| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 31 Oct 2012 23:00:42 +0100 (CET) From: Jiri Kosina <jkosina@...e.cz> To: Chris Friesen <chris.friesen@...band.com> Cc: Oliver Neukum <oneukum@...e.de>, Alan Cox <alan@...rguk.ukuu.org.uk>, Matthew Garrett <mjg59@...f.ucam.org>, Josh Boyer <jwboyer@...il.com>, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org Subject: Re: [RFC] Second attempt at kernel secure boot support On Wed, 31 Oct 2012, Chris Friesen wrote: > > That would do it on my system. > > Maybe in theory you could solve this by the kernel invalidating images > > it hasn't written itself and forbidding to change the resume partition from > > the > > kernel command line, but that would break user space hibernation. > > If the resuming kernel refuses to resume from images it didn't create itself, > why do you need to forbid changing the resume partition from the kernel > command line? Yeah, it can definitely be solved by pushing keys around from shim to kernel (and kernel discarding the private keys at right moments). It just needs to be implemented. -- Jiri Kosina SUSE Labs -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists