On Wed, Jul 20, 2016 at 09:35:30AM +0100, Russell King - ARM Linux wrote: > On Wed, Jul 20, 2016 at 01:45:42PM +1000, Balbir Singh wrote: > > > IOW, if your kernel forced signature verification, you should not be > > > able to do sig_enforce=0. If you kernel did not have > > > CONFIG_MODULE_SIG_FORCE=y, then sig_enforce should be 0 by default anyway > > > and you are not making it worse using command line. > > > > OK.. I checked and you are right, but that is an example and there are > > other things like security=, thermal.*, nosmep, nosmap that need auditing > > for safety and might hurt the system security if used. I still think > > think that assuming you can pass any command line without breaking security > > is a broken argument. > > Quite, and you don't need to run code in a privileged environment to do > any of that. > > It's also not trivial to protect against: new kernels gain new arguments > which older kernels may not know about. No matter how much protection > is built into older kernels, newer kernels can become vulnerable through > the addition of further arguments. If a new kernel command line option becomes an issue, new kernel can block that in secureboot environment. That way it helps kexec boot as well as regular boot. Vivek
