| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Jun 2014 22:40:38 +0100 From: Matthew Garrett <mjg59@...f.ucam.org> To: Dmitry Kasatkin <dmitry.kasatkin@...il.com> Cc: Josh Boyer <jwboyer@...hat.com>, David Howells <dhowells@...hat.com>, Mimi Zohar <zohar@...ux.vnet.ibm.com>, Dmitry Kasatkin <d.kasatkin@...sung.com>, keyrings <keyrings@...ux-nfs.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, linux-security-module <linux-security-module@...r.kernel.org> Subject: Re: [PATCH 0/4] KEYS: validate key trust with owner and builtin keys only On Wed, Jun 11, 2014 at 12:34:28AM +0300, Dmitry Kasatkin wrote: > My statement is still valid. It is a hole... > > To prevent the hole it should be explained that one might follow > certain instructions > to take ownership of your PC. Generate your own keys and remove MS and > Vendor ones... The hole is that the system trusts keys that you don't trust. The appropriate thing to do is to remove that trust from the entire system, not just one layer of the system. If people gain the impression that they can simply pass a kernel parameter and avoid trusting the vendor keys, they'll be upset to discover that it's easily circumvented. -- Matthew Garrett | mjg59@...f.ucam.org -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists