From: David Howells
To: Mimi Zohar
Cc: dhowells@redhat.com, joeyli, linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, jforbes@redhat.com, Matthew Garrett
Subject: Re: [PATCH 07/27] kexec_file: Disable at runtime if securelevel has been set
Date: Thu, 02 Nov 2017 17:00:08 +0000

Mimi Zohar wrote:

> At some point, we'll want to also require the initramfs be signed as well.

That could be tricky. In Fedora, at least, that's assembled on the fly to
include just the drivers you need to be able to mount your root fs and find
the rest of your modules.

(Unless you mean just for the installer)

David