Re: [PATCH 01/16] Add the ability to lock down access to the running kernel image

From: Pavel Machek
Date: Sun Dec 25 2016 - 16:20:37 EST

Next message: Pavel Machek: "Re: [PATCH 1/4] serial: core: Add LED trigger support"
Previous message: kbuild test robot: "Re: [PATCHv4 8/8] Fixes style issues due to mis-aligned carry over lines"
Next in thread: David Howells: "Re: [PATCH 01/16] Add the ability to lock down access to the running kernel image"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi!

> allow the running kernel image to be changed including the loading of
> modules that aren't validly signed with a key we recognise, fiddling with
> MSR registers and disallowing hibernation,

"." at EOL.

> @@ -158,6 +158,21 @@ config HARDENED_USERCOPY_PAGESPAN
> been removed. This config is intended to be used only while
> trying to find such users.
>
> +config LOCK_DOWN_KERNEL
> + bool "Allow the kernel to be 'locked down'"

Locked down, or 'locked down' ? :-).

> + help
> + Allow the kernel to be locked down under certain circumstances, for
> + instance if UEFI secure boot is enabled. Locking down the kernel
> + turns off various features that might otherwise allow access to the
> + kernel image (eg. setting MSR registers).

I'd add something that clarifies it is "running" kernel image.

> +config ALLOW_LOCKDOWN_LIFT
> + bool

Don't you need to add 'bool "something"' so that user can actually
select this?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachment: signature.asc
Description: Digital signature

Next message: Pavel Machek: "Re: [PATCH 1/4] serial: core: Add LED trigger support"
Previous message: kbuild test robot: "Re: [PATCHv4 8/8] Fixes style issues due to mis-aligned carry over lines"
Next in thread: David Howells: "Re: [PATCH 01/16] Add the ability to lock down access to the running kernel image"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]