Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2018-04-03 Luis R. Rodriguez
On Tue, Apr 3, 2018 at 9:56 AM, Luis R. Rodriguez wrote: > The biggest thing which has changed since then is that we decided to *not* > support or streamline generic firmware signing (non-IMA) for now for a few > reasons [0] [1] which are important to re-iterate as these are easy to forget, > and

Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2018-04-03 Luis R. Rodriguez
On Mon, Apr 02, 2018 at 05:42:22PM -0700, Andy Lutomirski wrote: > On 11/10/2017 01:02 PM, Mimi Zohar wrote: > > If the kernel is locked down and IMA-appraisal is not enabled, prevent > > loading of unsigned firmware. > > > diff --git a/security/fw_lockdown/Kconfig b/security/fw_lockdown/Kconfig >

Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2018-04-02 Andy Lutomirski
On 11/10/2017 01:02 PM, Mimi Zohar wrote: If the kernel is locked down and IMA-appraisal is not enabled, prevent loading of unsigned firmware. diff --git a/security/fw_lockdown/Kconfig b/security/fw_lockdown/Kconfig new file mode 100644 index ..d6aef6ce8fee --- /dev/null +++ b/secu

Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-11 Mimi Zohar
On Fri, 2017-11-10 at 23:39 +0100, Luis R. Rodriguez wrote: > On Fri, Nov 10, 2017 at 04:02:55PM -0500, Mimi Zohar wrote: > > If the kernel is locked down and IMA-appraisal is not enabled, prevent > > loading of unsigned firmware. > > > > Signed-off-by: Mimi Zohar > > --- > > > > Changelog v1: >

Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Casey Schaufler
On 11/10/2017 1:02 PM, Mimi Zohar wrote: > If the kernel is locked down and IMA-appraisal is not enabled, prevent > loading of unsigned firmware. > > Signed-off-by: Mimi Zohar > --- > > Changelog v1: > - Lots of minor changes Kconfig, Makefile, fw_lsm.c for such a small patch > > security/Kconfig

Re: [RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Luis R. Rodriguez
On Fri, Nov 10, 2017 at 04:02:55PM -0500, Mimi Zohar wrote: > If the kernel is locked down and IMA-appraisal is not enabled, prevent > loading of unsigned firmware. > > Signed-off-by: Mimi Zohar > --- > > Changelog v1: > - Lots of minor changes Kconfig, Makefile, fw_lsm.c for such a small patch

[RFC PATCH v1] fw_lockdown: new micro LSM module to prevent loading unsigned firmware

2017-11-10 Mimi Zohar
If the kernel is locked down and IMA-appraisal is not enabled, prevent loading of unsigned firmware. Signed-off-by: Mimi Zohar --- Changelog v1: - Lots of minor changes Kconfig, Makefile, fw_lsm.c for such a small patch security/Kconfig | 1 + security/Makefile | 2 +