[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.2.02.1503161333140.32001@nftneq.ynat.uz>
Date: Mon, 16 Mar 2015 13:35:33 -0700 (PDT)
From: David Lang <david@...g.hm>
To: Matthew Garrett <matthew.garrett@...ula.com>
cc: "gnomes@...rguk.ukuu.org.uk" <gnomes@...rguk.ukuu.org.uk>,
"keescook@...omium.org" <keescook@...omium.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"james.l.morris@...cle.com" <james.l.morris@...cle.com>,
"serge@...lyn.com" <serge@...lyn.com>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
"hpa@...or.com" <hpa@...or.com>
Subject: Re: Trusted kernel patchset
On Mon, 16 Mar 2015, Matthew Garrett wrote:
> On Mon, 2015-03-16 at 14:45 +0000, One Thousand Gnomes wrote:
>> On Fri, 13 Mar 2015 11:38:16 -1000
>> Matthew Garrett <matthew.garrett@...ula.com> wrote:
>>
>>> 4) Used the word "measured"
>>>
>>> Nothing is being measured.
>>
>> Nothing is being trusted either. It's simple ensuring you probably have
>> the same holes as before.
>>
>> Also the boot loader should be measuring the kernel before it runs it,
>> thats how it knows the signature is correct.
>
> That's one implementation. Another is the kernel being stored on
> non-volatile media.
Anything that encourages deploying systems that can't be upgraded to fix bugs
that are discovered is a problem.
This is an issue that the Internet of Things folks are just starting to notice,
and it's only going to get worse before it gets better.
How do you patch bugs on your non-volitile media? What keeps that mechansim from
being abused.
David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists