From: Matthew Garrett
To: david@lang.hm
CC: keescook@chromium.org, linux-kernel@vger.kernel.org, james.l.morris@oracle.com, gnomes@lxorguk.ukuu.org.uk, serge@hallyn.com, linux-security-module@vger.kernel.org, hpa@zytor.com
Subject: Re: Trusted kernel patchset
Date: Mon, 16 Mar 2015 21:11:27 +0000
Message-ID: <1426540286.22371.29.camel@nebula.com>
References: <1426282708-21485-1-git-send-email-matthew.garrett@nebula.com> <20150316144504.4e013789@lxorguk.ukuu.org.uk> <1426529700.22371.20.camel@nebula.com>

On Mon, 2015-03-16 at 13:35 -0700, David Lang wrote:
> On Mon, 16 Mar 2015, Matthew Garrett wrote:
>
> > That's one implementation. Another is the kernel being stored on
> > non-volatile media.
>
> Anything that encourages deploying systems that can't be upgraded to fix bugs
> that are discovered is a problem.
>
> This is an issue that the Internet of Things folks are just starting to notice,
> and it's only going to get worse before it gets better.
>
> How do you patch bugs on your non-volatile media? What keeps that mechanism from
> being abused?

Nothing stops people from deploying kernels on non-volatile media right now.
This doesn't change anything.