Re: LockDown that allows read of /dev/mem ?

From: Enrico Weigelt, metux IT consult
Date: Fri Jul 02 2021 - 03:42:59 EST


On 21.06.21 17:29, David F. wrote:

> Hi,
>
> Lockdown is required by secure boot and shim signing (to prevent ACPI
> patching), and root because its main use is a utility boot disk. If
> lockdown could be forced when secure boot is active but not when it is
> not active, that would be best, but I'm not seeing that option. The other
> option may be to modify open_port in mem.c to do the secure boot check.
> However, searching for EFI_SECURE_BOOT shows it doesn't exist in 5.10.x as
> in efi_enabled(EFI_SECURE_BOOT) - it appears that is some other patch
> that is not applied to the base. I do see struct boot_params has a
> secure_boot field set, but can I access that from mem.c? If not, is the
> efi_get_secureboot() function available when /drivers/char/mem.c may
> be used?

I'd rather try not using /dev/mem at all.

What exactly do you really need it for, in that specific case ?


--mtx

--
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send us your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info@xxxxxxxxx -- +49-151-27565287
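As an added check that is not part of this thread, the script below reports whether kernel lockdown is actually engaged exactly when Secure Boot is enabled, which is the policy the quoted message asks for. It reads the standard efivars SecureBoot variable and the securityfs lockdown file, and takes both paths as parameters so it can also be run against copied files.

```shell
#!/bin/sh
# Added example (not from the thread): does lockdown match Secure Boot state?
# Default locations on an EFI system with efivarfs and securityfs mounted.
SB_VAR_DEFAULT=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
LOCKDOWN_DEFAULT=/sys/kernel/security/lockdown

# secure_boot_state FILE -> prints "enabled", "disabled" or "unknown".
# efivars files start with a 4-byte attribute header; SecureBoot's data is
# a single byte that is 1 when the firmware is enforcing signatures.
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# lockdown_mode FILE -> the active mode, which the kernel marks with
# brackets, e.g. "none [integrity] confidentiality" -> integrity.
# A missing file (lockdown LSM not built in) is reported as "none".
lockdown_mode() {
    mode=
    if [ -r "$1" ]; then
        mode=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    fi
    echo "${mode:-none}"
}

# check_policy SB_FILE LOCKDOWN_FILE -> "ok" when lockdown is engaged exactly
# when Secure Boot is enabled, otherwise a one-line description of the gap.
check_policy() {
    sb=$(secure_boot_state "$1")
    ld=$(lockdown_mode "$2")
    case "$sb:$ld" in
        enabled:none)  echo "mismatch: secure boot enabled but lockdown off" ;;
        enabled:*)     echo "ok" ;;
        disabled:none) echo "ok" ;;
        disabled:*)    echo "mismatch: lockdown $ld without secure boot" ;;
        *)             echo "unknown: cannot read secure boot state" ;;
    esac
}

# Run against the live system, or against two files given on the command line.
check_policy "${1:-$SB_VAR_DEFAULT}" "${2:-$LOCKDOWN_DEFAULT}"
```

A mismatch in either direction is worth a look: lockdown off under Secure Boot is the gap the thread is about, while lockdown on without Secure Boot is the utility-disk case the quoted message wants to avoid.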