vgoyal wrote:
> [...]
>> Have you considered a non-cryptographic solution, like a physical
>> presence check to (temporarily) disable Secure Boot so that the
>> kexec restriction no longer applies? [...]
>
> I think kyle has a patch which will allow disabling secureboot
> restriction if one is o
On Mon, Jul 22, 2013 at 02:54:41PM -0400, Vivek Goyal wrote:
> On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote:
>
> [..]
> > Have you considered a non-cryptographic solution, like a physical
> > presence check to (temporarily) disable Secure Boot so that the
> > kexec restriction no
On Fri, Jul 19, 2013 at 06:08:48PM +0200, Florian Weimer wrote:
[..]
> Have you considered a non-cryptographic solution, like a physical
> presence check to (temporarily) disable Secure Boot so that the
> kexec restriction no longer applies? This could be a fallback
> option if the original plan
On Thu, Jul 18, 2013 at 08:51:36PM +0200, Miloslav Trmač wrote:
> On Thu, Jul 11, 2013 at 1:40 PM, Jaroslav Reznik wrote:
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
>
> > == Detailed description ==
> >
On 07/11/2013 06:03 PM, Vivek Goyal wrote:
It is but it implements stuff which is needed to meet TCB requirements.
Current implementation is nowhere near to require secureboot requirements.
For example, executables are not locked down in memory. That means
after signature verification, if execu
On Thu, Jul 18, 2013 at 08:51:36PM +0200, Miloslav Trmač wrote:
> On Thu, Jul 11, 2013 at 1:40 PM, Jaroslav Reznik wrote:
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
>
> > == Detailed description ==
> >
On Thu, Jul 11, 2013 at 1:40 PM, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Enable kdump on secureboot machines =
> https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
> == Detailed description ==
> /sbin/kexec prepares a binary blob, called purgatory. This code runs at
> pr
On Thu, Jul 11, 2013 at 04:46:42PM -0600, Stephen John Smoogen wrote:
[..]
> > Anyway, USB case is interesting. I have to admit I have never tried
> > dumping to USB disk either. But in theory it should work.
> >
> >
> I tried USB direct dump and USB ext3. kdump said it could see the USB disk
> in
On Thu, Jul 11, 2013 at 02:09:54PM -0700, Adam Williamson wrote:
> On Thu, 2013-07-11 at 14:13 -0400, Vivek Goyal wrote:
>
> > I think this is a wrong impression. Kdump should work in Fedora. For a
> > long time I got the feedback that fedora users don't care about kdump
> > working. But I think k
On Thu, Jul 11, 2013 at 04:46:42PM -0600, Stephen John Smoogen wrote:
> Sadly the laptop is USB only so I am not sure if this will be possible. I
> will defer to someone with a lot more hardware knowledge but I was under
> the assumption that unless I had a UART any console hooked up would really
On 11 July 2013 13:10, Vivek Goyal wrote:
> On Thu, Jul 11, 2013 at 12:42:16PM -0600, Stephen John Smoogen wrote:
>
> [..]
> > > > Issues I ran into were:
> > > >
> > > > 1) kdump needs to write to an unencrypted disk space. I tried a USB
> disk
> > > > and various other places but the best abilit
On Thu, 2013-07-11 at 14:13 -0400, Vivek Goyal wrote:
> I think this is a wrong impression. Kdump should work in Fedora. For a
> long time I got the feedback that fedora users don't care about kdump
> working. But I think kdump is an important debugging facility and is
> very useful for enterprise
On Thu, Jul 11, 2013 at 08:22:17PM +0100, Matthew Garrett wrote:
> On Thu, Jul 11, 2013 at 03:10:07PM -0400, Vivek Goyal wrote:
>
> > We will need a serial console to debug kdump issues. I am not expert
> > enough to figure out how to reset graphical console without going
> > through the bios. Is
On Thu, Jul 11, 2013 at 03:10:07PM -0400, Vivek Goyal wrote:
> We will need a serial console to debug kdump issues. I am not expert
> enough to figure out how to reset graphical console without going
> through the bios. Is there any reliable way to do that.
Make sure the kdump kernel has graphics
On Thu, Jul 11, 2013 at 12:42:16PM -0600, Stephen John Smoogen wrote:
[..]
> > > Issues I ran into were:
> > >
> > > 1) kdump needs to write to an unencrypted disk space. I tried a USB disk
> > > and various other places but the best ability I got was reinstalling the
> > > laptop and making a /var
On Thu, Jul 11, 2013 at 02:13:05PM -0400, Vivek Goyal wrote:
[..]
> how do we get kdump to be more useful?
>
> I think testing and bug reporting will help. I would love to have kdump
> enabled by default in Fedora. But it eats around 128MB of memory by
> default which keeps sitting and not used.
On Thu, Jul 11, 2013 at 11:58:56AM -0600, Stephen John Smoogen wrote:
> On 11 July 2013 05:40, Jaroslav Reznik wrote:
>
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
> >
> > Change owner(s): Vivek Goyal
>
On 11 July 2013 05:40, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Enable kdump on secureboot machines =
> https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
>
> Change owner(s): Vivek Goyal
>
> Currently kexec/kdump is disabled on machines with secureboot enabled. This
> f
On Thu, Jul 11, 2013 at 11:45:34AM -0400, Steve Grubb wrote:
> On Thursday, July 11, 2013 10:33:05 AM Vivek Goyal wrote:
> > Secondly, there are disagreements upstream w.r.t how locking down
> > executable should happen. IMA folks want some functionality behind
> > security hooks (as opposed to wha
On Thu, Jul 11, 2013 at 05:19:58PM +0200, Florian Weimer wrote:
> On 07/11/2013 04:33 PM, Vivek Goyal wrote:
>
> >>I don't think it would make sense to add more and more
> >>Fedora-specific patches which implement security functionality. I
> >>don't want Fedora to become the next Android.
> >
> >
On Thursday, July 11, 2013 10:33:05 AM Vivek Goyal wrote:
> Secondly, there are disagreements upstream w.r.t how locking down
> executable should happen. IMA folks want some functionality behind
> security hooks (as opposed to what I have done). So I am expecting
> that once patches do get merged u
On 07/11/2013 04:33 PM, Vivek Goyal wrote:
I don't think it would make sense to add more and more
Fedora-specific patches which implement security functionality. I
don't want Fedora to become the next Android.
I don't see those patches going upstream in near term. First of all
base secureboot
On Thu, Jul 11, 2013 at 10:53:42AM -0400, Bill Nottingham wrote:
> Jaroslav Reznik (jrez...@redhat.com) said:
> > = Proposed System Wide Change: Enable kdump on secureboot machines =
> > https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
> >
> > Change owner(s): Vivek Goyal
> >
> > Cu
Jaroslav Reznik (jrez...@redhat.com) said:
> = Proposed System Wide Change: Enable kdump on secureboot machines =
> https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
>
> Change owner(s): Vivek Goyal
>
> Currently kexec/kdump is disabled on machines with secureboot enabled. This
> fe
On Thu, Jul 11, 2013 at 03:57:38PM +0200, Florian Weimer wrote:
> On 07/11/2013 01:40 PM, Jaroslav Reznik wrote:
> >=== Build and ship ima-evm-utils package ===
> >/sbin/kexec will be signed by evmctl. This utility will put an xattr
> >security.ima on /sbin/kexec file and kernel will leverage IMA i
On 07/11/2013 01:40 PM, Jaroslav Reznik wrote:
=== Build and ship ima-evm-utils package ===
/sbin/kexec will be signed by evmctl. This utility will put an xattr
security.ima on /sbin/kexec file and kernel will leverage IMA infrastructure in
kernel to verify signature of /sbin/kexec upon execution
= Proposed System Wide Change: Enable kdump on secureboot machines =
https://fedoraproject.org/wiki/Changes/Kdump_with_secureboot
Change owner(s): Vivek Goyal
Currently kexec/kdump is disabled on machines with secureboot enabled. This
feature aims to enable kexec/kdump on such machines.
== Det