| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Apr 2013 21:42:54 +0300 From: Dmitry Kasatkin <dmitry.kasatkin@...il.com> To: Vivek Goyal <vgoyal@...hat.com> Cc: Mimi Zohar <zohar@...ux.vnet.ibm.com>, Josh Boyer <jwboyer@...il.com>, Matthew Garrett <mjg59@...f.ucam.org>, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [RFC 2/2] initramfs with digital signature protection On Thu, Apr 11, 2013 at 5:55 PM, Vivek Goyal <vgoyal@...hat.com> wrote: > On Thu, Apr 11, 2013 at 11:06:55AM +0300, Dmitry Kasatkin wrote: >> Hello, >> >> I respond to the original question of this thread. >> signed initramfs allows not only to add keys to the keyrings but perform >> other initialization, >> which requires user-space. >> Keys can be embedded into the kernel. This is fine. > > What other initialization user space need to do where we can't trust > root (even in secureboot mode). > > IOW, if keys can be embedded in kernel (or read from UEFI db and MOK db), > what other operation requires initramfs to be signed. It could very well > be unsigned initramfs like today. > It looks like you do not hear me. I said that any user space initialization can be done from signed user space. For example IMA policy can be initialized. I see that you see your particular case and in that case you do not require that. That is fine. That is your case.... - Dmitry > Thanks > Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists