Date: Wed, 12 Apr 2017 22:57:36 +0800
From: joeyli <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
        gnomes@lxorguk.ukuu.org.uk, netdev@vger.kernel.org,
        linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
        gregkh@linuxfoundation.org, matthew.garrett@nebula.com
Subject: Re: [PATCH 20/24] bpf: Restrict kernel image access functions when
 the kernel is locked down
Message-ID: <20170412145736.GF18270@linux-l9pv.suse>
References: <149142326734.5101.4596394505987813763.stgit@warthog.procyon.org.uk>
 <149142344547.5101.4518618716303032193.stgit@warthog.procyon.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <149142344547.5101.4518618716303032193.stgit@warthog.procyon.org.uk>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 982
Lines: 28

Hi David,

First, thanks for your help to send out this series.

On Wed, Apr 05, 2017 at 09:17:25PM +0100, David Howells wrote:
> From: Chun-Yi Lee <jlee@suse.com>
> 
> There are some bpf functions can be used to read kernel memory:
> bpf_probe_read, bpf_probe_write_user and bpf_trace_printk.  These allow
> private keys in kernel memory (e.g. the hibernation image signing key) to
> be read by an eBPF program.  Prohibit those functions when the kernel is
> locked down.
> 
> Signed-off-by: Chun-Yi Lee <jlee@suse.com>
> Signed-off-by: David Howells <dhowells@redhat.com>
> cc: netdev@vger.kernel.org

This patch is used with hibernation signature verification. I suggest
that we can remove this patch from your series because we just lock
down the hibernation function until hibernation verification get
accepted.

On the other hand, we are trying to enhance the bpf verifier to
prevent bpf print reads specific memory addresses that have sensitive
data.

Thanks a lot!
Joey Lee