx, kexec@xxxxxxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, keyrings@xxxxxxxxxxxxxxx, matthew.garrett@xxxxxxxxxx
Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 2CF5CC05974C
In-reply-to: <1491551180.4184.50.camel@linux.vnet.ibm.com>
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > Okay, fair enough.  I can stick in an OR with an IS_ENABLED on some IMA
> > symbol.  CONFIG_IMA_KEXEC maybe?  And also require IMA be enabled?
> 
> Not quite, since as Dave pointed out, IMA is policy driven.  As a
> policy is installed, we could set a flag.

Does such a flag exist as yet?

David
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Follow-Ups:
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar

References:
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar
- [PATCH 00/24] Kernel lockdown
  - From: David Howells
- [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Dave Young
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells

Prev by Date: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Next by Date: Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down
Previous by thread: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Next by thread: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Index(es):
- Date
- Thread

[Index of Archives] [Linux ARM Kernel] [Linux ARM] [Linux Omap] [Fedora ARM] [IETF Annouce] [Security] [Bugtraq] [Linux OMAP] [Linux MIPS] [ECOS] [Asterisk Internet PBX] [Linux API]