Re: [PATCH 01/16] Add the ability to lock down access to the running kernel image
From: Pavel Machek
Date: Sun Dec 25 2016 - 16:20:37 EST
> allow the running kernel image to be changed including the loading of
> modules that aren't validly signed with a key we recognise, fiddling with
> MSR registers and disallowing hibernation,
"." at EOL.
> @@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
> +config LOCK_DOWN_KERNEL
> + bool "Allow the kernel to be 'locked down'"
Locked down, or 'locked down' ? :-).
> + help
> + Allow the kernel to be locked down under certain circumstances, for
> + instance if UEFI secure boot is enabled. Locking down the kernel
> + turns off various features that might otherwise allow access to the
> + kernel image (eg. setting MSR registers).
I'd add something that clarifies it is "running" kernel image.
> +config ALLOW_LOCKDOWN_LIFT
> + bool
Don't you need to add 'bool "something"' so that user can actually
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Description: Digital signature