Message-ID: <20150615131728.GK15793@thunk.org>
Date: Mon, 15 Jun 2015 09:17:28 -0400
From: Theodore Ts'o <tytso@....edu>
To: Josh Boyer <jwboyer@...oraproject.org>
Cc: Eric Biederman <ebiederm@...ssion.com>,
David Howells <dhowells@...hat.com>,
kexec <kexec@...ts.infradead.org>,
"Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>
Subject: Re: kexec_load(2) bypasses signature verification

On Mon, Jun 15, 2015 at 08:14:19AM -0400, Josh Boyer wrote:
> Yes, which is why most of the distro vendors carry an out-of-tree
> patch that disables the old kexec in an SB setup. It would be nice if
> we could merge said patches. However, they depend on Matthew's
> secure_modules/trusted_kernel/<whatever name that works> patchset
> which has gotten little movement since we came up with a tentative
> agreement at LPC 2013.

Signed modules is in, though, right? And the fact that we have
CONFIG_SIGNED_PE_FILE_VERIFICATION means we're doing unnatural file
signatures w/o using ELF, which I thought was the basis of Linus's
accusation that Red Hat was performing intimate/physical acts with
Microsoft. :-)

I would have thought those were the nasty bits to get in; out of
curiosity, what's still missing?

Regards,

- Ted