lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd3b2e67-92af-494d-ba2d-4179ead6e06b@email.android.com> Date: Wed, 05 Dec 2012 20:13:29 -0500 From: Matthew Garrett <mjg59@...f.ucam.org> To: "H. Peter Anvin" <hpa@...or.com> CC: Yinghai Lu <yinghai@...nel.org>, Bjorn Helgaas <bhelgaas@...gle.com>, linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org, linux-efi@...r.kernel.org, mfleming@...el.com, dwmw2@...radead.org, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: Use PCI ROMs from EFI boot services "H. Peter Anvin" <hpa@...or.com> wrote: >And that presumably would be something that cannot be exposed to root? >If so we may want to use one of the bits in the setup_data type field >as >a security flag, perhaps... Yeah, it needs to be hidden from root - but ideally we'd be passing it to the second kernel if we kexec. Alternative would be for it to be capability bounded to a trusted signed kexec binary if we implement Vivek's IMA-based approach. -- Matthew Garrett | mjg59@...f.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists