In-Reply-To: <147933283664.19316.12454053022687659937.stgit@warthog.procyon.org.uk>
References: <147933283664.19316.12454053022687659937.stgit@warthog.procyon.org.uk>
From: Justin Forbes
Date: Wed, 16 Nov 2016 16:28:31 -0600
Subject: Re: [PATCH 00/16] Kernel lockdown
To: David Howells
Cc: keyrings@vger.kernel.org, matthew.garrett@nebula.com,
    linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
    linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Nov 16, 2016 at 3:47 PM, David Howells wrote:
>
> These patches provide a facility by which a variety of avenues by which
> userspace can feasibly modify the running kernel image can be locked down.
> These include:
>

Bit surprised to see this. Not that I am opposed to the patches
themselves. These were pulled into my tree as the first step towards
consolidating the implementation used for secure boot, and I know
there is interest in using large parts outside of a secure boot
context as well, but there were a few changes to be made after our
discussions in Santa Fe. Those are going into
http://git.kernel.org/cgit/linux/kernel/git/jforbes/linux.git/log/?h=lockdown

I am completely happy to submit those changes as separate patches if
people want to take these. They do actually work, and are being
shipped and supported by multiple distributions at this point.

Justin