Re: [PATCH] kexec: Disable at runtime if the kernel enforces module signing

[Matthew Garrett <matthew.garrett@nebula.com>]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="utf-8", Size: 770 bytes --]

On Fri, 2013-08-09 at 11:35 -0400, Vivek Goyal wrote:

> Also what about all the other patches you had for secureboot where you
> closed down all the paths where root could write to kernel memory. So
> if you want to protect sig_enforce boolean, then you need to close down
> all these paths irrespective of secureboot?

Fair point. The bar is slightly higher there, but yes, it seems
reasonable to say that enforcing module signing (and, come to think of
it, modules_disabled) should also lock down the other obvious mechanisms
for root to get code into the kernel.

-- 
Matthew Garrett | mjg59@srcf.ucam.org
ÿôèº{.nÇ+‰·Ÿ®‰­†+%ŠËÿ±éݶ\x17¥Šwÿº{.nÇ+‰·¥Š{±þG«éÿŠ{ayº\x1dʇڙë,j\a­¢f£¢·hšïêÿ‘êçz_è®\x03(­éšŽŠÝ¢j"ú\x1a¶^[m§ÿÿ¾\a«þG«éÿ¢¸?™¨è­Ú&£ø§~á¶iO•æ¬z·švØ^\x14\x04\x1a¶^[m§ÿÿÃ\fÿ¶ìÿ¢¸?–I¥