
SecureBoot can't come soon enough


Posted Nov 22, 2012 16:54 UTC (Thu) by dps (subscriber, #5725)
In reply to: SecureBoot can't come soon enough by cesarb
Parent article: A rootkit dissected

My preferred fix would be module signing. If the required key was either not present, because I compiled the kernel elsewhere, or securely shredded, then loading the module would fail and there would be a nasty message in the kernel log.

Real experts could just replace the kernel too, but script kiddies can't. I can't afford to implement write-protected /, /usr, kernel image, etc. If udev or systemd can't cope then I would use something simpler which can.

My personal firewall machine (original Pentium with 2 * 10/100 Ethernet) uses a kernel that does not support modules, period. I don't need SecureBoot to stop you loading modules on that box :-)



SecureBoot can't come soon enough

Posted Nov 22, 2012 19:32 UTC (Thu) by Seegras (guest, #20463)

> ... uses a kernel that does not support modules, period. I don't need
> SecureBoot to stop you loading modules on that box :-)

Aye. I've got no module-loading capability on my firewalls and servers either. For years.

SecureBoot can't come soon enough

Posted Nov 23, 2012 0:02 UTC (Fri) by mjg59 (subscriber, #23239)

There's plenty of ways for root to modify your running kernel without loading modules. Restrictions on module loading are necessary for improved security, but not sufficient.

SecureBoot can't come soon enough

Posted Nov 22, 2012 21:23 UTC (Thu) by paulj (subscriber, #341)

Disabling module loading doesn't stop modules being loaded though...

