All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel Axtens <dja@axtens.net>
To: Michael Ellerman <mpe@ellerman.id.au>, linuxppc-dev@ozlabs.org
Cc: nayna@linux.ibm.com, oohall@gmail.com, joel@jms.id.au
Subject: Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
Date: Thu, 16 Jan 2020 16:00:32 +1100	[thread overview]
Message-ID: <871rs0knbj.fsf@dja-thinkpad.axtens.net> (raw)
In-Reply-To: <20200116014808.15756-7-mpe@ellerman.id.au>

Michael Ellerman <mpe@ellerman.id.au> writes:

> From: Joel Stanley <joel@jms.id.au>
>
> This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> FORTIFY_SOURCE.
>
> It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
>

As I said before, this will disable xmon entirely. If we want to set
this, we should compile out xmon. But if we want xmon in read-only mode
to be an option, we should pick integrity mode.

I don't really mind, because I don't work with skiroot very
much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
is this a problem for any of you?

Regards,
Daniel

> MODULE_SIG is selected by lockdown, so it is still enabled.
>
> Signed-off-by: Joel Stanley <joel@jms.id.au>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> ---
>  arch/powerpc/configs/skiroot_defconfig | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/configs/skiroot_defconfig b/arch/powerpc/configs/skiroot_defconfig
> index 24a210fe0049..bd661a9a9410 100644
> --- a/arch/powerpc/configs/skiroot_defconfig
> +++ b/arch/powerpc/configs/skiroot_defconfig
> @@ -49,7 +49,6 @@ CONFIG_JUMP_LABEL=y
>  CONFIG_STRICT_KERNEL_RWX=y
>  CONFIG_MODULES=y
>  CONFIG_MODULE_UNLOAD=y
> -CONFIG_MODULE_SIG=y
>  CONFIG_MODULE_SIG_FORCE=y
>  CONFIG_MODULE_SIG_SHA512=y
>  CONFIG_PARTITION_ADVANCED=y
> @@ -272,6 +271,16 @@ CONFIG_NLS_ASCII=y
>  CONFIG_NLS_ISO8859_1=y
>  CONFIG_NLS_UTF8=y
>  CONFIG_ENCRYPTED_KEYS=y
> +CONFIG_SECURITY=y
> +CONFIG_HARDENED_USERCOPY=y
> +# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
> +CONFIG_HARDENED_USERCOPY_PAGESPAN=y
> +CONFIG_FORTIFY_SOURCE=y
> +CONFIG_SECURITY_LOCKDOWN_LSM=y
> +CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
> +CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
> +# CONFIG_INTEGRITY is not set
> +CONFIG_LSM="yama,loadpin,safesetid,integrity"
>  # CONFIG_CRYPTO_HW is not set
>  CONFIG_CRC16=y
>  CONFIG_CRC_ITU_T=y
> -- 
> 2.21.1

  reply	other threads:[~2020-01-16  5:04 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16  1:48 [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Michael Ellerman
2020-01-16  1:48 ` [PATCH 2/9] powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE Michael Ellerman
2020-01-16  1:54   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 3/9] powerpc/configs: Drop NET_VENDOR_HP which moved to staging Michael Ellerman
2020-01-16  1:54   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 4/9] powerpc/configs/skiroot: Drop HID_LOGITECH Michael Ellerman
2020-01-16  1:55   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 5/9] powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV Michael Ellerman
2020-01-16  1:55   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 6/9] powerpc/configs/skiroot: Update for symbol movement only Michael Ellerman
2020-01-16  1:52   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 7/9] powerpc/configs/skiroot: Enable security features Michael Ellerman
2020-01-16  5:00   ` Daniel Axtens [this message]
2020-01-16  7:10     ` Oliver O'Halloran
2020-01-16  7:14       ` Joel Stanley
2020-01-16  1:48 ` [RFC PATCH 8/9] powerpc/configs/skiroot: Disable xmon default & enable reboot on panic Michael Ellerman
2020-01-16  1:53   ` Joel Stanley
2020-01-16  1:48 ` [RFC PATCH 9/9] powerpc/configs/skiroot: Enable some more hardening options Michael Ellerman
2020-01-16  1:51   ` Joel Stanley
2020-01-21  4:21     ` Michael Ellerman
2020-01-16  1:54 ` [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Joel Stanley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871rs0knbj.fsf@dja-thinkpad.axtens.net \
    --to=dja@axtens.net \
    --cc=joel@jms.id.au \
    --cc=linuxppc-dev@ozlabs.org \
    --cc=mpe@ellerman.id.au \
    --cc=nayna@linux.ibm.com \
    --cc=oohall@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.