Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755172Ab3IITIX (ORCPT ); Mon, 9 Sep 2013 15:08:23 -0400 Received: from mail-bl2lp0210.outbound.protection.outlook.com ([207.46.163.210]:25205 "EHLO na01-bl2-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753706Ab3IITIV (ORCPT ); Mon, 9 Sep 2013 15:08:21 -0400 From: Matthew Garrett To: "Valdis.Kletnieks@vt.edu" CC: David Lang , "linux-kernel@vger.kernel.org" , "keescook@chromium.org" , "gregkh@linuxfoundation.org" , "hpa@zytor.com" , "linux-efi@vger.kernel.org" , "jmorris@namei.org" , "linux-security-module@vger.kernel.org" Subject: Re: [PATCH 00/12] One more attempt at useful kernel lockdown Thread-Topic: [PATCH 00/12] One more attempt at useful kernel lockdown Thread-Index: AQHOrYDL2QYLBLFVskGOdCrAsfX2cpm9uPUAgAAKHLaAAAHMgA== Date: Mon, 9 Sep 2013 19:08:16 +0000 Message-ID: <1378753695.17982.17.camel@x230.lan> References: <1378741786-18430-1-git-send-email-matthew.garrett@nebula.com> <19562.1378747124@turing-police.cc.vt.edu> <27562.1378753264@turing-police.cc.vt.edu> In-Reply-To: <27562.1378753264@turing-police.cc.vt.edu> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [2001:470:1f07:1371:5d52:9ee3:3e84:6668] x-forefront-prvs: 09645BAC66 x-forefront-antispam-report: SFV:NSPM;SFS:(377424004)(24454002)(51704005)(189002)(199002)(81816001)(81342001)(69226001)(65816001)(80022001)(46102001)(63696002)(51856001)(4396001)(76786001)(76796001)(81542001)(81686001)(47736001)(49866001)(50986001)(47976001)(36756003)(33646001)(74366001)(47446002)(74706001)(31966008)(74502001)(74662001)(74876001)(80976001)(83072001)(77982001)(59766001)(56776001)(54316002)(79102001)(77096001)(56816003)(53806001)(54356001)(76482001)(83322001)(19580405001)(19580395003)(3826001);DIR:OUT;SFP:;SCL:1;SRVR:BY2PR05MB223;H:BY2PR05MB222.namprd05.prod.outlook.com;CLIP:2001:470:1f07:1371:5d52:9ee3:3e84:6668;RD:InfoNoRecords;MX:1;A:1;LANG:en; Content-Type: text/plain; charset="utf-8" Content-ID: MIME-Version: 1.0 X-OriginatorOrg: nebula.com Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from base64 to 8bit by mail.home.local id r89J8PXD022464 Content-Length: 872 Lines: 18 On Mon, 2013-09-09 at 15:01 -0400, Valdis.Kletnieks@vt.edu wrote: > On Mon, 09 Sep 2013 11:25:38 -0700, David Lang said: > > > Given that we know that people want signed binaries without blocking kexec, you > > should have '1' just enforce module signing and '2' (or higher) implement a full > > lockdown including kexec. > > > Or, eliminate the -1 permanently insecure option and make this a bitmask, if > > someone wants to enable every possible lockdown, have them set it to "all 1's", > > define the bits only as you need them. > > This strikes me as much more workable than one big sledgehammer. Which combinations are you envisioning as being useful? -- Matthew Garrett ????{.n?+???????+%?????ݶ??w??{.n?+????{??G?????{ay?ʇڙ?,j??f???h?????????z_??(?階?ݢj"???m??????G????????????&???~???iO???z??v?^?m???? ????????I?