Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Kees Cook
Date: Fri Feb 08 2013 - 16:02:24 EST

On Fri, Feb 8, 2013 at 12:34 PM, Matthew Garrett
<matthew.garrett@xxxxxxxxxx> wrote:
> On Fri, 2013-02-08 at 12:28 -0800, Kees Cook wrote:
>> Maybe a capability isn't the right way to go, I'm not sure. I'll leave
>> that to Matthew. Whatever the flag, it should be an immutable state of
>> the boot. Though, it probably makes sense as a cap just so that
>> non-secure-boot systems can still remove it from containers, etc.
> There was interest in ensuring that this wasn't something special-cased
> to UEFI Secure Boot, so using a capability seemed like the most
> straightforward way - it's fundamentally a restriction on what an
> otherwise privileged user is able to do, so it seemed like it fit the
> model. But I'm not wed to it in the slightest, and in fact it causes
> problems for some userspace (anything that drops all capabilities
> suddenly finds itself unable to do something that it expects to be able
> to do), so if anyone has any suggestions for a better approach…

I don't find it unreasonable to drop all caps and lose access to
sensitive things. :) That's sort of the point, really. I think a cap
is the best match. It seems like it should either be a cap or a
namespace flag, but the latter seems messy.


Kees Cook
Chrome OS Security
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at