lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <761791749.8594444.1377730692707.JavaMail.root@redhat.com>
Date:	Wed, 28 Aug 2013 18:58:12 -0400 (EDT)
From:	Lenny Szubowicz <lszubowi@...hat.com>
To:	Matthew Garrett <matthew.garrett@...ula.com>,
	linux-kernel@...r.kernel.org
Cc:	linux-efi@...r.kernel.org, jwboyer@...hat.com,
	keescook@...omium.org
Subject: Re: [PATCH 0/10] Add additional security checks when module loading
 is restricted



----- Original Message -----
> From: "Matthew Garrett" <matthew.garrett@...ula.com>
> To: "Lenny Szubowicz" <lszubowi@...hat.com>
> Cc: linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org, jwboyer@...hat.com, keescook@...omium.org
> Sent: Wednesday, August 28, 2013 6:41:55 PM
> Subject: Re: [PATCH 0/10] Add additional security checks when module loading is restricted
> 
> On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote:
> 
> > Did you purposely exclude similar checks for hibernate that were covered
> > by earlier versions of your patch set?
> 
> Yes, I think it's worth tying it in with the encrypted hibernation
> support. The local attack is significantly harder in the hibernation
> case - in the face of unknown hardware it basically involves a
> pre-generated memory image corresponding to your system or the ability
> to force a reboot into an untrusted environment. I think it's probably
> more workable to just add a configuration option for forcing encrypted
> hibernation when secure boot is in use.
> 
> --
> Matthew Garrett <matthew.garrett@...ula.com>

I'm root. So I can write anything I want to the swap file that looks
like a valid hibernate image but is code of my choosing. I can read
anything I need from /dev/mem or /dev/kmem to help me do that.
I can then immediately initiate a reboot.

                               -Lenny.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ