Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
From: David Howells <dhowells@xxxxxxxxxx>
Date: Mon, 10 Apr 2017 14:19:52 +0100
Cc: dhowells@xxxxxxxxxx, Dave Young <dyoung@xxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Matthew Garrett <mjg59@xxxxxxxxxxxxx>, linux-efi@xxxxxxxxxxxxxxx, gnomes@xxxxxxxxxxxxxxxxxxx, Chun-Yi Lee <jlee@xxxxxxxx>, gregkh@xxxxxxxxxxxxxxxxxxx, kexec@xxxxxxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, keyrings@xxxxxxxxxxxxxxx, matthew.garrett@xxxxxxxxxx
Dmarc-filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 547E8804FE
In-reply-to: <1491568577.4184.97.camel@linux.vnet.ibm.com>
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> From an IMA perspective, either a file hash or signature are valid,
> but for this usage it must be a signature.

Not necessarily.  If IMA can guarantee that a module is the same based on its
hash rather than on a key, I would've thought that should be fine.

David
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Follow-Ups:
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar

References:
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Mimi Zohar
- [PATCH 00/24] Kernel lockdown
  - From: David Howells
- [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: Dave Young
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells
- Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
  - From: David Howells

Prev by Date: Re: [PATCH 15/24] asus-wmi: Restrict debugfs interface when the kernel is locked down
Next by Date: Re: [PATCH] efi/libstub: arm/arm64: don't use TASK_SIZE when randomising the RT space
Previous by thread: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Next by thread: Re: [PATCH 09/24] kexec_file: Disable at runtime if securelevel has been set
Index(es):
- Date
- Thread

[Index of Archives] [Linux ARM Kernel] [Linux ARM] [Linux Omap] [Fedora ARM] [IETF Annouce] [Security] [Bugtraq] [Linux OMAP] [Linux MIPS] [ECOS] [Asterisk Internet PBX] [Linux API]