> [1] Yes, it doesn't buy all that much, since if the system is rooted
> the adversary can just replace the kernel in /boot and force a normal,
> slower reboot, but the same could be said for signed modules --- the
> adversary could just replace all of /boot/vmlinux-<kver> and
> /lib/modules/<kver>. But both measures make it a tad bit more
> difficult, especially for the adversary to do this replacement without
> being noticed (for example Linode will send me e-mail if the system
> reboots normally, but not with a kexec-mediated reboot), and for cloud
> systems where we don't have secure boot anyway, it's about the best we
> can do.

It's about the same as the protection offered by the "secure" boot patches
I've seen because they don't block all kernel boot parameters except a
whitelist and because there are a pile of other fairly fundamental problems
that probably require you also sign the root file system, which is itself a
world of pain.

Alan