Date: Thu, 22 Feb 2018 20:08:14 +0100
From: Jiri Bohac
To: David Howells
Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down
Message-ID: <20180222190814.a5mavnqvii5i6ptf@dwarf.suse.cz>
References: <151024869793.28329.4817577607302613028.stgit@warthog.procyon.org.uk> <151024863544.28329.2436580122759221600.stgit@warthog.procyon.org.uk> <8846.1519309243@warthog.procyon.org.uk>
In-Reply-To: <8846.1519309243@warthog.procyon.org.uk>

On Thu, Feb 22, 2018 at 02:20:43PM +0000, David Howells wrote:
> commit 87a39b258eca2e15884ee90c3fcd5758d6057b17
> Author: David Howells
> Date:   Thu Feb 22 13:42:04 2018 +0000
>
>     kexec_file: split KEXEC_VERIFY_SIG into KEXEC_SIG and KEXEC_SIG_FORCE
>
>     This is a preparatory patch for kexec_file_load() lockdown. A locked down
>     kernel needs to prevent unsigned kernel images to be loaded with

s/to be loaded/from being loaded/ (my own mistake :-))

Otherwise looks good. Thanks for improving my idea.

Reviewed-by: Jiri Bohac

-- 
Jiri Bohac
SUSE Labs, Prague, Czechia