[PATCH 0/2] Allow individual features to be locked down
Dan Williams
dan.j.williams at intel.com
Wed Apr 9 15:45:05 UTC 2025
Paul Moore wrote:
> On Fri, Mar 21, 2025 at 6:24 AM Nikolay Borisov <nik.borisov at suse.com> wrote:
> >
> > This simple change allows usecases where someone might want to lock only specific
> > feature at a finer granularity than integrity/confidentiality levels allows.
> > The first likely user of this is the CoCo subsystem where certain features will be
> > disabled.
> >
> > Nikolay Borisov (2):
> > lockdown: Switch implementation to using bitmap
> > lockdown/kunit: Introduce kunit tests
>
> Hi Nikolay,
>
> Thanks for the patches! With the merge window opening in a few days,
> it is too late to consider this for the upcoming merge window so
> realistically this patchset is two weeks out and I'm hopeful we'll
> have a dedicated Lockdown maintainer by then so I'm going to defer the
> ultimate decision on acceptance to them.
The patches in this thread proposed to selectively disable /dev/mem
independent of all the other lockdown mitigations. That goal can be
achieved with more precision with this proposed patch:
http://lore.kernel.org/67f5b75c37143_71fe2949b@dwillia2-xfh.jf.intel.com.notmuch
More information about the Linux-security-module-archive
mailing list