Hi Philipp
On Tue, 29 Nov 2022 at 15:32, Steven Rostedt wrote:
>
> On Tue, 29 Nov 2022 14:44:50 +0100
> Philipp Rudo wrote:
>
> > An alternative approach and sort of compromise I see is to convert
> > kexec_load_disabled from a simple on/off switch to a counter on how
> > often a kexec load can
On Tue, 29 Nov 2022 14:44:50 +0100
Philipp Rudo wrote:
> An alternative approach and sort of compromise I see is to convert
> kexec_load_disabled from a simple on/off switch to a counter on how
> often a kexec load can be made (in practice a tristate on/off/one-shot
> should be sufficient).
Hi Steven,
On Mon, 28 Nov 2022 11:42:00 -0500
Steven Rostedt wrote:
> On Thu, 24 Nov 2022 16:01:15 +0100
> Philipp Rudo wrote:
>
> > No, I think the implementation is fine. I'm currently only struggling
> > to understand what problem kexec_reboot_disabled solves that cannot be
> > solved by
On Mon, 28 Nov 2022 17:28:55 +0100
Philipp Rudo wrote:
> To be honest I don't think we make a progress here at the moment. I
> would like to hear from others what they think about this.
Not sure if you missed my reply.
https://lore.kernel.org/all/20221128114200.72b3e...@gandalf.local.home/
On Thu, 24 Nov 2022 16:01:15 +0100
Philipp Rudo wrote:
> No, I think the implementation is fine. I'm currently only struggling
> to understand what problem kexec_reboot_disabled solves that cannot be
> solved by kexec_load_disabled.
Hi Philipp,
Thanks for working with us on this.
Let me try
Hi Ricardo,
On Thu, 24 Nov 2022 23:32:34 +0100
Ricardo Ribalda wrote:
> Hi Philipp
>
>
> On Thu, 24 Nov 2022 at 16:01, Philipp Rudo wrote:
> >
> > On Thu, 24 Nov 2022 13:52:58 +0100
> > Ricardo Ribalda wrote:
> >
> > > On Thu, 24 Nov 2022 at 12:40, Philipp Rudo wrote:
> > > >
> > > >
Hi Philipp
On Thu, 24 Nov 2022 at 16:01, Philipp Rudo wrote:
>
> On Thu, 24 Nov 2022 13:52:58 +0100
> Ricardo Ribalda wrote:
>
> > On Thu, 24 Nov 2022 at 12:40, Philipp Rudo wrote:
> > >
> > > Hi Ricardo,
> > >
> > > On Wed, 23 Nov 2022 09:58:08 +0100
> > > Ricardo Ribalda wrote:
> > >
> > >
On Thu, 24 Nov 2022 13:52:58 +0100
Ricardo Ribalda wrote:
> On Thu, 24 Nov 2022 at 12:40, Philipp Rudo wrote:
> >
> > Hi Ricardo,
> >
> > On Wed, 23 Nov 2022 09:58:08 +0100
> > Ricardo Ribalda wrote:
> >
> > > Hi Philipp
> > >
> > > Thanks for your review.
> > >
> > > My scenario is a
On Thu, 24 Nov 2022 at 12:40, Philipp Rudo wrote:
>
> Hi Ricardo,
>
> On Wed, 23 Nov 2022 09:58:08 +0100
> Ricardo Ribalda wrote:
>
> > Hi Philipp
> >
> > Thanks for your review.
> >
> > My scenario is a trusted system, where even if you are root, your
> > access to the system is very limited.
>
Hi Ricardo,
On Wed, 23 Nov 2022 09:58:08 +0100
Ricardo Ribalda wrote:
> Hi Philipp
>
> Thanks for your review.
>
> My scenario is a trusted system, where even if you are root, your
> access to the system is very limited.
>
> Let's assume LOADPIN and verity are enabled.
My point is that on
On 11/14/22 at 02:18pm, Ricardo Ribalda wrote:
> Create a new toogle that disables LINUX_REBOOT_CMD_KEXEC, reducing the
~ toggle
> attack surface to a system.
>
> Without this toogle, an attacker can only reboot into a different kernel
~~s/without/with/
> if they can create a
Hi Philipp
Thanks for your review.
My scenario is a trusted system, where even if you are root, your
access to the system is very limited.
Let's assume LOADPIN and verity are enabled.
On Mon, 21 Nov 2022 at 15:10, Philipp Rudo wrote:
>
> Hi Ricardo,
>
> On Thu, 17 Nov 2022 16:15:07 +0100
>
Hi Ricardo,
On Thu, 17 Nov 2022 16:15:07 +0100
Ricardo Ribalda wrote:
> Hi Philipp
>
> Thanks for your review!
happy to help.
>
> On Thu, 17 Nov 2022 at 16:07, Philipp Rudo wrote:
> >
> > Hi Ricardo,
> >
> > all in all I think this patch makes sense. However, there is one point
> > I don't
Hi Philipp
Thanks for your review!
On Thu, 17 Nov 2022 at 16:07, Philipp Rudo wrote:
>
> Hi Ricardo,
>
> all in all I think this patch makes sense. However, there is one point
> I don't like...
>
> On Mon, 14 Nov 2022 14:18:39 +0100
> Ricardo Ribalda wrote:
>
> > Create a new toogle that
Hi Ricardo,
all in all I think this patch makes sense. However, there is one point
I don't like...
On Mon, 14 Nov 2022 14:18:39 +0100
Ricardo Ribalda wrote:
> Create a new toogle that disables LINUX_REBOOT_CMD_KEXEC, reducing the
> attack surface to a system.
>
> Without this toogle, an
Create a new toogle that disables LINUX_REBOOT_CMD_KEXEC, reducing the
attack surface to a system.
Without this toogle, an attacker can only reboot into a different kernel
if they can create a panic().
Signed-off-by: Ricardo Ribalda
diff --git a/Documentation/admin-guide/sysctl/kernel.rst
16 matches
Mail list logo
