[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Konrad Rzeszutek Wilk konrad at darnok.org
Thu Jun 21 23:07:05 UTC 2012


On Thu, Jun 21, 2012 at 7:02 PM, Josh Boyer <jwboyer at redhat.com> wrote:
> On Thu, Jun 21, 2012 at 10:43:06PM +0100, David Howells wrote:
>> Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
>>
>> > We need to talk about what the kernel needs to provide for UEFI secure
>> > boot to be possible, since the alternative is miserable failure and
>> > Linux no longer working on x86 unless people play with the firmware.
>> > That's going to involve at the very least locking down module loading
>> > and various kernel interfaces, but figuring out what else needs to be
>> > covered is fairly important.
>>
>> Yep.  I was about to propose discussing secure boot too.
>>
>> I've been working on module signing that provides one part of this.  We (Red
>> Hat) have tested the fundamentals in RHEL-4, -5 and -6 and now in Rawhide.  I
>> have a set of patches that seems to work very well, but Rusty has decided to
>> take a small issue with one bit of.  It's a matter of the trade-offs you want
>> to choose.
>
> I'd also like to participate in that discussion.
>
> Primarily, I'd like to figure out exactly which path to go on getting
> the modsign patches into the kernel, and then expanding (if needed) on
> that to support Secure Boot.

Ditto here. I am more interested in how the secure boot loader will
work with different kernels - say NetBSD or pxe/iso linux.


More information about the Ksummit-2012-discuss mailing list