From: Matthew Garrett <mjg59@google.com>
To: Justin Forbes <jforbes@redhat.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
LSM List <linux-security-module@vger.kernel.org>,
linux-efi <linux-efi@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
David Howells <dhowells@redhat.com>,
Seth Forshee <seth.forshee@canonical.com>,
kexec@lists.infradead.org, Nayna Jain <nayna@linux.ibm.com>
Subject: Re: [PATCH 3/3] x86/ima: retry detecting secure boot mode
Date: Thu, 7 Mar 2019 14:44:55 -0800 [thread overview]
Message-ID: <CACdnJuuHmK0qKjMxxonRYDUCatxqs930QGNQmREhRjimpNKzYw@mail.gmail.com> (raw)
In-Reply-To: <CAFbkSA39RwB+E4SaG_ueu-_B=y7JytEYKw1+eXNQ_eCuMfnv=g@mail.gmail.com>
On Thu, Mar 7, 2019 at 2:38 PM Justin Forbes <jforbes@redhat.com> wrote:
> On Thu, Mar 7, 2019 at 4:29 PM Matthew Garrett <mjg59@google.com> wrote:
>>
>> On Mon, Nov 19, 2018 at 11:57 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>> >
>> > The secure boot mode may not be detected on boot for some reason (eg.
>> > buggy firmware). This patch attempts one more time to detect the
>> > secure boot mode.
>>
>> Do we have cases where this has actually been seen? I'm not sure what
>> the circumstances are that would result in this behaviour.
>
>
> We have never seen it in practice, though we only ever do anything with it with x86, so it is possible that some other platforms maybe?
I'm not sure that it buys us anything to check this in both the boot
stub and the running kernel. If a platform *is* giving us different
results, anything else relying on the information from the boot stub
is also going to be broken, so we should do this centrally rather than
in the IMA code.
next prev parent reply other threads:[~2019-03-07 22:45 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-19 19:56 [PATCH 0/3] selftest/ima: fail kexec_load syscall Mimi Zohar
2018-11-19 19:56 ` [PATCH 1/3] ima: add error mesage to kexec_load Mimi Zohar
2018-11-19 19:56 ` [PATCH 2/3] selftests/ima: kexec_load syscall test Mimi Zohar
2018-11-19 19:56 ` [PATCH 3/3] x86/ima: retry detecting secure boot mode Mimi Zohar
2019-03-07 22:28 ` Matthew Garrett
[not found] ` <CAFbkSA39RwB+E4SaG_ueu-_B=y7JytEYKw1+eXNQ_eCuMfnv=g@mail.gmail.com>
2019-03-07 22:44 ` Matthew Garrett [this message]
2019-03-07 22:48 ` Mimi Zohar
2019-03-07 22:50 ` Matthew Garrett
2019-03-08 13:39 ` Mimi Zohar
2019-03-08 17:51 ` Matthew Garrett
2019-03-08 18:43 ` Mimi Zohar
2019-03-08 20:22 ` Matthew Garrett
2019-03-11 16:54 ` Mimi Zohar
2019-03-11 19:20 ` Matthew Garrett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACdnJuuHmK0qKjMxxonRYDUCatxqs930QGNQmREhRjimpNKzYw@mail.gmail.com \
--to=mjg59@google.com \
--cc=dhowells@redhat.com \
--cc=jforbes@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=seth.forshee@canonical.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).