Vivek Goyal writes:
> On Tue, Oct 23, 2012 at 11:04:29AM +0900, Simon Horman wrote:
>> On Mon, Oct 22, 2012 at 04:43:39PM -0400, Vivek Goyal wrote:
>> > On Fri, Oct 19, 2012 at 10:31:12AM -0400, Vivek Goyal wrote:
>> >
>> > [..]
>> > > - What happens to purgatory code. It is unsigned piece of co
Matthew Garrett writes:
> On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
>
>> But what about creation of a new program which can call kexec_load()
>> and execute an unsigned kernel. Doesn't look like that will be
>> prevented using IMA.
>
> Right. Trusting userspace would require a
On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> Hogwash. The kernel verifing a signature of /sbin/kexec at exec time is
> perfectly reasonable, and realistic. In fact finding a way to trust
> small bits of userspace even if root is compromised seems a far superior
> model to
On Tue, Oct 23, 2012 at 09:26:32AM -0700, Eric W. Biederman wrote:
[..]
> > I think this will be a new parallel path and this new path should be taken
> > only on kernel booted with secure boot enabled. (Either automatically or
> > by using some kexec command line option). So nothing should be bro
2012/10/23 Vivek Goyal :
> On Tue, Oct 23, 2012 at 09:26:32AM -0700, Eric W. Biederman wrote:
>
> [..]
>> > I think this will be a new parallel path and this new path should be taken
>> > only on kernel booted with secure boot enabled. (Either automatically or
>> > by using some kexec command line
On Tue, Oct 23, 2012 at 11:11:05PM +0400, Maxim Uvarov wrote:
> 2012/10/23 Vivek Goyal :
> > On Tue, Oct 23, 2012 at 09:26:32AM -0700, Eric W. Biederman wrote:
> >
> > [..]
> >> > I think this will be a new parallel path and this new path should be
> >> > taken
> >> > only on kernel booted with se
On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> Matthew Garrett writes:
>
> > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
> >
> >> But what about creation of a new program which can call kexec_load()
> >> and execute an unsigned kernel. Doesn't look like that
On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > Matthew Garrett writes:
> >
> > > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
> > >
> > >> But what about creation of a new program which can call kexec_
On Wed, Oct 24, 2012 at 10:43 PM, Mimi Zohar wrote:
> On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
>> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
>> > Matthew Garrett writes:
>> >
>> > > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
>> > >
>> > >> Bu
On Wed, 2012-10-24 at 23:44 -0700, Kees Cook wrote:
> On Wed, Oct 24, 2012 at 10:43 PM, Mimi Zohar wrote:
> > On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> >> On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> >> > Matthew Garrett writes:
> >> >
> >> > > On Tue, Oct 23
On Thu, Oct 25, 2012 at 01:43:59AM -0400, Mimi Zohar wrote:
> On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> > On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > > Matthew Garrett writes:
> > >
> > > > On Tue, Oct 23, 2012 at 10:59:20AM -0400, Vivek Goyal wrote:
> > >
On Thu, 2012-10-25 at 09:54 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 01:43:59AM -0400, Mimi Zohar wrote:
> > On Wed, 2012-10-24 at 13:19 -0400, Vivek Goyal wrote:
> > > On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> > > > Matthew Garrett writes:
> > > >
> > > > >
12 matches
Mail list logo
