From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Jiri Kosina <jkosina@suse.cz>, Josh Boyer <jwboyer@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support
Date: Wed, 31 Oct 2012 17:10:48 +0000 [thread overview]
Message-ID: <20121031171048.GA17163@srcf.ucam.org> (raw)
In-Reply-To: <20121031170334.59833fb1@pyramind.ukuu.org.uk>
On Wed, Oct 31, 2012 at 05:03:34PM +0000, Alan Cox wrote:
> On Wed, 31 Oct 2012 16:55:04 +0100 (CET)
> Jiri Kosina <jkosina@suse.cz> wrote:
> > Prepare (as a root) a hand-crafted image, reboot, let the kernel resume
> > from that artificial image.
>
> It's not signed. It won't reboot from that image.
The kernel is signed. The kernel doesn't check the signature on the
suspend image.
--
Matthew Garrett | mjg59@srcf.ucam.org
next prev parent reply other threads:[~2012-10-31 17:10 UTC|newest]
Thread overview: 224+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-09-20 14:40 [RFC] Second attempt at kernel secure boot support Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 01/10] Secure boot: Add new capability Matthew Garrett
2012-09-28 3:10 ` Serge Hallyn
2012-10-20 0:15 ` joeyli
2012-10-20 9:02 ` Matt Fleming
2012-09-20 14:40 ` [PATCH V2 02/10] PCI: Lock down BAR access in secure boot environments Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 03/10] x86: Lock down IO port " Matthew Garrett
2012-09-20 14:40 ` [PATCH V2 04/10] ACPI: Limit access to custom_method Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 05/10] asus-wmi: Restrict debugfs interface Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 06/10] Restrict /dev/mem and /dev/kmem in secure boot setups Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 07/10] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode Matthew Garrett
2012-09-20 16:32 ` Greg KH
2012-09-20 17:40 ` Josh Boyer
2012-09-25 13:08 ` [PATCH V3 " Josh Boyer
2012-10-29 9:00 ` joeyli
2012-10-30 17:48 ` Josh Boyer
2012-10-30 19:27 ` joeyli
2012-09-21 8:20 ` [PATCH V2 " joeyli
2012-09-28 3:20 ` Serge Hallyn
2012-09-20 14:41 ` [PATCH V2 08/10] efi: Enable secure boot lockdown automatically when enabled in firmware Matthew Garrett
2012-09-28 3:21 ` Serge Hallyn
2012-10-22 13:22 ` Matt Fleming
2012-09-20 14:41 ` [PATCH V2 09/10] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment Matthew Garrett
2012-09-20 14:41 ` [PATCH V2 10/10] SELinux: define mapping for new Secure Boot capability Matthew Garrett
2012-09-21 22:55 ` [RFC] Second attempt at kernel secure boot support Eric W. Biederman
2012-09-22 15:21 ` Matthew Garrett
2012-10-29 7:49 ` Jiri Kosina
2012-10-29 17:41 ` Matthew Garrett
2012-10-31 14:50 ` Jiri Kosina
2012-10-31 14:54 ` Josh Boyer
2012-10-31 14:59 ` Shea Levy
2012-10-31 15:55 ` Alan Cox
2012-10-31 15:55 ` Jiri Kosina
2012-10-31 17:03 ` Alan Cox
2012-10-31 17:01 ` Shea Levy
2012-10-31 17:17 ` Alan Cox
2012-10-31 17:10 ` Matthew Garrett [this message]
2012-10-31 17:21 ` Alan Cox
2012-10-31 17:17 ` Matthew Garrett
2012-10-31 17:39 ` Alan Cox
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:49 ` Alan Cox
2012-10-31 17:45 ` Matthew Garrett
2012-10-31 20:14 ` Oliver Neukum
2012-10-31 21:58 ` Chris Friesen
2012-10-31 22:00 ` Jiri Kosina
2012-10-31 22:19 ` Oliver Neukum
2012-11-01 9:08 ` James Bottomley
2012-11-01 9:20 ` Jiri Kosina
2012-11-01 9:38 ` James Bottomley
2012-11-01 9:45 ` Jiri Kosina
2012-11-01 9:59 ` James Bottomley
2012-11-01 10:06 ` Jiri Kosina
2012-11-01 14:29 ` Eric Paris
2012-11-01 14:42 ` James Bottomley
2012-11-01 14:49 ` Matthew Garrett
2012-11-01 15:06 ` James Bottomley
2012-11-01 15:17 ` Eric Paris
2012-11-01 16:26 ` Matthew Garrett
2012-11-01 15:06 ` Alan Cox
2012-11-01 16:29 ` Matthew Garrett
2012-11-01 16:40 ` Alan Cox
2012-11-01 14:59 ` Eric Paris
2012-11-01 15:11 ` Alan Cox
2012-11-01 15:18 ` James Bottomley
2012-11-01 17:50 ` Eric Paris
2012-11-01 21:03 ` James Bottomley
2012-11-01 21:06 ` Matthew Garrett
2012-11-01 21:14 ` James Bottomley
2012-11-01 21:18 ` Matthew Garrett
2012-11-01 21:35 ` Alan Cox
2012-11-01 21:31 ` Alan Cox
2012-11-01 21:28 ` Matthew Garrett
2012-11-01 21:37 ` Alan Cox
2012-11-01 21:34 ` Matthew Garrett
2012-11-01 21:58 ` Alan Cox
2012-11-01 21:57 ` Matthew Garrett
2012-11-02 8:49 ` Eric W. Biederman
2012-11-02 14:00 ` Matthew Garrett
2012-11-02 22:03 ` Eric W. Biederman
2012-11-02 22:19 ` Chris Friesen
2012-11-02 23:46 ` Alan Cox
2012-11-03 0:23 ` Matthew Garrett
2012-11-03 0:55 ` Alan Cox
2012-11-03 0:20 ` Matthew Garrett
2012-11-03 0:47 ` Eric W. Biederman
2012-11-03 1:03 ` Alan Cox
2012-11-03 1:43 ` Matthew Garrett
2012-11-03 16:31 ` Alan Cox
2012-11-03 16:37 ` Matthew Garrett
2012-11-03 16:37 ` Eric Paris
2012-11-03 16:42 ` Matthew Garrett
2012-11-02 17:19 ` Vivek Goyal
2012-11-01 14:46 ` Alan Cox
2012-11-01 15:04 ` Eric Paris
2012-11-01 20:27 ` Pavel Machek
2012-11-01 21:02 ` Chris Friesen
2012-11-02 15:48 ` Vivek Goyal
2012-11-02 16:54 ` Chris Friesen
2012-11-02 17:03 ` Vivek Goyal
2012-11-03 23:09 ` Jiri Kosina
2012-11-05 6:38 ` Eric W. Biederman
2012-11-05 14:40 ` Jiri Kosina
2012-11-05 15:31 ` Jiri Kosina
2012-11-05 15:37 ` Chris Friesen
2012-11-05 18:22 ` Vivek Goyal
2012-11-02 16:33 ` Pavel Machek
2012-11-02 16:52 ` James Bottomley
2012-11-02 16:54 ` Matthew Garrett
2012-11-02 17:48 ` James Bottomley
2012-11-02 17:54 ` Matthew Garrett
2012-11-02 17:57 ` James Bottomley
2012-11-02 18:04 ` Matthew Garrett
2012-11-02 19:18 ` Eric Paris
2012-11-02 23:38 ` James Bottomley
2012-11-03 0:22 ` Matthew Garrett
2012-11-03 12:03 ` James Bottomley
2012-11-03 13:46 ` Matthew Garrett
2012-11-03 22:56 ` James Bottomley
2012-11-04 4:28 ` Matthew Garrett
2012-11-04 9:14 ` James Bottomley
2012-11-04 13:52 ` Matthew Garrett
2012-11-05 6:14 ` Eric W. Biederman
2012-11-05 7:12 ` H. Peter Anvin
2012-11-05 7:24 ` Eric W. Biederman
2012-11-05 7:40 ` H. Peter Anvin
2012-11-05 8:50 ` Eric W. Biederman
2012-11-05 8:53 ` H. Peter Anvin
2012-11-05 12:38 ` Matthew Garrett
2012-11-05 13:44 ` Alan Cox
2012-11-05 13:46 ` Matthew Garrett
2012-11-05 19:16 ` Eric W. Biederman
2012-11-05 20:25 ` Matthew Garrett
2012-11-06 2:46 ` Eric W. Biederman
2012-11-06 3:12 ` Matthew Garrett
2012-11-06 3:36 ` Eric W. Biederman
2012-11-06 3:53 ` Matthew Garrett
2012-11-06 5:19 ` Eric W. Biederman
2012-11-06 5:34 ` Matthew Garrett
2012-11-06 7:56 ` Florian Weimer
2012-11-06 15:14 ` Chris Friesen
2012-11-06 15:19 ` Jiri Kosina
2012-11-06 21:51 ` Florian Weimer
2012-11-06 21:55 ` Matthew Garrett
2012-11-06 22:06 ` Florian Weimer
2012-11-06 22:31 ` Matthew Garrett
2012-11-06 22:49 ` Alan Cox
2012-11-06 22:47 ` Matthew Garrett
[not found] ` <CAMFK0gt7oAr4ArD8FmD8QE+i4g4rSTmQjbbLcjs02xwQeXGx-A@mail.gmail.com>
2012-11-07 14:55 ` Matthew Garrett
2012-11-08 10:18 ` James Courtier-Dutton
[not found] ` <CAAMvbhFF=kb8TJ4oE+40Zrx7HD1OkD0NOYj7QEZegZKGtqDm_A@mail.gmail.com>
2012-11-08 11:19 ` Alan Cox
2012-11-06 9:12 ` Alan Cox
2012-11-06 13:17 ` Matthew Garrett
2012-11-06 8:13 ` Valdis.Kletnieks
2012-11-05 8:20 ` James Bottomley
2012-11-05 12:36 ` Matthew Garrett
2012-11-04 11:53 ` Pavel Machek
2012-11-05 21:25 ` Florian Weimer
2012-11-02 14:55 ` Vivek Goyal
2012-11-01 10:12 ` Oliver Neukum
2012-10-31 17:21 ` Jiri Kosina
2012-10-31 15:56 ` Matthew Garrett
2012-10-31 17:08 ` Alan Cox
2012-10-31 17:08 ` Shea Levy
2012-10-31 16:04 ` Jiri Kosina
2012-10-31 16:10 ` Josh Boyer
2012-10-31 15:02 ` Matthew Garrett
2012-10-31 15:05 ` Shea Levy
2012-10-31 15:09 ` Matthew Garrett
2012-11-02 15:30 ` Vivek Goyal
2012-11-02 15:42 ` Matthew Garrett
2012-11-02 15:52 ` Vivek Goyal
2012-11-02 16:22 ` Jiri Kosina
2012-11-02 18:30 ` Vivek Goyal
2012-11-02 16:35 ` Shuah Khan
2012-11-06 12:51 ` Jiri Kosina
2012-11-06 13:16 ` Matthew Garrett
2012-10-31 17:28 ` Takashi Iwai
2012-10-31 17:37 ` Matthew Garrett
2012-10-31 17:44 ` Alan Cox
2012-10-31 17:44 ` Matthew Garrett
2012-10-31 18:53 ` Takashi Iwai
2012-11-01 4:21 ` joeyli
2012-11-01 13:18 ` Alan Cox
2012-11-05 17:13 ` Takashi Iwai
2012-11-05 17:18 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 1/4] scripts/sign-file: Allow specifying hash algorithm via -a option Takashi Iwai
2012-11-05 17:19 ` [PATCH RFC 2/4] scripts/sign-file: Support firmware signing Takashi Iwai
2012-11-05 17:20 ` [PATCH RFC 3/4] firmware: Add a signature check Takashi Iwai
2012-11-06 6:03 ` Mimi Zohar
2012-11-05 17:20 ` [PATCH RFC 4/4] firmware: Install signature files automatically Takashi Iwai
2012-11-05 18:12 ` [PATCH RFC 0/4] Add firmware signature file check Takashi Iwai
2012-11-05 20:43 ` Josh Boyer
2012-11-06 6:46 ` Takashi Iwai
2012-11-06 9:20 ` Alan Cox
2012-11-06 10:05 ` Takashi Iwai
2012-11-06 2:30 ` Ming Lei
2012-11-06 5:46 ` lee joey
2012-11-06 7:03 ` Takashi Iwai
2012-11-06 7:16 ` Ming Lei
2012-11-06 7:32 ` Takashi Iwai
2012-11-06 8:04 ` Ming Lei
2012-11-06 8:18 ` Takashi Iwai
2012-11-06 10:04 ` Ming Lei
2012-11-06 10:17 ` Takashi Iwai
2012-11-06 10:40 ` Ming Lei
2012-11-06 10:53 ` Takashi Iwai
2012-11-06 11:03 ` Ming Lei
2012-11-06 11:15 ` Alan Cox
[not found] ` <CAGB3EUTrSMDhja9Gu3h7nuZX+H2_owp8MnUNwbZuCW=_GuawqQ@mail.gmail.com>
2012-11-06 7:06 ` Takashi Iwai
2012-11-06 7:30 ` Ming Lei
2012-11-08 17:35 ` [PATCH RFC v2 " Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 1/4] firmware: Add the firmware signing support to scripts/sign-file Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 2/4] firmware: Add -a option " Takashi Iwai
2012-11-23 6:51 ` joeyli
2012-11-08 17:35 ` [PATCH RFC v2 3/4] firmware: Add support for signature checks Takashi Iwai
2012-11-23 6:56 ` joeyli
2012-11-23 7:34 ` Takashi Iwai
2012-11-08 17:35 ` [PATCH RFC v2 4/4] firmware: Install firmware signature files automatically Takashi Iwai
2012-11-23 6:52 ` joeyli
2012-11-06 0:01 ` [PATCH RFC 0/4] Add firmware signature file check David Howells
2012-11-06 7:01 ` Takashi Iwai
2012-11-06 0:05 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121031171048.GA17163@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jkosina@suse.cz \
--cc=jwboyer@gmail.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).