[Ksummit-2012-discuss] [ATTEND] ACPI, UEFI, kernel security

Jiri Kosina jkosina at suse.cz
Fri Jun 29 16:59:32 UTC 2012


On Fri, 29 Jun 2012, Guenter Roeck wrote:

> > > As far as I know, secure boot is not only for booting but it also
> > > includes authentication of all executable binaries, including
> > > applications. Thus, the user can't execute any untrusted (not-signed)
> > > binary and programs, such as viruses, (unauthenticated :)) malware.
> > 
> > No, it doesn't imply any signing of userspace.
> > 
> Are there any plans to add support for signed binaries, similar to what
> the digsig module used to provide?

I highly doubt that this will be useful in practice.

- how about all the interpreted stuff (bash, perl, awk, ...)? I don't
  think you can get rid of those completely except for very very
  specialized systems (and those you can often just have on some R/O only
  media anyway)
- hooking execve() definitely is not enough, you'd have to have complete
  support in the userspace toolchain (think of dlopen(), or dynamic
  linking in general)
- you'd forbid strace() completely on such a system, right?

-- 
Jiri Kosina
SUSE Labs
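
The following is an added example, not part of the original message or of any kernel code. It illustrates the dlopen()/dynamic-linking point for anyone scoping a signed-binary policy: it parses text in /proc/<pid>/maps format and lists every executable mapping that does not come from the file named in execve(). The sample maps text and the function names are constructed for illustration.

```python
import re

# Constructed sample in /proc/<pid>/maps format (not captured from a real host).
SAMPLE_MAPS = """\
00400000-0040c000 r-xp 00000000 08:01 1311 /usr/bin/cat
0060b000-0060c000 rw-p 0000b000 08:01 1311 /usr/bin/cat
7f3a10000000-7f3a101b0000 r-xp 00000000 08:01 2201 /lib/x86_64-linux-gnu/libc.so.6
7f3a103b0000-7f3a103b4000 r--p 001b0000 08:01 2201 /lib/x86_64-linux-gnu/libc.so.6
7f3a10600000-7f3a10622000 r-xp 00000000 08:01 2190 /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f3a10800000-7f3a10801000 rwxp 00000000 00:00 0
7ffd2c1e0000-7ffd2c1e2000 r-xp 00000000 00:00 0 [vdso]
"""

# Fields: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$")


def executable_mappings(maps_text):
    """Return ordered, de-duplicated (kind, path) pairs for executable mappings."""
    seen, result = set(), []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m or "x" not in m.group(1):
            continue  # malformed line or mapping without execute permission
        inode, path = m.group(2), m.group(3).strip()
        # inode 0 means no backing file: nothing on disk that could carry a signature
        entry = ("anonymous", path or "[anon]") if inode == "0" else ("file", path)
        if entry not in seen:
            seen.add(entry)
            result.append(entry)
    return result


def code_beyond_execve_target(maps_text, exe_path):
    """Executable mappings whose source is not the file passed to execve()."""
    return [e for e in executable_mappings(maps_text) if e[1] != exe_path]


if __name__ == "__main__":
    for kind, path in code_beyond_execve_target(SAMPLE_MAPS, "/usr/bin/cat"):
        print(f"{kind:9} {path}")
```

Everything the function returns is code that a check on the execve() target alone never examined, so a signature policy would also have to cover the path by which those mappings are created.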

