[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Guenter Roeck linux at roeck-us.net
Wed Jun 27 18:29:44 UTC 2012


On Wed, Jun 27, 2012 at 07:22:26PM +0100, Matthew Garrett wrote:
> On Wed, Jun 27, 2012 at 11:20:54AM -0700, Stephen Hemminger wrote:
> 
> > It is even worse than that. What about hardware that has test
> > registers? I know of boards that have the ability to write DMA to arbitrary
> > locations by programming the registers. This means it would be impossible
> > to allow this PCI space to be written from user mode processes. Extending
> > that to the general case, it would make user mode control of hardware
> > illegal. Probably need to disable all userspace device access if doing
> > this crap. Alternatively, we have to add another security layer to deal
> > with signed applications.
> 
> Yes, no PCI access from userspace. My current patchset is 
> http://www.codon.org.uk/~mjg59/tmp/ftsoefi/
> 
In dealing with networking companies, I have seen 1) the desire to write many if
not all PCI drivers as userspace drivers (please, don't shoot the messenger - I
neither like nor approve that idea), and 2) to have a signed kernel as well as
signed applications. Given that, I think it would be useful to permit PCI device
access by signed applications.

Guenter

