Date: Fri, 31 May 2019 06:11:44 +1000 (AEST)
From: James Morris
To: Ke Wu
cc: Kees Cook, Jonathan Corbet, "Serge E. Hallyn", linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] Allow to exclude specific file types in LoadPin
In-Reply-To: <20190530192208.99773-1-mikewu@google.com>
References: <20190529224350.6460-1-mikewu@google.com> <20190530192208.99773-1-mikewu@google.com>

On Thu, 30 May 2019, Ke Wu wrote:

> Linux kernel already provides MODULE_SIG and KEXEC_VERIFY_SIG to
> make sure loaded kernel module and kernel image are trusted. This
> patch adds a kernel command line option "loadpin.exclude" which
> allows to exclude specific file types from LoadPin. This is useful
> when people want to use different mechanisms to verify module and
> kernel image while still using LoadPin to protect the integrity of
> other files kernel loads.
>
> Signed-off-by: Ke Wu
> ---
> Changelog since v1:
> - Mark ignore_read_file_id with __ro_after_init.
> - Mark parse_exclude() with __init.
> - Use ARRAY_SIZE(ignore_read_file_id) instead of READING_MAX_ID.

Looks good!

Reviewed-by: James Morris

-- 
James Morris