Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Kees Cook
Date: Sat Feb 09 2013 - 01:45:43 EST

Next message: Vineet Gupta: "Re: [PATCH 4/4] serial/arc-uart: switch to devicetree based probing"
Previous message: Peter Ujfalusi: "Re: [PATCH v2 09/11] mfd: twl-core: Collect global variables behindone private structure (global)"
In reply to: Matthew Garrett: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Borislav Petkov: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 8, 2013 at 5:29 PM, Matthew Garrett
<matthew.garrett@xxxxxxxxxx> wrote:
> On Fri, 2013-02-08 at 17:22 -0800, H. Peter Anvin wrote:
>
>> You don't have to build the kernel twice to exclude a loadable module.
>
> I guess you could just strip the signatures off any modules you don't
> want to support under Secure Boot, but that breaks some other use cases.

Also, _reading_ MSRs from userspace arguably has utility that doesn't
compromise ring-0. So excluding the driver entirely seems like
overkill.

-Kees

--
Kees Cook
Chrome OS Security
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Vineet Gupta: "Re: [PATCH 4/4] serial/arc-uart: switch to devicetree based probing"
Previous message: Peter Ujfalusi: "Re: [PATCH v2 09/11] mfd: twl-core: Collect global variables behindone private structure (global)"
In reply to: Matthew Garrett: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Borislav Petkov: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]