On Thu, 2012-11-01 at 10:45 +0100, Jiri Kosina wrote: > On Thu, 1 Nov 2012, James Bottomley wrote: > > > I'm actually just struggling to understand the use case for these more > > esoteric protections. > > I believe the real point is drawing a clear line between trusted and > untrusted (with root being userspace, hence implicitly untrusted), and > disallowing "legitimate crossing" of this line. But that doesn't really help me: untrusted root is an oxymoron. I get capability separated systems, where you invest trust in layers and you make each layer small and verifiable, so you have a granular trust policy you build up. I really don't understand the use case for trying to remove a small portion of trust from the huge trust domain of root and then doing a massive amount of fixup around the edges because there's leaks all over the place from the trust that root still has. It all seems to be a bit backwards. If you just begin with the capability separated granular system, I don't see why it doesn't all just work with what we have today. James -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html