On Fri, Jun 9, 2017 at 10:33 AM, Ard Biesheuvel
wrote:
> (+ Kees)
>
> On 6 June 2017 at 09:34, David Howells wrote:
>> Ard Biesheuvel wrote:
>>
>>> and print a subsequent line for every lockdown feature that is enabled,
>>> e.g.,
>>>
>>> lockdown: disabling MSRs
>>> lockdown: disabling hibernat
(+ Kees)
On 6 June 2017 at 09:34, David Howells wrote:
> Ard Biesheuvel wrote:
>
>> and print a subsequent line for every lockdown feature that is enabled, e.g.,
>>
>> lockdown: disabling MSRs
>> lockdown: disabling hibernate support
>
> There's another problem with this idea: the lockdown facil
Ard Biesheuvel wrote:
> and print a subsequent line for every lockdown feature that is enabled, e.g.,
>
> lockdown: disabling MSRs
> lockdown: disabling hibernate support
There's another problem with this idea: the lockdown facility is passive - it
doesn't go looking for things to lock down; ra
On 31 May 2017 at 13:33, David Howells wrote:
> Ard Biesheuvel wrote:
>
>> No, I am fine with keeping this as a single series. I don't want
>> anything under drivers/efi to imply policy regarding lockdown. Kernel
>> lockdown should be a feature that lives somewhere else, and which
>> contains a C
Ard Biesheuvel wrote:
> No, I am fine with keeping this as a single series. I don't want
> anything under drivers/efi to imply policy regarding lockdown. Kernel
> lockdown should be a feature that lives somewhere else, and which
> contains a CONFIG_ option that implies 'lockdown is enabled by def
On 31 May 2017 at 09:23, David Howells wrote:
> Ard Biesheuvel wrote:
>
>> - The series conflates 'UEFI secure boot support' with 'kernel lock
>> down support'. I think this has been brought up before, but I really
>> think we should have a cleaner separation between the feature (locking
>> down
Ard Biesheuvel wrote:
> - The series conflates 'UEFI secure boot support' with 'kernel lock
> down support'. I think this has been brought up before, but I really
> think we should have a cleaner separation between the feature (locking
> down various bits of the kernel if lockdown is in effect) f
On 24 May 2017 at 14:45, David Howells wrote:
>
> Here's a set of patches to institute a "locked-down mode" in the kernel and
> to set that mode if the kernel is booted in secure-boot mode. This can be
> enabled with CONFIG_LOCK_DOWN_KERNEL. If a kernel is locked down, the
> lockdown can be lift
Here's a set of patches to institute a "locked-down mode" in the kernel and
to set that mode if the kernel is booted in secure-boot mode. This can be
enabled with CONFIG_LOCK_DOWN_KERNEL. If a kernel is locked down, the
lockdown can be lifted by typing SysRq+x on a keyboard attached to the
machi
9 matches