Date: Thu, 22 Feb 2018 20:14:28 +0100
From: Jiri Bohac
To: David Howells
Cc: linux-security-module@vger.kernel.org, gnomes@lxorguk.ukuu.org.uk, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, jforbes@redhat.com
Subject: Re: [PATCH 08/30] kexec_file: Restrict at runtime if the kernel is locked down
Message-ID: <20180222191428.mam3w3n3flc63jn2@dwarf.suse.cz>

On Thu, Feb 22, 2018 at 02:21:53PM +0000, David Howells wrote:
> commit ed0424c531d7dd25adebdec0ee6a78a5784f207a
> Author: David Howells
> Date: Thu Feb 22 14:01:49 2018 +0000
>
>     kexec_file: Restrict at runtime if the kernel is locked down
>
>     When KEXEC_VERIFY_SIG is not enabled, kernel should not load images through

s/KEXEC_VERIFY_SIG/KEXEC_SIG/

Again, my mistake :/

Other than that, looks OK. Much cleaner than my version.
Thanks!

Reviewed-by: Jiri Bohac

--
Jiri Bohac
SUSE Labs, Prague, Czechia