lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <loom.20130227T103444-514@post.gmane.org>
Date:	Wed, 27 Feb 2013 09:35:24 +0000 (UTC)
From:	ownssh <ownssh@...il.com>
To:	linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Load keys from signed PE binaries

David Howells <dhowells <at> redhat.com> writes:

> 
> 
> Florian Weimer <fw <at> deneb.enyo.de> wrote:
> 
> > Seriously, folks, can we go back one step and discuss what problem you
> > are trying to solve?  Is it about allowing third-party kernel modules
> > in an environment which does not allow unsigned ring 0 code execution?
> 
> Let me try and lay things out:
> 
>  (1) Like it or not, the reality is that machines exist that have UEFI secure

I think, redhat should have their own root key to sign binary files.
Bootloader of install media can be sign by MS certificates, but only use to add
the redhat root key to UEFI database before install.
It will solve many problems like MS blacklist the keys although redhat said MS
wont do that forever.

And, even you do the all things of A-G, it still wont safe because many
vulnerabilities can let the attacker enter ring0 only use to exploit the exist
signed kernel module or kernel itself.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ