Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image

From: Andy Lutomirski
Date: Wed Apr 11 2018 - 22:57:37 EST

Next message: kbuild test robot: "Re: [PATCH 2/5] pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver"
Previous message: Andy Lutomirski: "Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down"
In reply to: Linus Torvalds: "Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image"
Next in thread: David Howells: "[PATCH 02/24] Add a SysRq option to lift kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 11, 2018 at 9:24 AM, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> (*) CONFIG_LOCK_DOWN_KERNEL
>
> This makes lockdown available and applies it to all the points that
> need to be locked down if the mode is set. Lockdown mode can be
> enabled by providing:
>
> lockdown=1

By doing this, you are basically committing to making the
protect-kernel-integrity vs protect-kernel-secrecy split be a
second-class citizen if it gets added.

How about lockdown=integrity_and_secrecy or lockdown=2 if you feel
like using numbers?

Next message: kbuild test robot: "Re: [PATCH 2/5] pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver"
Previous message: Andy Lutomirski: "Re: [PATCH 24/24] debugfs: Restrict debugfs when the kernel is locked down"
In reply to: Linus Torvalds: "Re: [PATCH 01/24] Add the ability to lock down access to the running kernel image"
Next in thread: David Howells: "[PATCH 02/24] Add a SysRq option to lift kernel lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]