From: Jann Horn
Date: Wed, 11 Apr 2018 19:05:56 +0200
Subject: Re: [PATCH 02/24] Add a SysRq option to lift kernel lockdown
To: David Howells
Cc: Linus Torvalds, linux-man, Linux API, James Morris, kernel list, linux-security-module

On Wed, Apr 11, 2018 at 6:24 PM, David Howells wrote:
> From: Kyle McMartin
>
> Make an option to provide a sysrq key that will lift the kernel lockdown,
> thereby allowing the running kernel image to be accessed and modified.
>
> On x86 this is triggered with SysRq+x, but this key may not be available on
> all arches, so it is set by setting LOCKDOWN_LIFT_KEY in asm/setup.h.
> Since this macro must be defined in an arch to be able to use this facility
> for that arch, the Kconfig option is restricted to arches that support it.

In the current form, this is probably incompatible with USB/IP (which
Debian seems to be shipping as a module by default), right? And
perhaps also with dummy_hcd (if I understand correctly what it's
doing)?