[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Matthew Garrett mjg59 at srcf.ucam.org
Sat Jun 23 14:47:53 UTC 2012


On Sat, Jun 23, 2012 at 05:15:19PM +0800, Cong Wang wrote:
> On Fri, Jun 22, 2012 at 1:48 PM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> > Kexec kernels are going to have to be signed in the same way that
> > modules are, but I suspect there's also some subtleties in the handover
> > protocol.
> >
> 
> At least /sbin/kexec needs to be patched to verify the sign key?

We can't trust userspace verification. The kernel needs to verify it as 
well.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org


More information about the Ksummit-2012-discuss mailing list