On Thu, Jun 15, 2017, 03:49 Matthew Garrett <mj...@srcf.ucam.org> wrote:
> On Wed, Jun 14, 2017 at 06:34:38PM -0700, Vladimir 'phcoder' Serbinenko wrote:
>
> > This is at odds with the need to keep kernel small. Why not just put
> > verifiers as the first module to load? Presumably you need to verify the
> > whole core in either case.
>
> They're not useful as an external module, so they need to be built into
> the core image in any case (otherwise an attacker just replaces the
> verifier module…).

Yes, part of core image, that's what I meant

> if you're making the ordering significant,
> it's far too easy for someone to mess up and end up with an insecure
> system as a result.

Adding them would be part of grub-install, not manual by user.

> --
> Matthew Garrett | mj...@srcf.ucam.org
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel