Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-09-01 Thread joeyli
rnel.org, linux-...@vger.kernel.org, > >> jwbo...@redhat.com, keesc...@chromium.org > >> Sent: Wednesday, August 28, 2013 6:41:55 PM > >> Subject: Re: [PATCH 0/10] Add additional security checks when module > >> loading is restricted > >> >

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Matthew Garrett
On Wed, 2013-08-28 at 16:07 -0700, Kees Cook wrote: > Strictly speaking, RAM contents are not available via /dev/*mem, even > to root. However, you can request a suspend image be written, but to > not enter hibernation. Then modify the image, and request a resume > from it. Is that true? Oh, hm -

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Kees Cook
chromium.org >> Sent: Wednesday, August 28, 2013 6:41:55 PM >> Subject: Re: [PATCH 0/10] Add additional security checks when module loading >> is restricted >> >> On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote: >> >> > Did you purposely

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Matthew Garrett
On Wed, 2013-08-28 at 18:58 -0400, Lenny Szubowicz wrote: > I'm root. So I can write anything I want to the swap file that looks > like a valid hibernate image but is code of my choosing. I can read > anything I need from /dev/mem or /dev/kmem to help me do that. > I can then immediately initiate

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Lenny Szubowicz
- Original Message - > From: "Matthew Garrett" > To: "Lenny Szubowicz" > Cc: linux-kernel@vger.kernel.org, linux-...@vger.kernel.org, > jwbo...@redhat.com, keesc...@chromium.org > Sent: Wednesday, August 28, 2013 6:41:55 PM > Subject: Re: [PATC

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Matthew Garrett
On Wed, 2013-08-28 at 18:37 -0400, Lenny Szubowicz wrote: > Did you purposely exclude similar checks for hibernate that were covered > by earlier versions of your patch set? Yes, I think it's worth tying it in with the encrypted hibernation support. The local attack is significantly harder in the

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-28 Thread Lenny Szubowicz
- Original Message - > From: "Matthew Garrett" > To: linux-kernel@vger.kernel.org > Cc: linux-...@vger.kernel.org, jwbo...@redhat.com, keesc...@chromium.org > Sent: Monday, August 19, 2013 1:26:01 PM > Subject: [PATCH 0/10] Add additional security checks when module loading is > restric

Re: [PATCH 0/10] Add additional security checks when module loading is restricted

2013-08-19 Thread Kees Cook
On Mon, Aug 19, 2013 at 10:26 AM, Matthew Garrett wrote: > We have two in-kernel mechanisms for restricting module loading - disabling > it entirely, or limiting it to the loading of modules signed with a trusted > key. These can both be configured in such a way that even root is unable to > relax