Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Paolo Bonzini
Date: Wed Feb 13 2013 - 14:56:08 EST

Next message: Linus Torvalds: "Re: Debugging Thinkpad T430s occasional suspend failure."
Previous message: Peter Hurley: "[PATCH] pps: Fix build breakage from decoupling pps from tty"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Il 13/02/2013 18:22, H. Peter Anvin ha scritto:
>>
>> On non-x86 machines CAP_SYS_RAWIO is much less dangerous, especially
>> when coupled with file DAC.

Discretionary Access Control.

> Either way, I think you are at best deluded and more like you just
> completely wrong about CAP_SYS_RAWIO being "less dangerous on non-x86
> machines". With the possible exception of s390 I suspect it is, in
> fact, more dangerous.

I may well be wrong, but as a quick data point CAP_SYS_RAWIO has no
occurrences in arch/ except arch/x86. Of course a lot of driver
functionality will be limited to CAP_SYS_RAWIO, but usually this
requires having a file descriptor for some file.

Paolo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Linus Torvalds: "Re: Debugging Thinkpad T430s occasional suspend failure."
Previous message: Peter Hurley: "[PATCH] pps: Fix build breakage from decoupling pps from tty"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]