| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 04 Apr 2018 00:04:51 +0000
From: Matthew Garrett <mjg59@...gle.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: luto@...nel.org, David Howells <dhowells@...hat.com>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>, jmorris@...ei.org,
Alan Cox <gnomes@...rguk.ukuu.org.uk>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
jforbes@...hat.com, linux-man@...r.kernel.org, jlee@...e.com,
LSM List <linux-security-module@...r.kernel.org>,
linux-api@...r.kernel.org, Kees Cook <keescook@...omium.org>,
linux-efi <linux-efi@...r.kernel.org>
Subject: Re: [GIT PULL] Kernel lockdown for secure boot
On Tue, Apr 3, 2018 at 5:02 PM Linus Torvalds
<torvalds@...ux-foundation.org>
wrote:
> On Tue, Apr 3, 2018 at 4:47 PM, Matthew Garrett <mjg59@...gle.com> wrote:
> >> Another way of looking at this: if lockdown is a good idea to enable
> >> when you booted using secure boot, then why isn't it a good idea when
> >> you *didn't* boot using secure boot?
> >
> > Because it's then trivial to circumvent and the restrictions aren't
worth
> > the benefit.
> Bullshit.
> If there those restrictions cause problems, they need to be fixed
regardless.
How? When there are random DMA-capable PCI devices that are driven by
userland tools that are mmap()ing the BARs out of sysfs, how do we
simultaneously avoid breaking those devices while also preventing the
majority of users from being vulnerable to an attacker just DMAing over the
kernel?
Powered by blists - more mailing lists