Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Matthew Garrett
Date: Wed Feb 13 2013 - 21:47:18 EST

Next message: Andrew Bartlett: "Read support for fat_fallocate()? (was [v2] fat: editions tosupport fat_fallocate())"
Previous message: Peter Huewe: "[PATCH] staging/wlan-ng: Fix 'Branch condition evaluates to a garbage value' in p80211netdev.c"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Casey Schaufler: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2013-02-13 at 17:08 -0800, H. Peter Anvin wrote:

> Well, for at least things with device nodes (/dev/mem, /dev/msr and so
> on) it should be possible, no? ioperm() and iopl() are another matter.

Sure, if we can guarantee that a signed userspace loads a signed SELinux
policy before any unsigned code runs. But, realistically, that's not
going to be possible.

--
Matthew Garrett | mjg59@xxxxxxxxxxxxx
èº{.nÇ+‰·Ÿ®‰†+%ŠËlzwm…ébëæìr¸›zX§»®w¥Š{ayºÊÚë,j¢f£¢·hš‹àz¹®w¥¢¸¢·¦j:+v‰¨ŠwèjØm¶Ÿÿ¾«‘êçzZ+ƒùšŽŠÝj"ú!¶iO•æ¬z·švØ^¶m§ÿðÃnÆàþY&—

Next message: Andrew Bartlett: "Read support for fat_fallocate()? (was [v2] fat: editions tosupport fat_fallocate())"
Previous message: Peter Huewe: "[PATCH] staging/wlan-ng: Fix 'Branch condition evaluates to a garbage value' in p80211netdev.c"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Casey Schaufler: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]