Re: [PATCH] x86: Lock down MSR writing in secure boot

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: "H. Peter Anvin" <hpa@xxxxxxxxx>
Subject: Re: [PATCH] x86: Lock down MSR writing in secure boot
From: Matthew Garrett <matthew.garrett@xxxxxxxxxx>
Date: Thu, 14 Feb 2013 02:46:58 +0000
Accept-language: en-US
Cc: Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Kees Cook <keescook@xxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, "x86@xxxxxxxxxx" <x86@xxxxxxxxxx>, "linux-efi@xxxxxxxxxxxxxxx" <linux-efi@xxxxxxxxxxxxxxx>, linux-security-module <linux-security-module@xxxxxxxxxxxxxxx>
In-reply-to: <511C3927.90603@zytor.com>
Thread-index: AQHOBjA7mQsIMlqU/k+EElzc7Yz1iZhwVXgAgAAAbACAAAawAIAACLcAgAABPICAAAKrAIAAAdKAgAAHwICAABjCAIAAChOAgAAFkwCAACBDAIAAAhCAgABYQICAAC3GgIAAX64AgAVYBQCAAFFaAIAACSmAgAAEVgCAAAGkAIAAAlCAgACyhQCAAAGlgIAABt2AgABM/ICAAAjdAIAAGGYAgAAFWoCAAAV5AIAAATmAgAAbZQA=
Thread-topic: [PATCH] x86: Lock down MSR writing in secure boot

On Wed, 2013-02-13 at 17:08 -0800, H. Peter Anvin wrote:

> Well, for at least things with device nodes (/dev/mem, /dev/msr and so
> on) it should be possible, no?  ioperm() and iopl() are another matter.

Sure, if we can guarantee that a signed userspace loads a signed SELinux
policy before any unsigned code runs. But, realistically, that's not
going to be possible.

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
��.n��������+%������w��{.n�����{����*jg��������ݢj����G�������j:+v���w�m������w�������h�����٥

References:
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Kees Cook
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Borislav Petkov
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Kees Cook
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Borislav Petkov
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Casey Schaufler
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Casey Schaufler
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Casey Schaufler
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: Matthew Garrett
- Re: [PATCH] x86: Lock down MSR writing in secure boot
  - From: H. Peter Anvin

Prev by Date: Re: [PATCH] x86: Lock down MSR writing in secure boot
Next by Date: Re: [PATCH] efi: Clear EFI_RUNTIME_SERVICES rather than EFI_BOOT by "noefi" boot parameter
Previous by thread: Re: [PATCH] x86: Lock down MSR writing in secure boot
Next by thread: Re: [PATCH] x86: Lock down MSR writing in secure boot
Index(es):
- Date
- Thread

[Index of Archives] [Linux ARM Kernel] [Linux ARM] [Linux Omap] [Fedora ARM] [IETF Annouce] [Security] [Bugtraq] [Linux OMAP] [Linux MIPS] [ECOS] [Asterisk Internet PBX] [Linux API]