Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Matthew Garrett
Date: Fri Feb 08 2013 - 16:07:35 EST


On Fri, 2013-02-08 at 13:02 -0800, Kees Cook wrote:

> I don't find it unreasonable to drop all caps and lose access to
> sensitive things. :) That's sort of the point, really. I think a cap
> is the best match. It seems like it should either be a cap or a
> namespace flag, but the latter seems messy.

Yeah, I think it's an expected outcome, but it means that if (say) qemu
drops privileges, qemu can no longer access PCI resources - even on
non-secure boot systems. That breaks existing userspace.
èº{.nÇ+‰·Ÿ®‰­†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j­¢f£¢·hš‹àz¹®w¥¢¸ ¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðà nÆàþY&—