Re: [PATCH] x86: Lock down MSR writing in secure boot
[Posted March 12, 2013 by mkerrisk]
| From: |
| Matthew Garrett <matthew.garrett-AT-nebula.com> |
| To: |
| "H. Peter Anvin" <hpa-AT-zytor.com> |
| Subject: |
| Re: [PATCH] x86: Lock down MSR writing in secure boot |
| Date: |
| Wed, 13 Feb 2013 06:27:40 +0000 |
| Message-ID: |
| <1360736860.18083.33.camel@x230.lan> |
| Cc: |
| Borislav Petkov <bp-AT-alien8.de>, Kees Cook <keescook-AT-chromium.org>,
LKML <linux-kernel-AT-vger.kernel.org>,
Thomas Gleixner <tglx-AT-linutronix.de>,
Ingo Molnar <mingo-AT-redhat.com>,
"x86-AT-kernel.org" <x86-AT-kernel.org>,
"linux-efi-AT-vger.kernel.org" <linux-efi-AT-vger.kernel.org>,
linux-security-module <linux-security-module-AT-vger.kernel.org> |
| Archive‑link: | |
Article |
On Tue, 2013-02-12 at 22:12 -0800, H. Peter Anvin wrote:
> Sounds like you are thinking of CAP_SYS_ADMIN, but I don't really see a
> huge difference between MSRs and I/O control registers... just different
> address spaces.
Not having CAP_SYS_RAWIO blocks various SCSI commands, for instance.
These might result in the ability to write individual blocks or destroy
the device firmware, but do any of them permit modifying the running
kernel?
