From: Michael Ellerman <mpe@ellerman.id.au>
To: Luis Chamberlain <mcgrof@kernel.org>,
Michal Suchanek <msuchanek@suse.de>,
David Howells <dhowells@redhat.com>,
Aaron Tomlin <atomlin@redhat.com>
Cc: Nayna <nayna@linux.vnet.ibm.com>,
Mimi Zohar <zohar@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
David Howells <dhowells@redhat.com>,
keyrings@vger.kernel.org, Paul Mackerras <paulus@samba.org>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Rob Herring <robh@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Baoquan He <bhe@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
James Morris <jmorris@namei.org>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
"Serge E. Hallyn" <serge@hallyn.com>,
Vasily Gorbik <gor@linux.ibm.com>,
linux-s390@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Hari Bathini <hbathini@linux.ibm.com>,
Daniel Axtens <dja@axtens.net>, Philipp Rudo <prudo@redhat.com>,
Frank van der Linden <fllinden@amazon.com>,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
linux-integrity@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
"David S. Miller" <davem@davemloft.net>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
buendgen@de.ibm.com
Subject: Re: [PATCH v5 0/6] KEXEC_SIG with appended signature
Date: Wed, 09 Feb 2022 15:46:05 +1100 [thread overview]
Message-ID: <87pmnwlkaa.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <YfBd/EDGUx9UIHcb@bombadil.infradead.org>
Luis Chamberlain <mcgrof@kernel.org> writes:
> On Tue, Jan 11, 2022 at 12:37:42PM +0100, Michal Suchanek wrote:
>> Hello,
>>
>> This is a refresh of the KEXEC_SIG series.
>>
>> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
>> with appended signatures in the kernel.
>>
>> powerpc supports IMA_KEXEC but that's an exception rather than the norm.
>> On the other hand, KEXEC_SIG is portable across platforms.
>>
>> For distributions to have uniform security features across platforms one
>> option should be used on all platforms.
>>
>> Thanks
>>
>> Michal
>>
>> Previous revision: https://lore.kernel.org/linuxppc-dev/cover.1637862358.git.msuchanek@suse.de/
>> Patched kernel tree: https://github.com/hramrach/kernel/tree/kexec_sig
>>
>> Michal Suchanek (6):
>> s390/kexec_file: Don't opencode appended signature check.
>> powerpc/kexec_file: Add KEXEC_SIG support.
>> kexec_file: Don't opencode appended signature verification.
>> module: strip the signature marker in the verification function.
>> module: Use key_being_used_for for log messages in
>> verify_appended_signature
>> module: Move duplicate mod_check_sig users code to mod_parse_sig
>
> What tree should this go through? I'd prefer if over through modules
> tree as it can give a chance for Aaron Tomlin to work with this for his
> code refactoring of kernel/module*.c to kernel/module/
Yeah that's fine by me, the arch changes are pretty minimal and unlikely
to conflict much.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Luis Chamberlain <mcgrof@kernel.org>,
Michal Suchanek <msuchanek@suse.de>,
David Howells <dhowells@redhat.com>,
Aaron Tomlin <atomlin@redhat.com>
Cc: keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org,
Philipp Rudo <prudo@redhat.com>, Mimi Zohar <zohar@linux.ibm.com>,
Nayna <nayna@linux.vnet.ibm.com>, Rob Herring <robh@kernel.org>,
linux-s390@vger.kernel.org, Vasily Gorbik <gor@linux.ibm.com>,
Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
Heiko Carstens <hca@linux.ibm.com>, Jessica Yu <jeyu@kernel.org>,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
Christian Borntraeger <borntraeger@de.ibm.com>,
Paul Mackerras <paulus@samba.org>,
Hari Bathini <hbathini@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org,
Frank van der Linden <fllinden@amazon.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
Daniel Axtens <dja@axtens.net>,
buendgen@de.ibm.com,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
Sven Schnelle <svens@linux.ibm.com>, Baoquan He <bhe@redhat.com>,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 0/6] KEXEC_SIG with appended signature
Date: Wed, 09 Feb 2022 15:46:05 +1100 [thread overview]
Message-ID: <87pmnwlkaa.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <YfBd/EDGUx9UIHcb@bombadil.infradead.org>
Luis Chamberlain <mcgrof@kernel.org> writes:
> On Tue, Jan 11, 2022 at 12:37:42PM +0100, Michal Suchanek wrote:
>> Hello,
>>
>> This is a refresh of the KEXEC_SIG series.
>>
>> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
>> with appended signatures in the kernel.
>>
>> powerpc supports IMA_KEXEC but that's an exception rather than the norm.
>> On the other hand, KEXEC_SIG is portable across platforms.
>>
>> For distributions to have uniform security features across platforms one
>> option should be used on all platforms.
>>
>> Thanks
>>
>> Michal
>>
>> Previous revision: https://lore.kernel.org/linuxppc-dev/cover.1637862358.git.msuchanek@suse.de/
>> Patched kernel tree: https://github.com/hramrach/kernel/tree/kexec_sig
>>
>> Michal Suchanek (6):
>> s390/kexec_file: Don't opencode appended signature check.
>> powerpc/kexec_file: Add KEXEC_SIG support.
>> kexec_file: Don't opencode appended signature verification.
>> module: strip the signature marker in the verification function.
>> module: Use key_being_used_for for log messages in
>> verify_appended_signature
>> module: Move duplicate mod_check_sig users code to mod_parse_sig
>
> What tree should this go through? I'd prefer if over through modules
> tree as it can give a chance for Aaron Tomlin to work with this for his
> code refactoring of kernel/module*.c to kernel/module/
Yeah that's fine by me, the arch changes are pretty minimal and unlikely
to conflict much.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: kexec@lists.infradead.org
Subject: [PATCH v5 0/6] KEXEC_SIG with appended signature
Date: Wed, 09 Feb 2022 15:46:05 +1100 [thread overview]
Message-ID: <87pmnwlkaa.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <YfBd/EDGUx9UIHcb@bombadil.infradead.org>
Luis Chamberlain <mcgrof@kernel.org> writes:
> On Tue, Jan 11, 2022 at 12:37:42PM +0100, Michal Suchanek wrote:
>> Hello,
>>
>> This is a refresh of the KEXEC_SIG series.
>>
>> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
>> with appended signatures in the kernel.
>>
>> powerpc supports IMA_KEXEC but that's an exception rather than the norm.
>> On the other hand, KEXEC_SIG is portable across platforms.
>>
>> For distributions to have uniform security features across platforms one
>> option should be used on all platforms.
>>
>> Thanks
>>
>> Michal
>>
>> Previous revision: https://lore.kernel.org/linuxppc-dev/cover.1637862358.git.msuchanek at suse.de/
>> Patched kernel tree: https://github.com/hramrach/kernel/tree/kexec_sig
>>
>> Michal Suchanek (6):
>> s390/kexec_file: Don't opencode appended signature check.
>> powerpc/kexec_file: Add KEXEC_SIG support.
>> kexec_file: Don't opencode appended signature verification.
>> module: strip the signature marker in the verification function.
>> module: Use key_being_used_for for log messages in
>> verify_appended_signature
>> module: Move duplicate mod_check_sig users code to mod_parse_sig
>
> What tree should this go through? I'd prefer if over through modules
> tree as it can give a chance for Aaron Tomlin to work with this for his
> code refactoring of kernel/module*.c to kernel/module/
Yeah that's fine by me, the arch changes are pretty minimal and unlikely
to conflict much.
cheers
next prev parent reply other threads:[~2022-02-09 4:46 UTC|newest]
Thread overview: 78+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-11 11:37 [PATCH v5 0/6] KEXEC_SIG with appended signature Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` [PATCH v5 1/6] s390/kexec_file: Don't opencode appended signature check Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` [PATCH v5 2/6] powerpc/kexec_file: Add KEXEC_SIG support Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-02-09 4:43 ` Michael Ellerman
2022-02-09 4:43 ` Michael Ellerman
2022-02-09 4:43 ` Michael Ellerman
2022-02-09 6:44 ` Paul Menzel
2022-02-09 6:44 ` Paul Menzel
2022-02-09 6:44 ` Paul Menzel
2022-02-09 12:01 ` Michal Suchánek
2022-02-09 12:01 ` Michal =?unknown-8bit?q?Such=C3=A1nek?=
2022-02-09 12:01 ` Michal Suchánek
2022-02-11 15:31 ` Paul Menzel
2022-02-11 15:31 ` Paul Menzel
2022-02-11 15:31 ` Paul Menzel
2022-02-13 17:50 ` Mimi Zohar
2022-02-13 17:50 ` Mimi Zohar
2022-02-13 17:50 ` Mimi Zohar
2022-02-14 2:59 ` Mimi Zohar
2022-02-14 2:59 ` Mimi Zohar
2022-02-14 2:59 ` Mimi Zohar
2022-02-14 15:14 ` Mimi Zohar
2022-02-14 15:14 ` Mimi Zohar
2022-02-14 15:14 ` Mimi Zohar
2022-02-14 15:55 ` Michal Suchánek
2022-02-14 15:55 ` Michal =?unknown-8bit?q?Such=C3=A1nek?=
2022-02-14 15:55 ` Michal Suchánek
2022-02-14 17:09 ` Mimi Zohar
2022-02-14 17:09 ` Mimi Zohar
2022-02-14 17:09 ` Mimi Zohar
2022-01-11 11:37 ` [PATCH v5 3/6] kexec_file: Don't opencode appended signature verification Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-25 20:15 ` Luis Chamberlain
2022-01-25 20:15 ` Luis Chamberlain
2022-01-25 20:15 ` Luis Chamberlain
2022-02-03 10:49 ` Michal Suchánek
2022-02-03 10:49 ` Michal =?unknown-8bit?q?Such=C3=A1nek?=
2022-02-03 10:49 ` Michal Suchánek
2022-01-11 11:37 ` [PATCH v5 4/6] module: strip the signature marker in the verification function Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-25 20:23 ` Luis Chamberlain
2022-01-25 20:23 ` Luis Chamberlain
2022-01-25 20:23 ` Luis Chamberlain
2022-01-11 11:37 ` [PATCH v5 5/6] module: Use key_being_used_for for log messages in verify_appended_signature Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-25 20:24 ` Luis Chamberlain
2022-01-25 20:24 ` Luis Chamberlain
2022-01-25 20:24 ` Luis Chamberlain
2022-01-11 11:37 ` [PATCH v5 6/6] module: Move duplicate mod_check_sig users code to mod_parse_sig Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-11 11:37 ` Michal Suchanek
2022-01-25 20:27 ` Luis Chamberlain
2022-01-25 20:27 ` Luis Chamberlain
2022-01-25 20:27 ` Luis Chamberlain
2022-01-25 20:30 ` [PATCH v5 0/6] KEXEC_SIG with appended signature Luis Chamberlain
2022-01-25 20:30 ` Luis Chamberlain
2022-01-25 20:30 ` Luis Chamberlain
2022-02-09 4:46 ` Michael Ellerman [this message]
2022-02-09 4:46 ` Michael Ellerman
2022-02-09 4:46 ` Michael Ellerman
2022-02-10 23:30 ` Luis Chamberlain
2022-02-10 23:30 ` Luis Chamberlain
2022-02-10 23:30 ` Luis Chamberlain
2022-02-13 18:53 ` Mimi Zohar
2022-02-13 18:53 ` Mimi Zohar
2022-02-13 18:53 ` Mimi Zohar
2022-02-13 20:27 ` Mimi Zohar
2022-02-13 20:27 ` Mimi Zohar
2022-02-13 20:27 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmnwlkaa.fsf@mpe.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=agordeev@linux.ibm.com \
--cc=atomlin@redhat.com \
--cc=bauerman@linux.ibm.com \
--cc=bhe@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=borntraeger@linux.ibm.com \
--cc=buendgen@de.ibm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dja@axtens.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=fllinden@amazon.com \
--cc=gor@linux.ibm.com \
--cc=hbathini@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mcgrof@kernel.org \
--cc=msuchanek@suse.de \
--cc=nayna@linux.vnet.ibm.com \
--cc=nramas@linux.microsoft.com \
--cc=paulus@samba.org \
--cc=prudo@redhat.com \
--cc=robh@kernel.org \
--cc=serge@hallyn.com \
--cc=svens@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.