On Thu, 2010-04-01 at 15:02 +1100, James Morris wrote:
> On Wed, 31 Mar 2010, Eric Paris wrote:
>
> > Simple answer is 'because Intel says so.' I'm sorry but I don't think
> > I'm allowed to divulge any reasons Intel may or may not have shared with
> > Red Hat.
>
> It seems odd to me that the full design and operation of a security
> mechanism is not being made available, and that the reasons for this
> are also not able to be divulged.
>
> Note that an SINIT AC module was recently reverse engineered, found to be
> buggy, and then used to break TXT:
>
> http://theinvisiblethings.blogspot.com/2009/12/another-txt-attack.html
>
> I really hope the secrecy of the AC module is not part of its security
> design.
>
> In any case, I don't see any technical reason not to enable the option.

As far as I know the security of TXT in no way relies upon keeping the
SINIT module closed source.

-- 
Stephen Smalley
National Security Agency

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel