lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20121206061903.GA3068@srcf.ucam.org> Date: Thu, 6 Dec 2012 06:19:03 +0000 From: Matthew Garrett <mjg59@...f.ucam.org> To: "H. Peter Anvin" <hpa@...or.com> Cc: Yinghai Lu <yinghai@...nel.org>, Bjorn Helgaas <bhelgaas@...gle.com>, linux-kernel@...r.kernel.org, linux-pci@...r.kernel.org, linux-efi@...r.kernel.org, mfleming@...el.com, dwmw2@...radead.org, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: Use PCI ROMs from EFI boot services On Wed, Dec 05, 2012 at 05:21:44PM -0800, H. Peter Anvin wrote: > On 12/05/2012 05:13 PM, Matthew Garrett wrote: > >Yeah, it needs to be hidden from root - but ideally we'd be passing it to the second kernel if we kexec. Alternative would be for it to be capability bounded to a trusted signed kexec binary if we implement Vivek's IMA-based approach. > > > > Either way a security flag in the type field makes sense. I've no objection to that, although I'm not sure there's any real reason to expose an incomplete setup_data to userspace. Any scenario in which kexec can't read the full data is one where kexec won't be able to call sys_kexec() anyway. -- Matthew Garrett | mjg59@...f.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists