| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 09 Sep 2013 09:42:59 -0700 From: "H. Peter Anvin" <hpa@...or.com> To: Matthew Garrett <matthew.garrett@...ula.com> CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "keescook@...omium.org" <keescook@...omium.org>, "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>, "linux-efi@...r.kernel.org" <linux-efi@...r.kernel.org>, "jmorris@...ei.org" <jmorris@...ei.org>, "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 01/12] Add BSD-style securelevel support On 09/09/2013 09:30 AM, Matthew Garrett wrote: > On Mon, 2013-09-09 at 09:27 -0700, H. Peter Anvin wrote: > >> This will break or have to be redefined once you have signed kexec. > > Yeah. I wasn't really sure how to define it based on an implementation > that isn't there yet - saying "kexec_load() of untrusted binaries" > implies that there's some way to do it for trusted binaries. > However, this is the fundamental problem with securelevel: it assumes there is not only a strict ordering between things to be secured, but also that specific rings will remain the meaningful levels forever. Neither of this tend to be true long time... which leads one back to capabilities. -hpa -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists