Re: [PATCH 00/24] Kernel lockdown

2017-04-07 Thread Justin Forbes
On Wed, Apr 5, 2017 at 12:07 PM, David Howells wrote: > > These patches provide a facility by which a variety of avenues by which > userspace can feasibly modify the running kernel image can be locked down. > These include: > > (*) No unsigned modules and no modules for

Re: [PATCH 00/24] Kernel lockdown

2017-04-07 Thread Justin Forbes
On Wed, Apr 5, 2017 at 12:07 PM, David Howells wrote: > > These patches provide a facility by which a variety of avenues by which > userspace can feasibly modify the running kernel image can be locked down. > These include: > > (*) No unsigned modules and no modules for which can't validate the

Re: [PATCH 00/24] Kernel lockdown

2017-04-07 Thread Justin Forbes
On Fri, Apr 7, 2017 at 10:59 AM, Austin S. Hemmelgarn wrote: > On 2017-04-05 16:14, David Howells wrote: >> >> >> These patches provide a facility by which a variety of avenues by which >> userspace can feasibly modify the running kernel image can be locked down. >> These

Re: [PATCH 00/24] Kernel lockdown

2017-04-07 Thread Justin Forbes
On Fri, Apr 7, 2017 at 10:59 AM, Austin S. Hemmelgarn wrote: > On 2017-04-05 16:14, David Howells wrote: >> >> >> These patches provide a facility by which a variety of avenues by which >> userspace can feasibly modify the running kernel image can be locked down. >> These include: >> >> (*) No

Re: [PATCH 00/24] Kernel lockdown

2017-04-07 Thread Austin S. Hemmelgarn
On 2017-04-05 16:14, David Howells wrote: These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include: (*) No unsigned modules and no modules for which can't validate the signature. (*)

Re: [PATCH 00/24] Kernel lockdown

2017-04-06 Thread David Howells
James Morris wrote:
> > The patches can be found here also:
> >
> > http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown
>
> Do you mean the branch 'efi-lock-down' ?

Sorry, yes.

David

Re: [PATCH 00/24] Kernel lockdown

2017-04-06 Thread James Morris
On Wed, 5 Apr 2017, David Howells wrote:
> The patches can be found here also:
>
> http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=efi-lockdown

Do you mean the branch 'efi-lock-down' ?

--
James Morris

[PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include: (*) No unsigned modules and no modules for which can't validate the signature. (*) No use of ioperm(), iopl() and no writing

Re: [PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
Let me try sending this again again. Lee, Chun-Yi as a name causes the mail dispatcher to break :-/ David

[PATCH 00/24] Kernel lockdown

2017-04-05 Thread David Howells
These patches provide a facility by which a variety of avenues by which userspace can feasibly modify the running kernel image can be locked down. These include: (*) No unsigned modules and no modules for which can't validate the signature. (*) No use of ioperm(), iopl() and no writing
