Re: [PATCH 07/11] kexec: Disable in a secure boot environment

From: Matthew Garrett
Date: Wed Sep 05 2012 - 17:41:42 EST

Next message: BenoÃt ThÃbaudeau: "Re: [PATCH 7/8] pwm i.MX: fix clock lookup"
Previous message: Kees Cook: "Re: [PATCH] Yama: handle 32-bit userspace prctl"
In reply to: Mimi Zohar: "Re: [PATCH 07/11] kexec: Disable in a secure boot environment"
Next in thread: Eric Paris: "Re: [PATCH 07/11] kexec: Disable in a secure boot environment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Sep 05, 2012 at 05:13:49PM -0400, Mimi Zohar wrote:

> Normally capabilities provide additional permissions. So if you don't
> have the capability, an errno is returned. CAP_SYS_BOOT is a good
> example. With CAP_SECURE_FIRMWARE, it reads backwards - if not
> CAP_SECURE_FIRMWARE, return error. I think you want to invert the name
> to CAP_NOT_SECURE_FIRMWARE, CAP_NOT_SECURE_BOOT or perhaps
> CAP_UNSECURED_BOOT.

Yeah, I think renaming the cap is a given.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: BenoÃt ThÃbaudeau: "Re: [PATCH 7/8] pwm i.MX: fix clock lookup"
Previous message: Kees Cook: "Re: [PATCH] Yama: handle 32-bit userspace prctl"
In reply to: Mimi Zohar: "Re: [PATCH 07/11] kexec: Disable in a secure boot environment"
Next in thread: Eric Paris: "Re: [PATCH 07/11] kexec: Disable in a secure boot environment"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]