[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 9 Sep 2013 18:42:38 +0000
From: Matthew Garrett <matthew.garrett@...ula.com>
To: David Lang <david@...g.hm>
CC: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"keescook@...omium.org" <keescook@...omium.org>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"hpa@...or.com" <hpa@...or.com>,
"linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>,
"jmorris@...ei.org" <jmorris@...ei.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>
Subject: Re: [PATCH 00/12] One more attempt at useful kernel lockdown
On Mon, 2013-09-09 at 11:40 -0700, David Lang wrote:
> On Mon, 9 Sep 2013, Matthew Garrett wrote:
>
> > On Mon, 2013-09-09 at 11:25 -0700, David Lang wrote:
> >
> >> Given that we know that people want signed binaries without blocking kexec, you
> >> should have '1' just enforce module signing and '2' (or higher) implement a full
> >> lockdown including kexec.
> >
> > There's already a kernel option for that.
>
> So, if there is an existing kernel option for this, why do we need a new one?
There's an existing kernel option for "I want to enforce module
signatures but I don't care about anything else". There isn't for "I
want to prevent userspace from modifying my running kernel".
--
Matthew Garrett <matthew.garrett@...ula.com>
Powered by blists - more mailing lists