Re: [PATCH 01/16] Add the ability to lock down access to the running kernel image

From: Pavel Machek
Date: Sun Dec 25 2016 - 16:20:37 EST


> allow the running kernel image to be changed including the loading of
> modules that aren't validly signed with a key we recognise, fiddling with
> MSR registers and disallowing hibernation,

"." at EOL.

> @@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
> + bool "Allow the kernel to be 'locked down'"

Locked down, or 'locked down' ? :-).

> + help
> + Allow the kernel to be locked down under certain circumstances, for
> + instance if UEFI secure boot is enabled. Locking down the kernel
> + turns off various features that might otherwise allow access to the
> + kernel image (eg. setting MSR registers).

I'd add something that clarifies it is "running" kernel image.

> + bool

Don't you need to add 'bool "something"' so that user can actually
select this?
(cesky, pictures)

Attachment: signature.asc
Description: Digital signature