[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <201209240840.29342.trenn@suse.de>
Date: Mon, 24 Sep 2012 08:40:28 +0200
From: Thomas Renninger <trenn@...e.de>
To: Len Brown <lenb@...nel.org>
Cc: hpa@...or.com, initramfs@...r.kernel.org, robert.moore@...el.com,
linux-kernel@...r.kernel.org, linux-acpi@...r.kernel.org,
yinghai@...nel.org, eric.piel@...mplin-utc.net, vojcek@...n.pl
Subject: Re: [PATCH 2/2] ACPI: Override arbitrary ACPI tables via initrd for debugging
On Sunday 23 September 2012 06:25:40 Len Brown wrote:
> > +config ACPI_INITRD_TABLE_OVERRIDE
> > + bool
> > + default y
>
> Do distros in addition to SuSE concur they want to ship this way?
Whether distros ship this in their enterprise, community or just in
a -debug kernel flavor is up to them.
I cannot see why this cannot be enabled by default on all.
That is what the TAINT flag is for...
> The last time we tried to make debugging easier we added
> ACPI_CUSTOM_METHOD, which allowed root to over-ride an AML method
> on a running system. Distro security-minded people were not amused.
Yep and therefore you have to remove this one from the tools for
ACPI debugging you listed.
The issue is/was, that root can inject code at runtime which is then
executed in kernel environment.
Afaik there are "security" provisions or say setups, which do
hide modprobe/insmod and do not allow root to load any kernel drivers
or similar.
If one can write the kernel or initrd which gets booted, I guess there
are not much security restrictions anymore you could put on this user...
But thanks for the pointer, I'll go and double check with some
security guys.
> thanks,
> -Len Brown, Intel Open Source Technology Center
>
> ps I noticed your reference to acpidump in the README.
> That reminded me to push it to the kernel source tree.
> Its new home will be tools/power/acpi
This is the one which I tried to/did adjust to acpica headers?
This sounds like a very good idea. I'll adjust the docs.
pss: Can this tool live there as well:
ftp://ftp.suse.com/pub/people/trenn/sources/ec/ec_access.c
It's the userspace tool for examining EC values (and changes) via
ec_sys debug driver and a corresponding /sys/kernel/debug/.. file.
It's more ore less doing the same what the old thinkpad_acpi driver
could, but offers this to all machines with an EC device.
Thomas
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists