UEFI secure boot kernel restrictions
Posted Nov 8, 2012 13:52 UTC (Thu) by foom (subscriber, #14868)
This whole "secure boot" exercise is indeed...pointless. :)
Posted Nov 8, 2012 15:04 UTC (Thu) by raven667 (subscriber, #5198)
If we want to work on other kernel security measures then I don't think it should be in the context of Secure Boot as that has been pushed as far as it will go and will take a few years of operational use to cool down. You can start a new project to help prevent unauthorized entry into the kernel, making kexec do signature checking maybe, but you can't _fundamentally_ prevent code from being loaded into the kernel after userspace is started, there are too many holes for that. The kernel team does their level best to plug holes as fast as they can and that's what we have to rely on for now.
Posted Nov 8, 2012 15:22 UTC (Thu) by mjg59 (subscriber, #23239)
Posted Nov 8, 2012 16:25 UTC (Thu) by raven667 (subscriber, #5198)
This is a problem with no easy answers and might not even be a solvable problem given the complexity needed for modern systems. Have you ever read Vernor Vinge's "Deepness in the Sky"?
Posted Nov 8, 2012 16:33 UTC (Thu) by mjg59 (subscriber, #23239)
Posted Nov 8, 2012 16:56 UTC (Thu) by raven667 (subscriber, #5198)
Posted Nov 8, 2012 23:26 UTC (Thu) by hummassa (subscriber, #307)
Posted Nov 9, 2012 18:41 UTC (Fri) by mathstuf (subscriber, #69389)
I'd like a clarification here: initramfs has to have a vulnerability because of:
- what it does; or
- it does so much that *something* it calls is ~100% likely to have *some* vulnerability; or
- something else?
This seems like an important distinction to me, but I'm also unfamiliar with what initramfs actually does or needs to do at a detailed level.
Posted Nov 10, 2012 1:34 UTC (Sat) by hummassa (subscriber, #307)
that's the one :-D
Posted Nov 10, 2012 2:04 UTC (Sat) by raven667 (subscriber, #5198)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds