Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?

From: Matt Fleming
Date: Mon Jan 30 2017 - 08:57:03 EST

Next message: Stanislaw Gruszka: "Re: [PATCH 08/37] cputime: Convert task/group cputime to nsecs"
Previous message: Alexander Kochetkov: "Re: [PATCH v5 5/8] clocksource/drivers/rockchip_timer: split bc_timer into rk_timer and rk_clock_event_device"
In reply to: David Howells: "What should the default lockdown mode be if the bootloader sentinel triggers sanitization?"
Next in thread: David Howells: "Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 30 Jan, at 12:10:29PM, David Howells wrote:
>
> Matt argues, however, that boot_params->secure_boot should be propagated from
> the bootloader and if the bootloader wants to set it, then we should skip the
> check in efi_main() and go with the bootloader's opinion. This is something
> we probably want to do with kexec() so that the lockdown state is propagated
> there.

Actually what I was arguing for was that if the boot loader wants to
set it and bypass the EFI boot stub, e.g. by going via the legacy
64-bit entry point, startup_64, then we should allow that as well as
setting the flag in the EFI boot stub.

Next message: Stanislaw Gruszka: "Re: [PATCH 08/37] cputime: Convert task/group cputime to nsecs"
Previous message: Alexander Kochetkov: "Re: [PATCH v5 5/8] clocksource/drivers/rockchip_timer: split bc_timer into rk_timer and rk_clock_event_device"
In reply to: David Howells: "What should the default lockdown mode be if the bootloader sentinel triggers sanitization?"
Next in thread: David Howells: "Re: What should the default lockdown mode be if the bootloader sentinel triggers sanitization?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]