Date: Thu, 8 Nov 2012 11:19:28 +0000
From: Alan Cox <alan@...rguk.ukuu.org.uk>
To: James Courtier-Dutton <james.dutton@...il.com>
Cc: Matthew Garrett <mjg59@...f.ucam.org>, Olivier Galibert <galibert@...ox.com>, Florian Weimer <fw@...eb.enyo.de>, Chris Friesen <chris.friesen@...band.com>, "Eric W. Biederman" <ebiederm@...ssion.com>, "H. Peter Anvin" <hpa@...or.com>, James Bottomley <James.Bottomley@...senpartnership.com>, Pavel Machek <pavel@....cz>, Eric Paris <eparis@...isplace.org>, Jiri Kosina <jkosina@...e.cz>, Oliver Neukum <oneukum@...e.de>, Josh Boyer <jwboyer@...il.com>, LKML Mailing List <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, linux-efi@...r.kernel.org
Subject: Re: [RFC] Second attempt at kernel secure boot support

> You have a fair chance of protecting via physical means (Locked rooms,
> Background checks on users etc.) of preventing a user with malicious intent
> to access the local machine.

So called "secure boot" doesn't deal with any kind of physical access,
which also means it's useless if a device is lost and returned and you
don't know if it was in the hands of a third party.

> The first thing a computer does when switched on is run its first code
> instructions. Commonly referred to as the BIOS.

A good deal more complicated than that. However the signing in hardware
and early boot up on a lot of devices already goes as far as the BIOS if
the system has BIOS or EFI if it doesn't. You also have all the devices
to deal with.

> Normally digital signatures would examine the binary, ensure the signature
> matches, and then run the code contained in it.

No - it's a good deal more complicated than that too.