| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z92gTQj6QkedbH0K@kernel.org> Date: Fri, 21 Mar 2025 19:22:21 +0200 From: Jarkko Sakkinen <jarkko@...nel.org> To: Paul Moore <paul@...l-moore.com> Cc: Eric Snowberg <eric.snowberg@...cle.com>, Mimi Zohar <zohar@...ux.ibm.com>, David Howells <dhowells@...hat.com>, "open list:SECURITY SUBSYSTEM" <linux-security-module@...r.kernel.org>, David Woodhouse <dwmw2@...radead.org>, "herbert@...dor.apana.org.au" <herbert@...dor.apana.org.au>, "davem@...emloft.net" <davem@...emloft.net>, Ard Biesheuvel <ardb@...nel.org>, James Morris <jmorris@...ei.org>, "Serge E. Hallyn" <serge@...lyn.com>, Roberto Sassu <roberto.sassu@...wei.com>, Dmitry Kasatkin <dmitry.kasatkin@...il.com>, Mickaël Salaün <mic@...ikod.net>, "casey@...aufler-ca.com" <casey@...aufler-ca.com>, Stefan Berger <stefanb@...ux.ibm.com>, "ebiggers@...nel.org" <ebiggers@...nel.org>, Randy Dunlap <rdunlap@...radead.org>, open list <linux-kernel@...r.kernel.org>, "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>, "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org> Subject: Re: [RFC PATCH v3 00/13] Clavis LSM On Thu, Mar 20, 2025 at 05:36:41PM -0400, Paul Moore wrote: > On Thu, Mar 20, 2025 at 12:29 PM Eric Snowberg <eric.snowberg@...cle.com> wrote: > > > On Mar 6, 2025, at 7:46 PM, Paul Moore <paul@...l-moore.com> wrote: > > > On March 6, 2025 5:29:36 PM Eric Snowberg <eric.snowberg@...cle.com> wrote: > > ... > > > >> Does this mean Microsoft will begin signing shims in the future without > > >> the lockdown requirement? > > > > > > That's not a question I can answer, you'll need to discuss that with the UEFI SB people. > > > > Based on your previous lockdown comments, I thought you might have > > some new information. Having lockdown enforcement has always been > > a requirement to get a shim signed by Microsoft. > > I want to address two things, the first, and most important, is that > while I am currently employed by Microsoft, I do not speak for > Microsoft and the decisions and actions I take as an upstream Linux > kernel maintainer are not vetted by Microsoft in any way. I think you > will find that many upstream kernel maintainers operate in a similar > way for a variety of very good reasons. This is understood. If one takes a kernel maintainer role, one should unconditionally disobey any vetting by the employer (even at the cost of the job, or alternatively at the cost of giving up the maintainership). And with you in particular I don't think anyone has any trust issues, no matter which group of villains you might be employed by ;-) > > The second issue is that my main focus is on ensuring we have a > secure, safe, and well maintained LSM subsystem within the upstream > Linux kernel. While I do care about downstream efforts, e.g. UEFI > Secure Boot, those efforts are largely outside the scope of the > upstream Linux kernel and not my first concern. If the developer > groups who are focused on things like UEFI SB want to rely on > functionality within the upstream Linux kernel they should be prepared > to stand up and contribute/maintain those features or else they may go > away at some point in the future. In very blunt terms, contribute > upstream or Lockdown dies. Could Lockdown functionality be re-implemented with that eBPF LSM? I have not really looked into it so far... BR, Jarkko
Powered by blists - more mailing lists