From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from namei.org ([65.99.196.166]) by bombadil.infradead.org with esmtps (Exim 4.92 #3 (Red Hat Linux)) id 1hgYuo-0001q8-Ba for kexec@lists.infradead.org; Thu, 27 Jun 2019 18:14:35 +0000 Date: Fri, 28 Jun 2019 04:14:30 +1000 (AEST) From: James Morris Subject: Re: [PATCH V34 09/29] kexec_file: Restrict at runtime if the kernel is locked down In-Reply-To: Message-ID: References: <20190622000358.19895-1-matthewgarrett@google.com> <20190622000358.19895-10-matthewgarrett@google.com> MIME-Version: 1.0 List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "kexec" Errors-To: kexec-bounces+dwmw2=infradead.org@lists.infradead.org To: Matthew Garrett Cc: Jiri Bohac , Linux API , kexec@lists.infradead.org, Linux Kernel Mailing List , David Howells , LSM List On Thu, 27 Jun 2019, Matthew Garrett wrote: > By that metric, on a secure boot system how do we determine that code > running in the firmware environment wasn't compromised before it > launched the initial signed kernel? Remote attestation tied to a hardware root of trust, before allowing access to any further resources. -- James Morris _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec