On 13.05.2025 17:59, Kevin Lampis wrote:
> On Tue, May 13, 2025 at 3:32 PM Jan Beulich wrote:
>>
>> Well, it's easily possible to catch that error without any extra parsing.
>
> If `lockdown` is not the first argument then we should print a warning
> to tell the user that Xen may have already par
On Tue, May 13, 2025 at 3:32 PM Jan Beulich wrote:
>
> Well, it's easily possible to catch that error without any extra parsing.
If `lockdown` is not the first argument then we should print a warning
to tell the user that Xen may have already parsed some insecure
arguments and lockdown mode will
On 13.05.2025 16:28, Kevin Lampis wrote:
> On Tue, May 13, 2025 at 12:09 PM Jan Beulich wrote:
>> I would like this to at least be considered.
>> I don't like that custom command line parsing very much.
>
> I understand. Parsing code can be risky.
>
> In this case I think the code is small and s
On Tue, May 13, 2025 at 12:09 PM Jan Beulich wrote:
> I would like this to at least be considered.
> I don't like that custom command line parsing very much.
I understand. Parsing code can be risky.
In this case I think the code is small and simple though.
My concern with asking the user to alw
On 13.05.2025 13:07, Kevin Lampis wrote:
> On Tue, May 13, 2025 at 8:00 AM Jan Beulich wrote:
>>
>> Well, there is an alternative: Require the lockdown argument to be absolutely
>> first. (There are further alternatives, but likely less usable.)
>
> Is this your recommendation?
I would like this
On Tue, May 13, 2025 at 8:00 AM Jan Beulich wrote:
>
> Well, there is an alternative: Require the lockdown argument to be absolutely
> first. (There are further alternatives, but likely less usable.)
Is this your recommendation?
On 12.05.2025 21:51, Kevin Lampis wrote:
> On Mon, May 12, 2025 at 11:39 AM Jan Beulich wrote:
>>
>> I can't spot the effect the comment mentions anywhere in this patch. Is the
>> description perhaps lacking some detail? It's rather odd after all to see ...
>>
>> ... such custom token splitting ah
On Mon, May 12, 2025 at 11:39 AM Jan Beulich wrote:
>
> I can't spot the effect the comment mentions anywhere in this patch. Is the
> description perhaps lacking some detail? It's rather odd after all to see ...
>
> ... such custom token splitting ahead of normal command line handling.
If the UEF
On 06.05.2025 18:25, Kevin Lampis wrote:
> --- a/xen/common/kernel.c
> +++ b/xen/common/kernel.c
> @@ -216,6 +216,9 @@ static void __init _cmdline_parse(const char *cmdline)
> */
> void __init cmdline_parse(const char *cmdline)
> {
> +/* Call this early since it affects command-line parsing
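Review bot: the comment added at the top of cmdline_parse() makes the ordering a requirement ("Call this early since it affects command-line parsing") but, in the text visible here, names neither the call it introduces nor which part of the parsing in _cmdline_parse() changes as a result. Suggest stating in the comment exactly which parsing behaviour depends on lockdown being decided first, so a reader can check that nothing security-relevant is parsed before that point.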
On Tue, May 6, 2025 at 5:49 PM Teddy Astie wrote:
> (I can't find the PATCH 4/4)
I apologize. The missing patch will be posted as soon as we can.
> I am not convinced of the efficiency of being able to toggle lockdown
> (including disabling it) mode from command-line.
As you say a malicious use
Hello Kevin,
On 06/05/2025 at 18:32, Kevin Lampis wrote:
> The intention of lockdown mode is to prevent attacks from a rogue dom0
> userspace from compromising the system. Lockdown mode can be controlled by a
> Kconfig option and a command-line parameter.
What is the effective effect of such mo
The intention of lockdown mode is to prevent attacks from a rogue dom0
userspace from compromising the system. Lockdown mode can be controlled by a
Kconfig option and a command-line parameter. It is also enabled automatically
when Secure Boot is enabled and it cannot be disabled in that case.
Sign
12 matches