Message-ID: <20121001210734.GB21712@elf.ucw.cz>
Date:	Mon, 1 Oct 2012 23:07:34 +0200
From:	Pavel Machek <pavel@....cz>
To:	Matthew Garrett <mjg59@...f.ucam.org>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC] First attempt at kernel secure boot support

On Tue 2012-09-04 17:12:56, Matthew Garrett wrote:
> On Tue, Sep 04, 2012 at 05:08:53PM +0100, Alan Cox wrote:
> > On Tue,  4 Sep 2012 11:55:06 -0400
> > Matthew Garrett <mjg@...hat.com> wrote:
> > 
> > > The UEFI Secure Boot trust model is based on it not being possible for a
> > > user to cause a signed OS to boot an unsigned OS
> > 
> > Unfortunately you can't fix this at kernel level because an untrusted
> > application can at GUI level fake a system crash, reboot cycle and phish
> > any basic credentials such as passwords for the windows partition.
> 
> Any well-designed software asking for credentials should already be 
> requiring a SAK, so in that case we just need to implement sensible SAK 
> support in Linux.

So... the "secure" boot specification also describes what the SAK is?
It has to be the same on all the operating systems to be effective.

And... you'd need to put SAK functionality into the kernel. (Currently
SAK only notifies the _root_ user. You'd need to implement SAK
functionality displaying a penguin with a "This is not Windows"
message... in kernel).
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html