Re: Do not allow MSR or Embedded Controller writes from userspace in secure boot case

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 08, 2012 at 09:44:11AM -0500, Shea Levy wrote:

> How is secureboot_enable=no ok? Unless we're disabling efivarfs in
> secureboot mode root can change the kernel command line.

What do you mean by "ok"? Ubuntu ship a signed kernel without requiring 
signed modules, so any in-kernel protections can be trivially 
circumvented. They've made that decision based on a risk/benefit 
analysis. Every vendor is going to have to make their own analysis, and 
it's not guaranteed that the upstream kernel is going to precisely match 
any of them.

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux