Re: [PATCH] x86: Lock down MSR writing in secure boot

From: H. Peter Anvin
Date: Wed Feb 13 2013 - 17:25:40 EST

On 02/13/2013 11:55 AM, Paolo Bonzini wrote:
Il 13/02/2013 18:22, H. Peter Anvin ha scritto:

On non-x86 machines CAP_SYS_RAWIO is much less dangerous, especially
when coupled with file DAC.

Discretionary Access Control.

Either way, I think you are at best deluded and more like you just
completely wrong about CAP_SYS_RAWIO being "less dangerous on non-x86
machines". With the possible exception of s390 I suspect it is, in
fact, more dangerous.

I may well be wrong, but as a quick data point CAP_SYS_RAWIO has no
occurrences in arch/ except arch/x86. Of course a lot of driver
functionality will be limited to CAP_SYS_RAWIO, but usually this
requires having a file descriptor for some file.

Well, yes, although that could include /dev/mem.


H. Peter Anvin, Intel Open Source Technology Center
I work for Intel. I don't speak on their behalf.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at