lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <50BFF328.5030406@zytor.com> Date: Wed, 05 Dec 2012 17:21:44 -0800 From: "H. Peter Anvin" <hpa@...or.com> To: Matthew Garrett <mjg59@...f.ucam.org> CC: Yinghai Lu <yinghai@...nel.org>, Bjorn Helgaas <bhelgaas@...gle.com>, linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org, linux-efi@...r.kernel.org, mfleming@...el.com, dwmw2@...radead.org, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: Use PCI ROMs from EFI boot services On 12/05/2012 05:13 PM, Matthew Garrett wrote: > > > "H. Peter Anvin" <hpa@...or.com> wrote: > >> And that presumably would be something that cannot be exposed to root? >> If so we may want to use one of the bits in the setup_data type field >> as >> a security flag, perhaps... > > Yeah, it needs to be hidden from root - but ideally we'd be passing it to the second kernel if we kexec. Alternative would be for it to be capability bounded to a trusted signed kexec binary if we implement Vivek's IMA-based approach. > Either way a security flag in the type field makes sense. -hpa -- H. Peter Anvin, Intel Open Source Technology Center I work for Intel. I don't speak on their behalf. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists