Re: Suggestion: Use a unified kernel image by default in the future.


On Tue, Jun 28, 2022 at 08:27:16PM +0100, David Howells wrote:
> Sharpened Blade via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> > It would be stored with permissions for only root to read it, and your disk
> > should be encrypted, or none of this matters.
> 
> It doesn't matter if your disk is encrypted.  Whilst your computer is online,
> the contents are accessible.  If your kernel memory is accessible through
> /dev/mem or /dev/kmem, there's a chance that your keys can just be read
> directly.
> 
If one can read /dev/mem, he can edit any executable or PAM configuration, in
memory or on a disk, to assure permanent access or to steal any data
existing right now.

There is little benefit in stealing private keys if you have all data
available right now. The only benefit is future off-line attacks by being able
to sign data of your choice. E.g. if you are Microsoft, which signs shim so
that Fedora can actually boot on Secure Boot-enabled devices.

> One of the things secure boot can do is lock down *read* access to your raw
> memory/kernel virtual memory to make it harder for someone to steal your
> secrets.  It's not as secure as using a TPM ought to be, though.
> 
You don't need Secure Boot for that. Simply compile your kernel with
CONFIG_STRICT_DEVMEM=y or CONFIG_DEVMEM=n or any similar hardening option.

-- Petr

Attachment: signature.asc
Description: PGP signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
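The thread turns on whether root can read kernel RAM through /dev/mem or /dev/kmem, and whether that is closed by a build option (CONFIG_DEVMEM, CONFIG_STRICT_DEVMEM, CONFIG_DEVKMEM) or by the lockdown LSM that Secure Boot enables on Fedora. The script below is an added example, not code posted in the thread or shipped by Fedora: it classifies a kernel from its build config text plus the active lockdown mode in /sys/kernel/security/lockdown, and then runs that audit against the live system if a config is found. The function and variable names are the author's own; the sample config and lockdown lines in the usage are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit how much of kernel memory a root
# process can read through /dev/mem and /dev/kmem, from the kernel build config
# and from the runtime lockdown mode that Secure Boot (or lockdown=) enables.
# The classifiers read text from stdin so they can be exercised offline.

# Classify /dev/mem exposure from kernel config text on stdin. Echoes:
#   none     CONFIG_DEVMEM is not set, so /dev/mem does not exist at all
#   strict   CONFIG_STRICT_DEVMEM=y: root can still reach PCI/MMIO through
#            /dev/mem, but reads of system RAM (page tables, keys) are refused
#   exposed  root can read every physical page through /dev/mem
devmem_verdict() {
    _cfg=$(cat)
    if ! printf '%s\n' "$_cfg" | grep -qx 'CONFIG_DEVMEM=y'; then
        echo none
    elif printf '%s\n' "$_cfg" | grep -qx 'CONFIG_STRICT_DEVMEM=y'; then
        echo strict
    else
        echo exposed
    fi
}

# Classify /dev/kmem (kernel virtual memory) from config text on stdin.
# The option was removed from mainline in 5.13, so an absent symbol also
# means the device is not present.
devkmem_verdict() {
    if grep -qx 'CONFIG_DEVKMEM=y'; then
        echo exposed
    else
        echo none
    fi
}

# Parse a /sys/kernel/security/lockdown line such as
# "none [integrity] confidentiality" and echo the bracketed active mode.
# Opening /dev/mem, /dev/kmem and /dev/port is already refused at the
# integrity level (LOCKDOWN_DEV_MEM); confidentiality adds /proc/kcore,
# kprobes, perf and similar read paths. Echoes "unavailable" for empty input.
lockdown_mode() {
    _line=$(cat)
    _mode=$(printf '%s\n' "$_line" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p')
    if [ -n "$_mode" ]; then echo "$_mode"; else echo unavailable; fi
}

# Return 0 (true) when root cannot read kernel RAM through either device,
# 1 when it can. Arguments: devmem verdict, devkmem verdict, lockdown mode.
kernel_ram_protected() {
    case "$3" in integrity|confidentiality) return 0 ;; esac
    [ "$1" != exposed ] && [ "$2" != exposed ]
}

# Audit the running kernel. Config comes from /proc/config.gz or
# /boot/config-$(uname -r); lockdown mode from securityfs when mounted.
audit_running_kernel() {
    if [ -r /proc/config.gz ]; then
        _live_cfg=$(gzip -dc /proc/config.gz)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        _live_cfg=$(cat "/boot/config-$(uname -r)")
    else
        echo "no kernel config found; skipping live audit"
        return 0
    fi
    _dm=$(printf '%s\n' "$_live_cfg" | devmem_verdict)
    _km=$(printf '%s\n' "$_live_cfg" | devkmem_verdict)
    if [ -r /sys/kernel/security/lockdown ]; then
        _ld=$(lockdown_mode < /sys/kernel/security/lockdown)
    else
        _ld=unavailable
    fi
    echo "/dev/mem: $_dm  /dev/kmem: $_km  lockdown: $_ld"
    if kernel_ram_protected "$_dm" "$_km" "$_ld"; then
        echo "root cannot read kernel RAM through /dev/mem or /dev/kmem"
    else
        echo "WARNING: root can read arbitrary kernel RAM"
    fi
}

audit_running_kernel
```

Offline, the same functions can be fed constructed input, e.g. `printf 'CONFIG_DEVMEM=y\nCONFIG_STRICT_DEVMEM=y\n' | devmem_verdict` yields `strict`, while a config with only `CONFIG_DEVMEM=y` yields `exposed`. The audit deliberately treats an unreadable lockdown file as `unavailable` rather than `none`, so a system where securityfs is not mounted is not reported as protected on that basis alone.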
