[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security
jkosina at suse.cz
Fri Jun 29 16:59:32 UTC 2012
On Fri, 29 Jun 2012, Guenter Roeck wrote:
> > > As far as I know, secure boot is not only for booting but it also
> > > includes authentication of all executable binaries, including
> > > applications. Thus, the user can't execute any untrusted (not-signed)
> > > binaries and programs, such as viruses and (unauthenticated :)) malware.
> > No, it doesn't imply any signing of userspace.
> Are there any plans to add support for signed binaries, similar to what
> the digsig module used to provide?
I highly doubt that this will be useful in practice.
- how about all the interpreted stuff (bash, perl, awk, ...)? I don't
  think you can get rid of those completely except for very very
  specialized systems (and those you can often just have on some R/O only
- hooking execve() definitely is not enough, you'd have to have complete
  support in the userspace toolchain (think of dlopen(), or dynamic
  linking in general)
- you'd forbid strace() completely on such a system, right?