subject:"\[Bug 1855668\] patch 1\/2"

[Bug 1855668] patch 1/2

2020-04-03 Thread bugproxy

--- Comment on attachment From daniel.axte...@ibm.com 2020-04-03 03:05 
EDT---


Hi Seth,

Thanks, that was extremely helpful.

Nayna noticed that I was overly keen to lock things down - I should only
lock down in Secure mode: if a system is in Trusted mode only I
shouldn't lock it down. This now matches the UEFI behaviour: (AFAICT)
measurements are made unconditionally but lockdown only occurs in Secure
Boot mode.

I have updated patch 1/2.

Kind regards,
Daniel

** Attachment added: "patch 1/2"
   
https://bugs.launchpad.net/bugs/1855668/+attachment/5345455/+files/0001-UBUNTU-SAUCE-lockdown-powerpc-lock-down-kernel-in-se.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668

Title:
  lockdown on power

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1855668/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1855668] patch 1/2

2020-04-02 Thread bugproxy

--- Comment on attachment From daniel.axte...@ibm.com 2020-04-02 08:35 
EDT---


Hi,

Thanks Nayna for the reminder to look at this again.

AFAICT, Canonical's Focal kernel sets up its non-upstreamed 
secure-boot-enforces-lockdown support in the following set of commits:
(edited down from the list of all commits with UBUNTU: and lockdown in the 
title.)

40fc208c8aae UBUNTU: SAUCE: (lockdown) security: lockdown: expose a hook to 
lock the kernel down
8309e3e2a4c2 UBUNTU: SAUCE: (lockdown) efi: Add an EFI_SECURE_BOOT flag to 
indicate secure boot mode
f8d21cba9d0e UBUNTU: SAUCE: (lockdown) efi: Lock down the kernel if booted in 
secure boot mode
36ca37871ad2 UBUNTU: SAUCE: (lockdown) arm64: Allow locking down the kernel 
under EFI secure boot
7bfea7ace0ff UBUNTU: SAUCE: (lockdown) s390/ipl: lockdown kernel when booted 
secure
d0b71cb9b8a2 UBUNTU: [Config] Enable lockdown under secure boot
ef7c6600bb3e UBUNTU: SAUCE: (lockdown) Reduce lockdown level to INTEGRITY for 
secure boot

This shows a secure-boot-enforces-lockdown patch for x86, arm64 and
s390. I think we also need a powerpc one.

I've written a short 2 patch series and attached it. I also needed to 
cherry-pick from upstream:
commit 1a8916ee3ac2 ("powerpc: Detect the secure boot mode of the system")
commit 2702809a4a1a ("powerpc: Detect the trusted boot state of the system")

I've only been able to build-test as I only have an unsecured system.
Nayna, could you try signing and booting the kernel on system with
secure boot, and see if it comes up in lockdown=integrity mode? I'll
send you the kernel via internal channels.

Unfortunately they're against focal/master not focal/master-next because
I had trouble with the zfs stuff in master-next, but it only affects the
config patch and I'm not sure I did that right anyway...

Kind regards,
Daniel

** Attachment added: "patch 1/2"
   
https://bugs.launchpad.net/bugs/1855668/+attachment/5344792/+files/0001-UBUNTU-SAUCE-lockdown-powerpc-lock-down-kernel-in-se.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855668

Title:
  lockdown on power

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-power-systems/+bug/1855668/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1855668] patch 1/2

[Bug 1855668] patch 1/2

2 matches

Site Navigation

Mail list logo

Footer information