From: Joel Stanley <joel@jms.id.au>
To: "Oliver O'Halloran" <oohall@gmail.com>
Cc: linuxppc-dev <linuxppc-dev@ozlabs.org>,
	Nayna Jain <nayna@linux.ibm.com>, Daniel Axtens <dja@axtens.net>
Subject: Re: [PATCH 7/9] powerpc/configs/skiroot: Enable security features
Date: Thu, 16 Jan 2020 07:14:31 +0000
Message-ID: <CACPK8XfBS8qRQ5fromLZXvQ-1EB_=yQvHYb8sWmG-B20ufW+SA@mail.gmail.com>
In-Reply-To: <CAOSf1CGnYqa7-QA-hK2OxymOQM8RS55xXq4cOvtou9nGfSWHgA@mail.gmail.com>

On Thu, 16 Jan 2020 at 07:10, Oliver O'Halloran <oohall@gmail.com> wrote:
>
> On Thu, Jan 16, 2020 at 4:00 PM Daniel Axtens <dja@axtens.net> wrote:
> >
> > Michael Ellerman <mpe@ellerman.id.au> writes:
> >
> > > From: Joel Stanley <joel@jms.id.au>
> > >
> > > This turns on HARDENED_USERCOPY with HARDENED_USERCOPY_PAGESPAN, and
> > > FORTIFY_SOURCE.
> > >
> > > It also enables SECURITY_LOCKDOWN_LSM with _EARLY and
> > > LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY options enabled.
> > >
> >
> > As I said before, this will disable xmon entirely. If we want to set
> > this, we should compile out xmon. But if we want xmon in read-only mode
> > to be an option, we should pick integrity mode.
> >
> > I don't really mind, because I don't work with skiroot very
> > much. Oliver, Joel, Nayna, you all do stuff around this sort of level -
> > is this a problem for any of you?
>
> Keep it enabled and force INTEGRITY mode. There are some cases where
> xmon is the only method for debugging a crashing skiroot (hello SMC
> BMCs) so I'd rather it remained available. If there's some actual
> security benefit to disabling it entirely then someone should
> articulate that.

Ack.
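
A build-time check for the option combination discussed in this thread, as an added example that is not part of the original messages or of the kernel tree. The function names and the sample config fragments are constructed for illustration; the xmon outcomes for confidentiality and integrity mode are the ones described in the thread.

```shell
#!/bin/sh
# Added example: lint a kernel .config/defconfig for the xmon vs. lockdown
# interaction raised in this thread. All inputs below are constructed.

# cfg_enabled FILE SYMBOL: succeed only if CONFIG_SYMBOL=y is set in FILE.
# "# CONFIG_FOO is not set" lines and absent symbols both count as disabled.
cfg_enabled() {
    grep -q "^CONFIG_$2=y\$" "$1"
}

# lockdown_level FILE: print the lockdown level forced at build time.
# "none" means nothing is forced; it can still be raised at runtime.
lockdown_level() {
    if ! cfg_enabled "$1" SECURITY_LOCKDOWN_LSM; then
        echo none
    elif cfg_enabled "$1" LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY; then
        echo confidentiality
    elif cfg_enabled "$1" LOCK_DOWN_KERNEL_FORCE_INTEGRITY; then
        echo integrity
    else
        echo none
    fi
}

# xmon_state FILE: print what the debugger can do under that config.
xmon_state() {
    cfg_enabled "$1" XMON || { echo compiled-out; return 0; }
    case "$(lockdown_level "$1")" in
        confidentiality) echo disabled-by-lockdown ;;
        integrity)       echo read-only ;;
        *)               echo read-write ;;
    esac
}

# check_xmon_usable FILE: fail when xmon is built in but can never be used,
# i.e. the combination the review comment objects to.
check_xmon_usable() {
    [ "$(xmon_state "$1")" != disabled-by-lockdown ]
}

# sample_config LEVEL: constructed fragment, not the real skiroot_defconfig.
sample_config() {
    printf '%s\n' 'CONFIG_XMON=y' 'CONFIG_SECURITY_LOCKDOWN_LSM=y' \
        'CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y' \
        "CONFIG_LOCK_DOWN_KERNEL_FORCE_$1=y"
}

tmp=$(mktemp) || exit 1
for level in CONFIDENTIALITY INTEGRITY; do
    sample_config "$level" > "$tmp"
    echo "FORCE_$level: xmon is $(xmon_state "$tmp")"
done
rm -f "$tmp"
```

In CI, `check_xmon_usable path/to/defconfig` can gate a config change so that xmon is either compiled out or left usable in read-only mode.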


Thread overview: 21+ messages
2020-01-16  1:48 [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Michael Ellerman
2020-01-16  1:48 ` [PATCH 2/9] powerpc/configs: NET_CADENCE became NET_VENDOR_CADENCE Michael Ellerman
2020-01-16  1:54   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 3/9] powerpc/configs: Drop NET_VENDOR_HP which moved to staging Michael Ellerman
2020-01-16  1:54   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 4/9] powerpc/configs/skiroot: Drop HID_LOGITECH Michael Ellerman
2020-01-16  1:55   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 5/9] powerpc/configs/skiroot: Drop default n CONFIG_CRYPTO_ECHAINIV Michael Ellerman
2020-01-16  1:55   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 6/9] powerpc/configs/skiroot: Update for symbol movement only Michael Ellerman
2020-01-16  1:52   ` Joel Stanley
2020-01-16  1:48 ` [PATCH 7/9] powerpc/configs/skiroot: Enable security features Michael Ellerman
2020-01-16  5:00   ` Daniel Axtens
2020-01-16  7:10     ` Oliver O'Halloran
2020-01-16  7:14       ` Joel Stanley [this message]
2020-01-16  1:48 ` [RFC PATCH 8/9] powerpc/configs/skiroot: Disable xmon default & enable reboot on panic Michael Ellerman
2020-01-16  1:53   ` Joel Stanley
2020-01-16  1:48 ` [RFC PATCH 9/9] powerpc/configs/skiroot: Enable some more hardening options Michael Ellerman
2020-01-16  1:51   ` Joel Stanley
2020-01-21  4:21     ` Michael Ellerman
2020-01-16  1:54 ` [PATCH 1/9] powerpc/configs: Drop CONFIG_QLGE which moved to staging Joel Stanley
