[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
Michael S. Tsirkin
mst at redhat.com
Wed Jun 27 21:04:38 UTC 2012
On Wed, Jun 27, 2012 at 01:37:50PM -0400, Steven Rostedt wrote:
> On Wed, 2012-06-27 at 19:28 +0200, Jiri Kosina wrote:
> > On Wed, 27 Jun 2012, Matthew Garrett wrote:
> >
> > > If anything's able to write into kernel memory then I think we've
> > > already got fairly significant problems. The model I was envisaging
> > > would involve the kernel verifying the kdump kernel when userspace loads
> > > it.
> >
> > It's not an exception when kernel security vulnerability gives the
> > attacker the possibility to overwrite arbitrary memory locations. As UEFI
> > secure boot is apparently not able to provide any
> > protection/countermeasure against this, I am really wondering what it is
> > good for in reality.
> >
>
> Exactly. As soon as any signed kernel (Windows, Linux or other) has a
> root hole that can modify kernel memory, the entire system has been
> compromised.
>
> Thus, what is this protecting? Just a bigger wall for crackers to leap
> over?
>
> -- Steve
Seems useful as a way to protect Linux from Windows in a dual boot setup.
Put Linux on an encrypted partition. If bootloader is protected I
could switch OSes: download and run random stuff on windows,
and be somewhat secure in the knowledge it can't infect
Linux.
--
MST
More information about the Ksummit-2012-discuss
mailing list