From: Randy Dunlap <rdunlap@infradead.org>
To: David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org
Cc: gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org,
matthew.garrett@nebula.com, gregkh@linuxfoundation.org,
linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
Date: Thu, 19 Oct 2017 10:20:26 -0700 [thread overview]
Message-ID: <97659d0c-6992-3025-0f85-819d23e954cc@infradead.org> (raw)
In-Reply-To: <150842464774.7923.7951986297563109339.stgit@warthog.procyon.org.uk>
On 10/19/17 07:50, David Howells wrote:
> From: Kyle McMartin <kyle@redhat.com>
>
> Make an option to provide a sysrq key that will lift the kernel lockdown,
> thereby allowing the running kernel image to be accessed and modified.
>
> On x86_64 this is triggered with SysRq+x, but this key may not be available
> on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
>
> Signed-off-by: Kyle McMartin <kyle@redhat.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: x86@kernel.org
> ---
>
> arch/x86/include/asm/setup.h | 2 ++
> drivers/input/misc/uinput.c | 1 +
> drivers/tty/sysrq.c | 19 +++++++++++------
> include/linux/input.h | 5 ++++
> include/linux/sysrq.h | 8 ++++++-
> kernel/debug/kdb/kdb_main.c | 2 +-
> security/Kconfig | 15 +++++++++++++
> security/lock_down.c | 48 ++++++++++++++++++++++++++++++++++++++++++
> 8 files changed, 92 insertions(+), 8 deletions(-)
> diff --git a/security/Kconfig b/security/Kconfig
> index 8e01fd59ae7e..4be6be71e075 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL
> turns off various features that might otherwise allow access to the
> kernel image (eg. setting MSR registers).
>
> +config ALLOW_LOCKDOWN_LIFT
> + bool
> + help
> + Allow the lockdown on a kernel to be lifted, thereby restoring the
> + ability of userspace to access the kernel image (eg. by SysRq+x under
how about: on
> + x86).
> +
> +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
> + bool "Allow the kernel lockdown to be lifted by SysRq"
> + depends on MAGIC_SYSRQ
> + help
> + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
> + combination on a wired keyboard.
> +
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> diff --git a/security/lock_down.c b/security/lock_down.c
> index d8595c0e6673..f71118c340d2 100644
> --- a/security/lock_down.c
> +++ b/security/lock_down.c
> +
> +/*
> + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
> + * echoing the appropriate letter into the sysrq-trigger file).
> + */
> +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
is that the same as: CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ?
tested?
> +
> +static void sysrq_handle_lockdown_lift(int key)
> +{
> + if (kernel_locked_down)
> + lift_kernel_lockdown();
> +}
> +
> +static struct sysrq_key_op lockdown_lift_sysrq_op = {
> + .handler = sysrq_handle_lockdown_lift,
> + .help_msg = "unSB(x)",
> + .action_msg = "Disabling Secure Boot restrictions",
> + .enable_mask = SYSRQ_DISABLE_USERSPACE,
> +};
> +
> +static int __init lockdown_lift_sysrq(void)
> +{
> + if (kernel_locked_down) {
> + lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
> + register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
> + }
> + return 0;
> +}
> +
> +late_initcall(lockdown_lift_sysrq);
> +
> +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */
BY_SYSRQ
--
~Randy
WARNING: multiple messages have this Message-ID (diff)
From: Randy Dunlap <rdunlap-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
To: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
linux-security-module-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Cc: gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org,
linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
matthew.garrett-05XSO3Yj/JvQT0dZR+AlfA@public.gmane.org,
gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
jforbes-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org
Subject: Re: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
Date: Thu, 19 Oct 2017 10:20:26 -0700 [thread overview]
Message-ID: <97659d0c-6992-3025-0f85-819d23e954cc@infradead.org> (raw)
In-Reply-To: <150842464774.7923.7951986297563109339.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
On 10/19/17 07:50, David Howells wrote:
> From: Kyle McMartin <kyle-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
>
> Make an option to provide a sysrq key that will lift the kernel lockdown,
> thereby allowing the running kernel image to be accessed and modified.
>
> On x86_64 this is triggered with SysRq+x, but this key may not be available
> on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
>
> Signed-off-by: Kyle McMartin <kyle-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> Signed-off-by: David Howells <dhowells-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> cc: x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org
> ---
>
> arch/x86/include/asm/setup.h | 2 ++
> drivers/input/misc/uinput.c | 1 +
> drivers/tty/sysrq.c | 19 +++++++++++------
> include/linux/input.h | 5 ++++
> include/linux/sysrq.h | 8 ++++++-
> kernel/debug/kdb/kdb_main.c | 2 +-
> security/Kconfig | 15 +++++++++++++
> security/lock_down.c | 48 ++++++++++++++++++++++++++++++++++++++++++
> 8 files changed, 92 insertions(+), 8 deletions(-)
> diff --git a/security/Kconfig b/security/Kconfig
> index 8e01fd59ae7e..4be6be71e075 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL
> turns off various features that might otherwise allow access to the
> kernel image (eg. setting MSR registers).
>
> +config ALLOW_LOCKDOWN_LIFT
> + bool
> + help
> + Allow the lockdown on a kernel to be lifted, thereby restoring the
> + ability of userspace to access the kernel image (eg. by SysRq+x under
how about: on
> + x86).
> +
> +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
> + bool "Allow the kernel lockdown to be lifted by SysRq"
> + depends on MAGIC_SYSRQ
> + help
> + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
> + combination on a wired keyboard.
> +
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> diff --git a/security/lock_down.c b/security/lock_down.c
> index d8595c0e6673..f71118c340d2 100644
> --- a/security/lock_down.c
> +++ b/security/lock_down.c
> +
> +/*
> + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
> + * echoing the appropriate letter into the sysrq-trigger file).
> + */
> +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
is that the same as: CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ?
tested?
> +
> +static void sysrq_handle_lockdown_lift(int key)
> +{
> + if (kernel_locked_down)
> + lift_kernel_lockdown();
> +}
> +
> +static struct sysrq_key_op lockdown_lift_sysrq_op = {
> + .handler = sysrq_handle_lockdown_lift,
> + .help_msg = "unSB(x)",
> + .action_msg = "Disabling Secure Boot restrictions",
> + .enable_mask = SYSRQ_DISABLE_USERSPACE,
> +};
> +
> +static int __init lockdown_lift_sysrq(void)
> +{
> + if (kernel_locked_down) {
> + lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
> + register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
> + }
> + return 0;
> +}
> +
> +late_initcall(lockdown_lift_sysrq);
> +
> +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */
BY_SYSRQ
--
~Randy
WARNING: multiple messages have this Message-ID (diff)
From: rdunlap@infradead.org (Randy Dunlap)
To: linux-security-module@vger.kernel.org
Subject: [PATCH 02/27] Add a SysRq option to lift kernel lockdown
Date: Thu, 19 Oct 2017 10:20:26 -0700 [thread overview]
Message-ID: <97659d0c-6992-3025-0f85-819d23e954cc@infradead.org> (raw)
In-Reply-To: <150842464774.7923.7951986297563109339.stgit@warthog.procyon.org.uk>
On 10/19/17 07:50, David Howells wrote:
> From: Kyle McMartin <kyle@redhat.com>
>
> Make an option to provide a sysrq key that will lift the kernel lockdown,
> thereby allowing the running kernel image to be accessed and modified.
>
> On x86_64 this is triggered with SysRq+x, but this key may not be available
> on all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
>
> Signed-off-by: Kyle McMartin <kyle@redhat.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: x86 at kernel.org
> ---
>
> arch/x86/include/asm/setup.h | 2 ++
> drivers/input/misc/uinput.c | 1 +
> drivers/tty/sysrq.c | 19 +++++++++++------
> include/linux/input.h | 5 ++++
> include/linux/sysrq.h | 8 ++++++-
> kernel/debug/kdb/kdb_main.c | 2 +-
> security/Kconfig | 15 +++++++++++++
> security/lock_down.c | 48 ++++++++++++++++++++++++++++++++++++++++++
> 8 files changed, 92 insertions(+), 8 deletions(-)
> diff --git a/security/Kconfig b/security/Kconfig
> index 8e01fd59ae7e..4be6be71e075 100644
> --- a/security/Kconfig
> +++ b/security/Kconfig
> @@ -213,6 +213,21 @@ config LOCK_DOWN_KERNEL
> turns off various features that might otherwise allow access to the
> kernel image (eg. setting MSR registers).
>
> +config ALLOW_LOCKDOWN_LIFT
> + bool
> + help
> + Allow the lockdown on a kernel to be lifted, thereby restoring the
> + ability of userspace to access the kernel image (eg. by SysRq+x under
how about: on
> + x86).
> +
> +config ALLOW_LOCKDOWN_LIFT_BY_SYSRQ
> + bool "Allow the kernel lockdown to be lifted by SysRq"
> + depends on MAGIC_SYSRQ
> + help
> + Allow the lockdown on a kernel to be lifted, by pressing a SysRq key
> + combination on a wired keyboard.
> +
> +
> source security/selinux/Kconfig
> source security/smack/Kconfig
> source security/tomoyo/Kconfig
> diff --git a/security/lock_down.c b/security/lock_down.c
> index d8595c0e6673..f71118c340d2 100644
> --- a/security/lock_down.c
> +++ b/security/lock_down.c
> +
> +/*
> + * Allow lockdown to be lifted by pressing something like SysRq+x (and not by
> + * echoing the appropriate letter into the sysrq-trigger file).
> + */
> +#ifdef CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY
is that the same as: CONFIG_ALLOW_LOCKDOWN_LIFT_BY_SYSRQ ?
tested?
> +
> +static void sysrq_handle_lockdown_lift(int key)
> +{
> + if (kernel_locked_down)
> + lift_kernel_lockdown();
> +}
> +
> +static struct sysrq_key_op lockdown_lift_sysrq_op = {
> + .handler = sysrq_handle_lockdown_lift,
> + .help_msg = "unSB(x)",
> + .action_msg = "Disabling Secure Boot restrictions",
> + .enable_mask = SYSRQ_DISABLE_USERSPACE,
> +};
> +
> +static int __init lockdown_lift_sysrq(void)
> +{
> + if (kernel_locked_down) {
> + lockdown_lift_sysrq_op.help_msg[5] = LOCKDOWN_LIFT_KEY;
> + register_sysrq_key(LOCKDOWN_LIFT_KEY, &lockdown_lift_sysrq_op);
> + }
> + return 0;
> +}
> +
> +late_initcall(lockdown_lift_sysrq);
> +
> +#endif /* CONFIG_ALLOW_LOCKDOWN_LIFT_BY_KEY */
BY_SYSRQ
--
~Randy
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-10-19 17:20 UTC|newest]
Thread overview: 367+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-19 14:50 [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-19 14:50 ` David Howells
2017-10-19 14:50 ` David Howells
2017-10-19 14:50 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image David Howells
2017-10-19 14:50 ` David Howells
2017-10-20 23:19 ` James Morris
2017-10-20 23:19 ` James Morris
2017-10-19 14:50 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown David Howells
2017-10-19 14:50 ` David Howells
2017-10-19 17:20 ` Randy Dunlap [this message]
2017-10-19 17:20 ` Randy Dunlap
2017-10-19 17:20 ` Randy Dunlap
2017-10-19 22:12 ` David Howells
2017-10-19 22:12 ` David Howells
2017-10-19 22:12 ` David Howells
2017-11-07 17:39 ` Thiago Jung Bauermann
2017-11-07 17:39 ` Thiago Jung Bauermann
2017-11-07 22:56 ` David Howells
2017-11-07 22:56 ` David Howells
2017-10-19 14:50 ` [PATCH 03/27] Enforce module signatures if the kernel is locked down David Howells
2017-10-19 14:50 ` David Howells
2017-10-20 6:33 ` joeyli
2017-10-20 6:33 ` joeyli
2017-10-20 6:33 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-20 23:21 ` James Morris
2017-10-27 18:48 ` Mimi Zohar
2017-10-27 18:48 ` Mimi Zohar
2017-10-30 17:00 ` David Howells
2017-10-30 17:00 ` David Howells
2017-10-30 17:52 ` Mimi Zohar
2017-10-30 17:52 ` Mimi Zohar
2017-11-02 17:22 ` David Howells
2017-11-02 17:22 ` David Howells
2017-11-02 17:22 ` David Howells
2017-11-02 19:13 ` Mimi Zohar
2017-11-02 19:13 ` Mimi Zohar
2017-11-02 21:30 ` David Howells
2017-11-02 21:30 ` David Howells
2017-11-02 21:30 ` David Howells
2017-11-02 21:41 ` Mimi Zohar
2017-11-02 21:41 ` Mimi Zohar
2017-11-02 21:41 ` Mimi Zohar
2017-11-02 22:01 ` David Howells
2017-11-02 22:01 ` David Howells
2017-11-02 22:01 ` David Howells
2017-11-02 22:18 ` Mimi Zohar
2017-11-02 22:18 ` Mimi Zohar
2017-10-19 14:51 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when " David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:37 ` joeyli
2017-10-20 6:37 ` joeyli
2017-10-20 23:21 ` James Morris
2017-10-20 23:21 ` James Morris
2017-10-19 14:51 ` [PATCH 05/27] kexec: Disable at runtime if " David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:38 ` joeyli
2017-10-20 6:38 ` joeyli
2017-10-20 23:22 ` James Morris
2017-10-20 23:22 ` James Morris
2017-10-19 14:51 ` [PATCH 06/27] Copy secure_boot flag in boot params across kexec reboot David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:40 ` joeyli
2017-10-20 6:40 ` joeyli
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 23:26 ` James Morris
2017-10-20 23:26 ` James Morris
2017-10-23 15:54 ` Mimi Zohar
2017-10-23 15:54 ` Mimi Zohar
2017-10-23 15:54 ` Mimi Zohar
2017-10-26 7:42 ` joeyli
2017-10-26 7:42 ` joeyli
2017-10-26 14:17 ` Mimi Zohar
2017-10-26 14:17 ` Mimi Zohar
2017-10-27 19:30 ` Mimi Zohar
2017-10-27 19:30 ` Mimi Zohar
2017-10-27 19:32 ` Mimi Zohar
2017-10-27 19:32 ` Mimi Zohar
2017-10-27 19:32 ` Mimi Zohar
2017-10-28 8:34 ` joeyli
2017-10-28 8:34 ` joeyli
2017-10-29 22:26 ` Mimi Zohar
2017-10-29 22:26 ` Mimi Zohar
2017-10-29 22:26 ` Mimi Zohar
2017-10-30 9:00 ` David Howells
2017-10-30 9:00 ` David Howells
2017-10-30 12:01 ` Mimi Zohar
2017-10-30 12:01 ` Mimi Zohar
2017-10-26 15:02 ` David Howells
2017-10-26 15:02 ` David Howells
2017-10-26 15:46 ` Mimi Zohar
2017-10-26 15:46 ` Mimi Zohar
2017-10-26 15:46 ` Mimi Zohar
2017-10-30 15:49 ` David Howells
2017-10-30 15:49 ` David Howells
2017-10-30 16:43 ` Mimi Zohar
2017-10-30 16:43 ` Mimi Zohar
2017-10-30 16:43 ` Mimi Zohar
2017-11-02 17:00 ` David Howells
2017-11-02 17:00 ` David Howells
2017-10-26 14:51 ` David Howells
2017-10-26 14:51 ` David Howells
2017-10-26 14:51 ` David Howells
2017-11-02 17:29 ` David Howells
2017-11-02 17:29 ` David Howells
2017-11-02 17:29 ` David Howells
2017-10-19 14:51 ` [PATCH 08/27] hibernate: Disable when the kernel is locked down David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:40 ` joeyli
2017-10-20 6:40 ` joeyli
2017-10-20 6:40 ` joeyli
2017-10-19 14:51 ` [PATCH 09/27] uswsusp: " David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:41 ` joeyli
2017-10-20 6:41 ` joeyli
2017-10-20 23:29 ` James Morris
2017-10-20 23:29 ` James Morris
2017-10-20 23:29 ` James Morris
2017-10-19 14:51 ` [PATCH 10/27] PCI: Lock down BAR access " David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:42 ` joeyli
2017-10-20 6:42 ` joeyli
2017-10-20 6:42 ` joeyli
2017-10-19 14:51 ` [PATCH 11/27] x86: Lock down IO port " David Howells
2017-10-19 14:51 ` David Howells
2017-10-20 6:43 ` joeyli
2017-10-20 6:43 ` joeyli
2017-10-19 14:52 ` [PATCH 12/27] x86/msr: Restrict MSR " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:43 ` joeyli
2017-10-20 6:43 ` joeyli
2017-10-20 18:09 ` Alan Cox
2017-10-20 18:09 ` Alan Cox
2017-10-20 20:48 ` David Howells
2017-10-20 20:48 ` David Howells
2017-10-20 20:48 ` David Howells
2017-10-21 4:39 ` joeyli
2017-10-21 4:39 ` joeyli
2017-10-23 14:49 ` David Howells
2017-10-23 14:49 ` David Howells
2017-10-23 14:49 ` David Howells
2017-10-25 14:03 ` joeyli
2017-10-25 14:03 ` joeyli
2017-10-19 14:52 ` [PATCH 13/27] asus-wmi: Restrict debugfs interface " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:44 ` joeyli
2017-10-20 6:44 ` joeyli
2017-10-19 14:52 ` [PATCH 14/27] ACPI: Limit access to custom_method " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:45 ` joeyli
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 15/27] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:45 ` joeyli
2017-10-20 6:45 ` joeyli
2017-10-19 14:52 ` [PATCH 16/27] acpi: Disable ACPI table override if the kernel is " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:46 ` joeyli
2017-10-20 6:46 ` joeyli
2017-10-20 6:46 ` joeyli
2017-10-19 14:52 ` [PATCH 17/27] acpi: Disable APEI error injection " David Howells
2017-10-19 14:52 ` David Howells
2017-10-20 6:47 ` joeyli
2017-10-20 6:47 ` joeyli
2017-10-20 6:47 ` joeyli
2017-10-19 14:52 ` [PATCH 18/27] bpf: Restrict kernel image access functions when " David Howells
2017-10-19 14:52 ` David Howells
2017-10-19 22:18 ` Alexei Starovoitov
2017-10-19 22:18 ` Alexei Starovoitov
2017-10-20 2:47 ` joeyli
2017-10-20 2:47 ` joeyli
2017-10-20 8:08 ` David Howells
2017-10-20 8:08 ` David Howells
2017-10-20 15:57 ` jlee
2017-10-20 15:57 ` jlee at suse.com
2017-10-20 23:00 ` Alexei Starovoitov
2017-10-23 14:51 ` David Howells
2017-10-20 16:03 ` David Howells
2017-10-20 16:03 ` David Howells
2017-10-20 16:03 ` David Howells
2017-10-20 16:43 ` jlee
2017-10-20 16:43 ` jlee at suse.com
2017-10-23 14:53 ` David Howells
2017-10-23 14:53 ` David Howells
2017-10-25 7:07 ` joeyli
2017-10-25 7:07 ` joeyli
2017-10-25 7:07 ` joeyli
2017-10-19 22:48 ` David Howells
2017-10-19 22:48 ` David Howells
2017-10-19 23:31 ` Alexei Starovoitov
2017-10-19 23:31 ` Alexei Starovoitov
2017-10-19 23:31 ` Alexei Starovoitov
2017-11-09 17:15 ` David Howells
2017-11-09 17:15 ` David Howells
2017-10-19 14:52 ` [PATCH 19/27] scsi: Lock down the eata driver David Howells
2017-10-19 14:52 ` David Howells
2017-10-19 14:53 ` [PATCH 20/27] Prohibit PCMCIA CIS storage when the kernel is locked down David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 14:53 ` [PATCH 21/27] Lock down TIOCSSERIAL David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 14:53 ` [PATCH 22/27] Lock down module params that specify hardware parameters (eg. ioport) David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 14:53 ` [PATCH 23/27] x86/mmiotrace: Lock down the testmmiotrace module David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 14:53 ` [PATCH 24/27] debugfs: Disallow use of debugfs files when the kernel is locked down David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 14:53 ` [PATCH 25/27] Lock down /proc/kcore David Howells
2017-10-19 14:53 ` David Howells
2017-10-21 2:11 ` James Morris
2017-10-21 2:11 ` James Morris
2017-10-23 14:56 ` David Howells
2017-10-23 14:56 ` David Howells
2017-10-19 14:53 ` [PATCH 26/27] efi: Add an EFI_SECURE_BOOT flag to indicate secure boot mode David Howells
2017-10-19 14:53 ` David Howells
2017-10-21 2:19 ` James Morris
2017-10-21 2:19 ` James Morris
2017-10-21 2:19 ` James Morris
2017-10-23 14:58 ` David Howells
2017-10-23 14:58 ` David Howells
2017-10-19 14:53 ` [PATCH 27/27] efi: Lock down the kernel if booted in " David Howells
2017-10-19 14:53 ` David Howells
2017-10-19 22:39 ` [PATCH 00/27] security, efi: Add kernel lockdown David Howells
2017-10-19 22:39 ` David Howells
2017-10-19 22:39 ` David Howells
2017-10-23 14:34 ` [PATCH 04/27] Restrict /dev/mem and /dev/kmem when the kernel is locked down David Howells
2017-10-23 14:34 ` David Howells
2017-10-23 14:34 ` David Howells
2017-10-24 10:48 ` Ethan Zhao
2017-10-24 10:48 ` Ethan Zhao
2017-10-24 10:48 ` Ethan Zhao
2017-10-24 14:56 ` David Howells
2017-10-24 14:56 ` David Howells
2017-11-02 22:01 ` [PATCH 00/27] security, efi: Add kernel lockdown Mimi Zohar
2017-11-02 22:01 ` Mimi Zohar
2017-11-02 22:04 ` Firmware signing -- " David Howells
2017-11-02 22:04 ` David Howells
2017-11-02 22:04 ` David Howells
2017-11-02 22:10 ` Mimi Zohar
2017-11-02 22:10 ` Mimi Zohar
2017-11-07 23:07 ` Luis R. Rodriguez
2017-11-07 23:07 ` Luis R. Rodriguez
2017-11-07 23:07 ` Luis R. Rodriguez
2017-11-08 6:15 ` AKASHI, Takahiro
2017-11-08 6:15 ` AKASHI, Takahiro
2017-11-08 6:15 ` AKASHI, Takahiro
2017-11-08 19:46 ` Luis R. Rodriguez
2017-11-08 19:46 ` Luis R. Rodriguez
2017-11-08 19:46 ` Luis R. Rodriguez
2017-11-09 1:48 ` AKASHI, Takahiro
2017-11-09 1:48 ` AKASHI, Takahiro
2017-11-09 1:48 ` AKASHI, Takahiro
2017-11-09 2:17 ` Mimi Zohar
2017-11-09 2:17 ` Mimi Zohar
2017-11-09 4:46 ` AKASHI, Takahiro
2017-11-09 4:46 ` AKASHI, Takahiro
2017-11-10 13:37 ` Mimi Zohar
2017-11-10 13:37 ` Mimi Zohar
2017-11-11 2:32 ` Alan Cox
2017-11-11 2:32 ` Alan Cox
2017-11-11 2:32 ` Alan Cox
2017-11-13 11:49 ` Mimi Zohar
2017-11-13 11:49 ` Mimi Zohar
2017-11-13 17:42 ` Luis R. Rodriguez
2017-11-13 17:42 ` Luis R. Rodriguez
2017-11-13 17:42 ` Luis R. Rodriguez
2017-11-13 21:08 ` Alan Cox
2017-11-13 21:08 ` Alan Cox
2017-12-04 19:51 ` Luis R. Rodriguez
2017-12-04 19:51 ` Luis R. Rodriguez
2017-12-04 19:51 ` Luis R. Rodriguez
2017-12-07 15:32 ` Alan Cox
2017-12-07 15:32 ` Alan Cox
2017-12-07 15:32 ` Alan Cox
2017-11-13 21:44 ` David Howells
2017-11-13 21:44 ` David Howells
2017-11-13 22:09 ` Linus Torvalds
2017-11-13 22:09 ` Linus Torvalds
2017-11-13 22:09 ` Linus Torvalds
2017-11-14 0:20 ` Alan Cox
2017-11-14 0:20 ` Alan Cox
2017-11-14 0:20 ` Alan Cox
2017-11-14 12:21 ` Mimi Zohar
2017-11-14 12:21 ` Mimi Zohar
2017-11-14 12:38 ` Greg Kroah-Hartman
2017-11-14 12:38 ` Greg Kroah-Hartman
2017-11-14 13:17 ` Mimi Zohar
2017-11-14 13:17 ` Mimi Zohar
2017-11-14 13:17 ` Mimi Zohar
2017-11-14 17:34 ` Linus Torvalds
2017-11-14 17:34 ` Linus Torvalds
2017-11-14 17:34 ` Linus Torvalds
2017-11-14 19:58 ` Matthew Garrett
2017-11-14 19:58 ` Matthew Garrett
2017-11-14 19:58 ` Matthew Garrett
2017-11-14 20:18 ` Linus Torvalds
2017-11-14 20:18 ` Linus Torvalds
2017-11-14 20:18 ` Linus Torvalds
2017-11-14 20:31 ` Matthew Garrett
2017-11-14 20:31 ` Matthew Garrett
2017-11-14 20:31 ` Matthew Garrett
2017-11-14 20:35 ` Linus Torvalds
2017-11-14 20:35 ` Linus Torvalds
2017-11-14 20:37 ` Matthew Garrett
2017-11-14 20:37 ` Matthew Garrett
2017-11-14 20:37 ` Matthew Garrett
2017-11-14 20:50 ` Luis R. Rodriguez
2017-11-14 20:50 ` Luis R. Rodriguez
2017-11-14 20:55 ` Matthew Garrett
2017-11-14 20:55 ` Matthew Garrett
2017-11-14 20:55 ` Matthew Garrett
2017-11-14 22:14 ` James Bottomley
2017-11-14 22:14 ` James Bottomley
2017-11-14 22:17 ` Matthew Garrett
2017-11-14 22:17 ` Matthew Garrett
2017-11-14 22:17 ` Matthew Garrett
2017-11-14 22:31 ` James Bottomley
2017-11-14 22:31 ` James Bottomley
2017-11-14 22:31 ` James Bottomley
2017-11-14 22:34 ` Matthew Garrett
2017-11-14 22:34 ` Matthew Garrett
2017-11-14 22:34 ` Matthew Garrett
2017-11-15 11:49 ` Mimi Zohar
2017-11-15 11:49 ` Mimi Zohar
2017-11-15 11:49 ` Mimi Zohar
2017-11-15 17:52 ` Luis R. Rodriguez
2017-11-15 17:52 ` Luis R. Rodriguez
2017-11-15 17:52 ` Luis R. Rodriguez
2017-11-15 19:56 ` Mimi Zohar
2017-11-15 19:56 ` Mimi Zohar
2017-11-15 20:46 ` Luis R. Rodriguez
2017-11-15 20:46 ` Luis R. Rodriguez
2017-11-16 0:05 ` Mimi Zohar
2017-11-16 0:05 ` Mimi Zohar
2017-12-05 10:27 ` Pavel Machek
2017-12-05 10:27 ` Pavel Machek
2017-12-07 23:02 ` Luis R. Rodriguez
2017-12-07 23:02 ` Luis R. Rodriguez
2017-12-07 23:02 ` Luis R. Rodriguez
2017-12-08 17:11 ` Alan Cox
2017-12-08 17:11 ` Alan Cox
2017-12-08 17:11 ` Alan Cox
2017-11-10 1:46 ` Luis R. Rodriguez
2017-11-10 1:46 ` Luis R. Rodriguez
2017-11-10 1:46 ` Luis R. Rodriguez
2017-11-10 13:45 ` Mimi Zohar
2017-11-10 13:45 ` Mimi Zohar
2017-11-10 13:45 ` Mimi Zohar
2017-11-13 18:50 ` Luis R. Rodriguez
2017-11-13 18:50 ` Luis R. Rodriguez
2017-11-13 18:50 ` Luis R. Rodriguez
2017-11-13 19:08 ` Luis R. Rodriguez
2017-11-13 19:08 ` Luis R. Rodriguez
2017-11-13 19:08 ` Luis R. Rodriguez
2017-11-08 20:01 ` Mimi Zohar
2017-11-08 20:01 ` Mimi Zohar
2017-11-08 20:09 ` Luis R. Rodriguez
2017-11-08 20:09 ` Luis R. Rodriguez
2019-02-28 21:28 [PULL REQUEST] Lock down patches Matthew Garrett
2019-02-28 22:44 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 22:44 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:10 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:10 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:11 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:11 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-02-28 23:11 ` [PATCH 01/27] Add the ability to lock down access to the running kernel image Matthew Garrett
2019-02-28 23:11 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-03-06 23:58 [PULL REQUEST] Kernel lockdown patches for 5.2 Matthew Garrett
2019-03-06 23:58 ` [PATCH 02/27] Add a SysRq option to lift kernel lockdown Matthew Garrett
2019-03-07 0:09 ` Randy Dunlap
2019-03-07 0:12 ` Matthew Garrett
2019-03-07 15:59 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=97659d0c-6992-3025-0f85-819d23e954cc@infradead.org \
--to=rdunlap@infradead.org \
--cc=dhowells@redhat.com \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jforbes@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthew.garrett@nebula.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.