Open Source and information security mailing list archives
Date:	Wed, 27 Feb 2013 09:35:24 +0000 (UTC)
From:	ownssh <ownssh@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Load keys from signed PE binaries

David Howells <dhowells <at> redhat.com> writes:

> 
> 
> Florian Weimer <fw <at> deneb.enyo.de> wrote:
> 
> > Seriously, folks, can we go back one step and discuss what problem you
> > are trying to solve?  Is it about allowing third-party kernel modules
> > in an environment which does not allow unsigned ring 0 code execution?
> 
> Let me try and lay things out:
> 
>  (1) Like it or not, the reality is that machines exist that have UEFI secure

I think Red Hat should have its own root key to sign binary files.
The bootloader on the install media can be signed by MS certificates, but it would only
be used to add the Red Hat root key to the UEFI database before the install.
This would solve many problems, such as MS blacklisting the keys, although Red Hat said MS
won't ever do that.

And even if you do all the things in A-G, it still won't be safe, because many
vulnerabilities can let the attacker enter ring 0 just by exploiting an existing
signed kernel module or the kernel itself.
