On Fri, 2013-08-09 at 11:35 -0400, Vivek Goyal wrote: > Also what about all the other patches you had for secureboot where you > closed down all the paths where root could write to kernel memory. So > if you want to protect sig_enforce boolean, then you need to close down > all these paths irrespective of secureboot? Fair point. The bar is slightly higher there, but yes, it seems reasonable to say that enforcing module signing (and, come to think of it, modules_disabled) should also lock down the other obvious mechanisms for root to get code into the kernel. -- Matthew Garrett | mjg59 at srcf.ucam.org
