Subject: Re: LockDown that allows read of /dev/mem ?
To: "David F."
Cc: linux-kernel
References: <99e0ef5a-156f-c8e5-cfc3-7c50e5e15a98@metux.net>
From: "Enrico Weigelt, metux IT consult"
Date: Fri, 2 Jul 2021 09:42:31 +0200
X-Mailing-List: linux-kernel@vger.kernel.org

On 21.06.21 17:29, David F. wrote:

Hi,

> Lockdown required by secure boot and shim signing (prevent acpi
> patching), root because its main use is a utility boot disk. If
> lockdown could be forced when secure boot active but not when not
> active, that'd be best, but I'm not seeing that option. The other
> option may be to modify open_port on mem.c to do the secure boot check.
> However searching EFI_SECURE_BOOT doesn't exist in 5.10.x as in
> efi_enabled(EFI_SECURE_BOOT) - It appears that is some other patch
> that is not applied to the base, I do see struct boot_params has a
> secure_boot field set, but can I access that from mem.c? If not, is
> efi_get_secureboot() function available when /drivers/char/mem.c may
> be used?

I'd rather try not using /dev/mem at all.

What exactly do you really need it for, in that specific case?

--mtx

--
---
Note: unencrypted e-mails can easily be intercepted and manipulated! For confidential communication, please send your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@metux.net -- +49-151-27565287
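As an added example (not code from this thread or from the kernel tree), a small userspace check that reads the efivarfs SecureBoot variable and the lockdown sysfs file to confirm the combination asked for above: lockdown active whenever Secure Boot is on. The efivarfs path and the lockdown file format are the kernel's real interfaces; the parsers also accept constructed input so they can be exercised offline.

```python
"""Report whether the kernel lockdown mode matches the firmware Secure Boot state.

Added example for this thread; not from the original mail or the kernel tree.
"""
import os
from typing import Optional

# efivarfs exposes each variable as 4 bytes of attributes followed by the payload.
# SecureBoot's payload is a single byte: 1 = enabled, 0 = disabled.
SECUREBOOT_EFIVAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# securityfs file listing all lockdown modes with the active one in brackets.
LOCKDOWN_FILE = "/sys/kernel/security/lockdown"


def parse_secureboot_efivar(data: bytes) -> Optional[bool]:
    """Return True/False for the SecureBoot flag, None if the record is too short."""
    if len(data) < 5:
        return None
    return data[4] == 1


def parse_lockdown_mode(text: str) -> Optional[str]:
    """Parse e.g. 'none [integrity] confidentiality' and return the active mode."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return None


def assess(secure_boot: Optional[bool], lockdown_mode: Optional[str]) -> str:
    """Flag the case the thread is about: Secure Boot on but lockdown off.
    'integrity' already blocks /dev/mem access (LOCKDOWN_DEV_MEM), so either
    non-'none' mode satisfies the check."""
    if secure_boot is None or lockdown_mode is None:
        return "unknown"
    if secure_boot and lockdown_mode == "none":
        return "mismatch: secure boot on, lockdown off"
    return f"ok: secure boot {'on' if secure_boot else 'off'}, lockdown {lockdown_mode}"


def read_system_state() -> str:
    """Read the live interfaces when present (needs root for efivarfs on some distros)."""
    secure_boot = lockdown_mode = None
    if os.path.exists(SECUREBOOT_EFIVAR):
        with open(SECUREBOOT_EFIVAR, "rb") as f:
            secure_boot = parse_secureboot_efivar(f.read())
    if os.path.exists(LOCKDOWN_FILE):
        with open(LOCKDOWN_FILE) as f:
            lockdown_mode = parse_lockdown_mode(f.read())
    return assess(secure_boot, lockdown_mode)


if __name__ == "__main__":
    print(read_system_state())
```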