All of lore.kernel.org
 help / color / mirror / Atom feed
From: Matthew Garrett <matthew.garrett@nebula.com>
To: "david@lang.hm" <david@lang.hm>
Cc: "keescook@chromium.org" <keescook@chromium.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"james.l.morris@oracle.com" <james.l.morris@oracle.com>,
	"gnomes@lxorguk.ukuu.org.uk" <gnomes@lxorguk.ukuu.org.uk>,
	"serge@hallyn.com" <serge@hallyn.com>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"hpa@zytor.com" <hpa@zytor.com>
Subject: Re: Trusted kernel patchset
Date: Mon, 16 Mar 2015 21:11:27 +0000	[thread overview]
Message-ID: <1426540286.22371.29.camel@nebula.com> (raw)
In-Reply-To: <alpine.DEB.2.02.1503161333140.32001@nftneq.ynat.uz>

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 827 bytes --]

On Mon, 2015-03-16 at 13:35 -0700, David Lang wrote:
> On Mon, 16 Mar 2015, Matthew Garrett wrote:
> > That's one implementation. Another is the kernel being stored on
> > non-volatile media.
> 
> Anything that encourages deploying systems that can't be upgraded to fix bugs 
> that are discovered is a problem.
> 
> This is an issue that the Internet of Things folks are just starting to notice, 
> and it's only going to get worse before it gets better.
> 
> How do you patch bugs on your non-volitile media? What keeps that mechansim from 
> being abused.

Nothing stops people from deploying kernels on non-volatile media right
now. This doesn't change anything.
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥

  parent reply	other threads:[~2015-03-16 22:45 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-03-13 21:38 Trusted kernel patchset Matthew Garrett
2015-03-13 21:38 ` [PATCH 01/12] Add support for indicating that the booted kernel is externally trusted Matthew Garrett
2015-03-13 21:38 ` [PATCH 02/12] Enforce module signatures when trusted kernel is enabled Matthew Garrett
2015-03-13 21:38 ` [PATCH 03/12] PCI: Lock down register access when trusted_kernel is true Matthew Garrett
2015-03-13 21:38 ` [PATCH 04/12] x86: Lock down IO port " Matthew Garrett
2015-03-13 21:38 ` [PATCH 05/12] Restrict /dev/mem and /dev/kmem " Matthew Garrett
2015-03-13 21:38 ` [PATCH 06/12] acpi: Limit access to custom_method if " Matthew Garrett
2015-03-13 21:38 ` [PATCH 07/12] acpi: Ignore acpi_rsdp kernel parameter when " Matthew Garrett
2015-03-13 21:38 ` [PATCH 08/12] kexec: Disable loading of unverified images Matthew Garrett
2015-03-13 21:38 ` [PATCH 09/12] uswsusp: Disable when trusted_kernel is true Matthew Garrett
2015-03-16 21:36   ` Kees Cook
2015-03-16 21:40     ` Matthew Garrett
2015-03-13 21:38 ` [PATCH 10/12] x86: Restrict MSR access " Matthew Garrett
2015-03-13 21:38 ` [PATCH 11/12] asus-wmi: Restrict debugfs interface " Matthew Garrett
2015-03-13 21:38 ` [PATCH 12/12] Add option to automatically set trusted_kernel when in Secure Boot mode Matthew Garrett
2015-04-22 11:36   ` Dan Carpenter
2015-03-15  1:53 ` Trusted kernel patchset Matthew Garrett
2015-03-16 14:45 ` One Thousand Gnomes
2015-03-16 18:15   ` Matthew Garrett
2015-03-16 20:07     ` One Thousand Gnomes
2015-03-16 20:35     ` David Lang
2015-03-16 20:57       ` One Thousand Gnomes
2015-03-16 21:11       ` Matthew Garrett [this message]
2015-03-16 21:29     ` Kees Cook
2015-03-17 17:48       ` One Thousand Gnomes
2015-03-17 20:22       ` Simon McVittie
2015-03-17 20:42         ` Matthew Garrett
2015-03-18 11:34           ` Simon McVittie
2015-03-16 21:54     ` Jiri Kosina
2015-03-18 13:24       ` joeyli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1426540286.22371.29.camel@nebula.com \
    --to=matthew.garrett@nebula.com \
    --cc=david@lang.hm \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=hpa@zytor.com \
    --cc=james.l.morris@oracle.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=serge@hallyn.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.