When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
From: Josh Boyer
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is
enabled.
This will be used by the SysRq+x handler, registered by the x86 arch, to find
out whether
These patches provide a facility by which a variety of avenues by which
userspace can feasibly modify the running kernel image can be locked down.
These include:
(*) No unsigned modules and no modules for which can't validate the
signature.
(*) No use of ioperm(), iopl() and no writing
Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
allow the running kernel image to be changed including the loading of
modules that aren't validly signed with a key we recognise, fiddling with
MSR
These patches provide a facility by which a variety of avenues by which
userspace can feasibly modify the running kernel image can be locked down.
These include:
(*) No unsigned modules and no modules for which can't validate the
signature.
(*) No use of ioperm(), iopl() and no writing
From: Kyle McMartin
Make sysrq+x exit secure boot mode on x86_64, thereby allowing the running
kernel image to be modified. This lifts the lockdown.
Signed-off-by: Kyle McMartin
Signed-off-by: David Howells
---
arch/x86/Kconfig
From: Matthew Garrett
kexec permits the loading and execution of arbitrary code in ring 0, which
is something that lock-down is meant to prevent. It makes sense to disable
kexec in this situation.
This does not affect kexec_file_load() which can check for a signature
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
From: Josh Boyer
There is currently no way to verify the resume image when returning
from hibernate. This might compromise the signed modules trust model,
so until we can work with signed hibernate images we disable it when the
kernel is locked down.
Signed-off-by:
在 2017-04-05 10:27,Chen-Yu Tsai 写道:
On Wed, Apr 5, 2017 at 3:53 AM, Icenowy Zheng wrote:
在 2017年04月05日 03:28, Sean Paul 写道:
On Thu, Mar 30, 2017 at 03:46:06AM +0800, Icenowy Zheng wrote:
As we are going to add support for the Allwinner DE2 Mixer in
sun4i-drm
driver, we
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
s, however, there for future
use.
Further note that the hwtype can also be used for grepping.
The patches can be found here also:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=hwparam
at tag:
hwparam-20170405
David
---
David Howells (38):
Annotate mod
Provided an annotation for module parameters that specify hardware
parameters (such as io ports, iomem addresses, irqs, dma channels, fixed
dma buffers and other types).
This will enable such parameters to be locked down in the core parameter
parser for secure boot support.
I've also included
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
On Wed, Apr 05, 2017 at 05:06:19PM +, Ghannam, Yazen wrote:
> Checking if we have a valid deferred error. Since we call __log_error() on
> thresholding interrupts too we would need to tell it which handler is calling
> it to do the correct check. This is what we currently do.
That's why I
On 05/04/17 18:08, Ard Biesheuvel wrote:
> Hoi Matthias!
>
> On 5 April 2017 at 17:56, Matthias Kaehlcke wrote:
>> From: Greg Hackmann
>>
>> The current definition of ASM_EXPORT doesn't work properly with clang,
>> according to
The X-Powers AXP20X and AXP22X PMICs can have a battery as power supply.
This patch adds the AXP20X/AXP22X battery driver to the MFD cells of the
AXP209, AXP221 and AXP223 MFD.
Signed-off-by: Quentin Schulz
Acked-for-MFD-by: Lee Jones
The patch
regulator: DT: Add settling time property for non-linear voltage change
has been applied to the regulator tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime
Adds a new endpoint function driver (to program the virtual test device)
making use of the EP-core library.
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Bjorn Helgaas
---
drivers/pci/endpoint/Kconfig | 2 +
Hi,
On Wed, Apr 5, 2017 at 2:01 AM, Icenowy Zheng wrote:
> AXP803 PMIC also have a series of regulators (DCDCs and LDOs)
> controllable via I2C/RSB bus.
>
> Add support for them.
>
> Signed-off-by: Icenowy Zheng
> ---
> drivers/regulator/axp20x-regulator.c |
Introduce a new EP core layer in order to support endpoint functions in
linux kernel. This comprises the EPC library (Endpoint Controller Library)
and EPF library (Endpoint Function Library). EPC library implements
functions specific to an endpoint controller and EPF library implements
functions
Add Documentation for pci-endpoint-test driver.
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Bjorn Helgaas
---
Documentation/misc-devices/pci-endpoint-test.txt | 35
1 file changed, 35 insertions(+)
create mode 100644
On 04/04/2017 02:20 PM, Rob Herring wrote:
On Tue, Apr 4, 2017 at 2:28 AM, Ludovic BARRE wrote:
Hi Rob
thanks for review
my comments below
br
Ludo
On 04/03/2017 06:57 PM, Rob Herring wrote:
On Fri, Mar 31, 2017 at 07:02:03PM +0200, Ludovic Barre wrote:
From: Ludovic
On Wed, Apr 5, 2017 at 9:08 AM, Oleg Nesterov wrote:
> On 04/03, Eric W. Biederman wrote:
>>
>> You have asked why I have problems with your patch and so I am going to
>> try to explain. Partly I want to see a clean set of patches that we
>> can merge into Linus's tree before we
git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git
for-next
Head SHA1: 696ced4fb1d76802f864d8848aa4716633f83c17
Alban Crequy (1):
tracing/kprobes: expose maxactive for kretprobe in kprobe_events
Steven Rostedt (VMware) (6):
ftrace: Clean up __seq_open_private()
From: "Steven Rostedt (VMware)"
If all functions are enabled, there's a comment displayed in the file to
denote that:
# cd /sys/kernel/debug/tracing
# cat set_ftrace_filter
all functions enabled
If a function trigger is set, those are displayed as well:
#
From: "Steven Rostedt (VMware)"
The return status check of __seq_open_private() is rather strange:
iter = __seq_open_private();
if (iter) {
/* do stuff */
}
return iter ? 0 : -ENOMEM;
It makes much more sense to do the
From: "Steven Rostedt (VMware)"
The loop in t_start() of calling t_next() will call t_hash_start() if the
pos is beyond the functions and enters the hash items. There's no reason to
check if p is NULL and call t_hash_start(), as that would be redundant.
Signed-off-by:
From: "Steven Rostedt (VMware)"
Instead of testing if the hash to use is the filter_hash or the notrace_hash
at each iteration, do the test at open, and set the iter->hash to point to
the corresponding filter or notrace hash. Then use that directly instead of
testing which
On 04/04/17 19:06, Christopher Bostic wrote:
> From: Chris Bostic
>
> Create a simple SCOM engine device driver that reads and writes
> its control registers via an FSI bus.
>
> Includes changes from Edward A. James .
>
> Signed-off-by: Chris
On Wed 05 Apr 05:10 PDT 2017, Jonathan Neusch?fer wrote:
> Don't use size if info indicates an error condition. Previously a
> non-ENOENT error (such as -EPROBE_DEFER) would lead to size being used
> even though it hadn't necessarily been initialized in qcom_smem_get.
>
> Don't print an error
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules
Provide a single call to allow kernel code to determine whether the system
should be locked down, thereby disallowing various accesses that might
allow the running kernel image to be changed including the loading of
modules that aren't validly signed with a key we recognise, fiddling with
MSR
From: Josh Boyer
UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit
that can be passed to efi_enabled() to find out whether secure boot is
enabled.
This will be used by the SysRq+x handler, registered by the x86 arch, to find
out whether
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
From: Matthew Garrett
Allowing users to write to address space makes it possible for the kernel to
be subverted, avoiding module loading restrictions. Prevent this when the
kernel has been locked down.
Signed-off-by: Matthew Garrett
Hi Arnd,
2017-04-03 6:46 GMT+09:00 Masahiro Yamada :
> Hi Arnd,
>
>
> 2017-04-01 5:38 GMT+09:00 Arnd Bergmann :
>> From: Mark Charlebois
>>
>> Clang will warn about unknown warnings but will not return false
>> unless -Werror is
From: Matthew Garrett
We have no way of validating what all of the Asus WMI methods do on a given
machine - and there's a risk that some will allow hardware state to be
manipulated in such a way that arbitrary code can be executed in the
kernel, circumventing module
From: Matthew Garrett
custom_method effectively allows arbitrary access to system memory, making
it possible for an attacker to circumvent restrictions on module loading.
Disable it if the kernel is locked down.
Signed-off-by: Matthew Garrett
From: Josh Boyer
This option allows userspace to pass the RSDP address to the kernel, which
makes it possible for a user to circumvent any restrictions imposed on
loading modules. Ignore the option when the kernel is locked down.
Signed-off-by: Josh Boyer
From: Matthew Garrett
Any hardware that can potentially generate DMA has to be locked down in
order to avoid it being possible for an attacker to modify kernel code,
allowing them to circumvent disabled module loading or module signing.
Default to paranoid - in future
From: Matthew Garrett
Writing to MSRs should not be allowed if the kernel is locked down, since
it could lead to execution of arbitrary code in kernel mode. Based on a
patch by Kees Cook.
Cc: Kees Cook
Signed-off-by: Matthew Garrett
From: Matthew Garrett
IO port access would permit users to gain access to PCI configuration
registers, which in turn (on a lot of hardware) give access to MMIO
register space. This would potentially permit root to trigger arbitrary
DMA, so lock it down by default.
From: Linn Crosetto
>From the kernel documentation (initrd_table_override.txt):
If the ACPI_INITRD_TABLE_OVERRIDE compile option is true, it is possible
to override nearly any ACPI table provided by the BIOS with an
instrumented, modified one.
When securelevel is set, the
From: Matthew Garrett
uswsusp allows a user process to dump and then restore kernel state, which
makes it possible to modify the running kernel. Disable this if the kernel
is locked down.
Signed-off-by: Matthew Garrett
Signed-off-by: David Howells
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
The patch
ASoC: wm_adsp: Add support for ADSP2V2
has been applied to the asoc tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus
The patch
ASoC: wm_adsp: add support for DSP region lock
has been applied to the asoc tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to
The patch
ASoC: cs53l30: Set .of_match_table to OF device ID table
has been applied to the asoc tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours)
The patch
ASoC: max9867: export OF device ID as module aliases
has been applied to the asoc tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and
The patch
regulator: Add settling time for non-linear voltage transition
has been applied to the regulator tree at
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator.git
All being well this means that it will be integrated into the linux-next
tree (usually sometime in the
On Wed, Apr 5, 2017 at 10:26 AM, Alan Tull wrote:
> On Wed, Apr 5, 2017 at 6:40 AM, Wu, Hao wrote:
>>> >> The fpga_image_info struct started life as just image specific info,
>>> >> but I want it to go in the direction of including parameters needed to
>>> >>
Add Documentation to help users use PCI endpoint to configure PCI endpoint
function and to bind the endpoint function with endpoint controller.
Signed-off-by: Kishon Vijay Abraham I
Acked-By: Joao Pinto
Signed-off-by: Bjorn Helgaas
---
Invoke APIs provided by pci-ep-cfs to create configfs entry for every EPC
device and EPF driver to help users in creating EPF device and binding the
EPF device to the EPC device.
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Bjorn Helgaas
---
No functional change. Split dra7xx_pcie_enable_interrupts() into
dra7xx_pcie_enable_wrapper_interrupts() and
dra7xx_pcie_enable_msi_interrupts() so that wrapper interrupts and MSI
interrupts can be enabled independently. This is in preparation for adding
EP mode support to dra7xx driver since EP
Add device tree binding documentation for PCI designware EP mode.
Signed-off-by: Kishon Vijay Abraham I
Signed-off-by: Bjorn Helgaas
Acked-by: Rob Herring
---
.../devicetree/bindings/pci/designware-pcie.txt| 26 +++---
1
On Tue, Apr 04, 2017 at 03:26:29PM -0400, Javier Martinez Canillas wrote:
> The driver doesn't have a struct of_device_id table but supported devices
> are registered via Device Trees. This is working on the assumption that a
> I2C device registered via OF will always match a legacy I2C device ID
2017-04-05 12:05 GMT+02:00 Philipp Zabel :
> On Tue, 2017-04-04 at 14:50 +0200, Christian Gmeiner wrote:
> [...]
>> > Is this on a non-plus i.MX6? Maybe are missing the LDB DI clock glitch
>> > fixes (commits 5d283b083800, 03d576f202e8, and f13abeff2cde)?
>>
>> Yes it is a
On 04/03, Eric W. Biederman wrote:
>
> You have asked why I have problems with your patch and so I am going to
> try to explain. Partly I want to see a clean set of patches that we
> can merge into Linus's tree before we make any compromises. Because the
> work preparing a clean patchset may
hi Cyrille, Marek
I've re-based and tested my patchset onto
"mtd: spi-nor: introduce more SPI protocols and the Dual Transfer Mode"
So I can deliver my patchset before or after Cyrille patchset
How do you wish process? what version do you want for the v3?
BR
Ludo
On 03/30/2017 12:15 PM,
On Wed 05-04-17 10:48:52, Reza Arbab wrote:
> On Wed, Apr 05, 2017 at 08:42:39AM +0200, Michal Hocko wrote:
> >On Tue 04-04-17 16:43:39, Reza Arbab wrote:
> >>Okay, getting further. With this I can again repeatedly add and remove,
> >>but now I'm seeing a weird variation of that earlier issue:
>
Hi guys,
I'm using linux-3.2, yes, it's pretty old I know, and I'm going to
move on a latest stable version.
I hit a soft lockup issue in function `__udp4_lib_lookup`. And it
turns out that the soft lockup results from that it got a hlist_nulls_node
from a hash slot, but that hlist_nulls_node
The X-Powers AXP20X and AXP22X PMICs can have a battery as power supply.
This patch adds the DT binding documentation for the battery power
supply which gets various data from the PMIC, such as the battery status
(charging, discharging, full, dead), current max limit, current current,
battery
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
On 03/15/2017 04:22 PM, Jiri Benc wrote:
> On Wed, 15 Mar 2017 15:29:29 +0100, Matthias Schiffer wrote:
>> While ensuring that the destination address is link-local iff the source
>> address is would also be an option, it didn't seem too useful as the
>> destination address will be a multicast
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
On Wed, Apr 5, 2017 at 10:01 AM, David Howells wrote:
> When the kernel is running in secure boot mode, we lock down the kernel to
> prevent userspace from modifying the running kernel image. Whilst this
> includes prohibiting access to things like /dev/mem, it must also
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
On Wed, Apr 05, 2017 at 08:48:59AM +0200, Michał Kępień wrote:
> This series introduces further changes to the way LCD backlight is
> handled by fujitsu-laptop. These changes include fixing a bug in code
> responsible for generating brightness-related input events, cleaning up
> handling of
Hi Hongyan,
Can you check if the patch meets your requirement/needs for ISH?
Thanks,
Srinivas
On Wed, 2017-04-05 at 16:21 +0530, Ritesh Raj Sarraf wrote:
> On Tue, 2017-04-04 at 17:44 -0700, Srinivas Pandruvada wrote:
> >
> > Hi Ritesh,
> >
> > Does the attached patch helps?
>
> Thank you
Hi Bjorn,
Please find the pull request for PCI endpoint support below. I've
also included all the history here.
Changes from v5:
*) remove #syscon-cells property added in v5 and used
of_parse_phandle_with_fixed_args
*) fix compilation error in make.cross ARCH=blackfin that was because
Hi Bjorn,
On Wednesday 05 April 2017 02:06 AM, Bjorn Helgaas wrote:
> On Mon, Mar 27, 2017 at 03:14:56PM +0530, Kishon Vijay Abraham I wrote:
>> Hi Bjorn,
>>
>> Please find the pull request for PCI endpoint support below. I've
>> also included all the history here.
>
> I tentatively applied this
When coherent DMA memory without struct page is shared, importer
fails to find the page and runs into kernel page fault when it
tries to dmabuf_ops_attach/map_sg/map_page the invalid page found
in the sg_table. Please see www.spinics.net/lists/stable/msg164204.html
for more information on this
>
>
> > +static void setup_memwin_p2pmem(struct adapter *adap)
> > +{
> > + unsigned int mem_base = t4_read_reg(adap,
> CIM_EXTMEM2_BASE_ADDR_A);
> > + unsigned int mem_size = t4_read_reg(adap,
> CIM_EXTMEM2_ADDR_SIZE_A);
> > +
> > + if (!use_p2pmem)
> > + return;
>
> This is
>
> > + p2pmem_debugfs_root = debugfs_create_dir("p2pmem", NULL);
> > + if (!p2pmem_debugfs_root)
> > + pr_info("could not create debugfs entry, continuing\n");
> > +
>
> Why continue? I think it'd be better to just fail it.
>
Because not having debugfs support isn't fatal to
On Wed, Apr 05, 2017 at 02:22:21PM +0530, Kishon Vijay Abraham I wrote:
> Introduce a new EP core layer in order to support endpoint functions in
> linux kernel. This comprises the EPC library (Endpoint Controller Library)
> and EPF library (Endpoint Function Library). EPC library implements
>
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
> -Original Message-
> From: Borislav Petkov [mailto:b...@alien8.de]
> Sent: Wednesday, April 05, 2017 12:45 PM
> To: Ghannam, Yazen
> Cc: linux-e...@vger.kernel.org; Tony Luck ;
> x...@kernel.org; linux-kernel@vger.kernel.org
> Subject: Re:
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
From: Dave Young
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix
From: Chun-Yi Lee
When KEXEC_VERIFY_SIG is not enabled, kernel should not loads image
through kexec_file systemcall if securelevel has been set.
This code was showed in Matthew's patch but not in git:
https://lkml.org/lkml/2015/3/13/778
Cc: Matthew Garrett
From: Matthew Garrett
Allowing users to write to address space makes it possible for the kernel to
be subverted, avoiding module loading restrictions. Prevent this when the
kernel has been locked down.
Signed-off-by: Matthew Garrett
UEFI Secure Boot provides a mechanism for ensuring that the firmware will
only load signed bootloaders and kernels. Certain use cases may also
require that all kernel modules also be signed. Add a configuration option
that to lock down the kernel - which includes requiring validly signed
modules
If the kernel is locked down, require that all modules have valid
signatures that we can verify.
Signed-off-by: David Howells
---
kernel/module.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index
When the kernel is running in secure boot mode, we lock down the kernel to
prevent userspace from modifying the running kernel image. Whilst this
includes prohibiting access to things like /dev/mem, it must also prevent
access by means of configuring driver modules in such a way as to cause a
> Currently, the driver doesn't support (2), because, at the time
> I wrote the driver, I didn't find a way to read the interrupts generated
> by tvp5150 at em28xx[1], due to the lack of em28xx documentation,
> but adding support for it shoudn't be hard. I may eventually do it
> when I have some
On Mon, 3 Apr 2017, Vikas Shivappa wrote:
>
> /**
> + * struct rdt_domain - group of cpus sharing an RDT resource
> + * @list:all instances of this resource
> + * @id: unique id for this instance
> + * @cpu_mask:which cpus share this resource
> + * @ctrl_val:
401 - 500 of 1922 matches
Mail list logo