| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 Dec 2019 07:54:27 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>,
Michael Ellerman <mpe@...erman.id.au>
Cc: ajd@...ux.ibm.com, alastair@...ilva.org,
"Aneesh Kumar K.V" <aneesh.kumar@...ux.ibm.com>,
asteinhauser@...gle.com, Bjorn Helgaas <bhelgaas@...gle.com>,
Qian Cai <cai@....pw>, chris.packham@...iedtelesis.co.nz,
chris.smart@...anservices.gov.au,
Christophe Leroy <christophe.leroy@....fr>, clg@...d.org,
cmr@...ormatik.wtf, David Hildenbrand <david@...hat.com>,
debmc@...ux.vnet.ibm.com,
Geert Uytterhoeven <geert+renesas@...der.be>,
gwalbon@...ux.ibm.com, harish@...ux.ibm.com,
hbathini@...ux.ibm.com, Christoph Hellwig <hch@....de>,
krzk@...nel.org, leonardo@...ux.ibm.com,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
linuxppc-dev@...ts.ozlabs.org, linuxram@...ibm.com,
madalin.bucur@....com, Mathieu Malaterre <malat@...ian.org>,
msuchanek@...e.de, Nathan Chancellor <natechancellor@...il.com>,
nathanl@...ux.ibm.com, Nayna Jain <nayna@...ux.ibm.com>,
Nick Piggin <npiggin@...il.com>,
"Oliver O'Halloran" <oohall@...il.com>, oss@...error.net,
ravi.bangoria@...ux.ibm.com, Russell Currey <ruscur@...sell.cc>,
sbobroff@...ux.ibm.com, thuth@...hat.com, tyreld@...ux.ibm.com,
vaibhav@...ux.ibm.com, valentin@...gchamp.me, yanaijie@...wei.com,
YueHaibing <yuehaibing@...wei.com>
Subject: Re: [GIT PULL] Please pull powerpc/linux.git powerpc-5.5-1 tag
On Sat, 2019-11-30 at 14:42 -0800, Linus Torvalds wrote:
> [ Only tangentially related to the power parts ]
>
> On Sat, Nov 30, 2019 at 2:41 AM Michael Ellerman <mpe@...erman.id.au> wrote:
> >
> > There's some changes in security/integrity as part of the secure boot work. They
> > were all either written by or acked/reviewed by Mimi.
>
> -#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390)
> +#if (defined(CONFIG_X86) && defined(CONFIG_EFI)) || defined(CONFIG_S390) \
> + || defined(CONFIG_PPC_SECURE_BOOT)
>
> This clearly should be its own CONFIG variable, and be generated by
> having the different architectures just select it.
>
> IOW, IMA should probably have a
>
> config IMA_SECURE_BOOT
>
> and then s390 would just do the select unconditionally, while x86 and
> ppc would do
>
> select IMA_SECURE_BOOT if EFI
>
> and
>
> select IMA_SECURE_BOOT if PPC_SECURE_BOOT
>
> respectively.
>
> And then we wouldn't have random architectures adding random "me me me
> tooo!!!" type code.
Agreed, but the naming is a bit off. The flag somehow needs to take
into account "trusted boot" as well. On s390, only secure boot is
enabled, at least for the time being. On x86, both secure and trusted
boot are enabled. On powerpc, the architecture properly enables
secure and/or trusted boot based on OPAL flags.
It's a bit long, but could the flag be named
IMA_SECURE_AND_OR_TRUSTED_BOOT?
thanks,
Mimi
Powered by blists - more mailing lists