[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
Josh Boyer
jwboyer at redhat.com
Thu Jun 21 23:02:35 UTC 2012
On Thu, Jun 21, 2012 at 10:43:06PM +0100, David Howells wrote:
> Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
>
> > We need to talk about what the kernel needs to provide for UEFI secure
> > boot to be possible, since the alternative is miserable failure and
> > Linux no longer working on x86 unless people play with the firmware.
> > That's going to involve at the very least locking down module loading
> > and various kernel interfaces, but figuring out what else needs to be
> > covered is fairly important.
>
> Yep. I was about to propose discussing secure boot too.
>
> I've been working on module signing that provides one part of this. We (Red
> Hat) have tested the fundamentals in RHEL-4, -5 and -6 and now in Rawhide. I
> have a set of patches that seems to work very well, but Rusty has decided to
> take a small issue with one bit of. It's a matter of the trade-offs you want
> to choose.
I'd also like to participate in that discussion.
Primarily, I'd like to figure out exactly which path to go on getting
the modsign patches into the kernel, and then expanding (if needed) on
that to support Secure Boot.
josh
More information about the Ksummit-2012-discuss
mailing list