Re: Trusted kernel patchset for Secure Boot lockdown

From: Matthew Garrett
Date: Fri Mar 14 2014 - 15:25:12 EST

Next message: Mark Brown: "Re: [PATCH 2/4] power_supply: Introduce generic psy charging driver"
Previous message: Oleg Nesterov: "Re: pppd service crash in linux-3.13.6"
In reply to: Matthew Garrett: "Re: Trusted kernel patchset for Secure Boot lockdown"
Next in thread: David Lang: "Re: Trusted kernel patchset for Secure Boot lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2014-03-14 at 14:11 -0400, Matthew Garrett wrote:

> The fact that you keep saying measured really does make me suspect that
> you misunderstand the problem. There's no measurement involved, there's
> simply an assertion that the firmware (which you're forced to trust)
> chose, via some policy you may be unaware of, to trust the booted
> kernel.

As an example, imagine a platform with the bootloader and kernel on
read-only media. The platform can assert that the kernel is trusted even
if there's no measurement of the kernel.

--
Matthew Garrett <matthew.garrett@xxxxxxxxxx>
N‹§²æ¸›yú²X¬¶ÇvØ–)Þ{.nÇ‰·¥Š{±‘êX§¶›¡Ü}©ž²ÆzÚj:+v‰¨¾«‘êZ+€Êzf£¢·hšˆ§~††Ûÿû®w¥¢¸?™¨è&¢)ßf”ùy§m…á«a¶Úÿ0¶ìå

Next message: Mark Brown: "Re: [PATCH 2/4] power_supply: Introduce generic psy charging driver"
Previous message: Oleg Nesterov: "Re: pppd service crash in linux-3.13.6"
In reply to: Matthew Garrett: "Re: Trusted kernel patchset for Secure Boot lockdown"
Next in thread: David Lang: "Re: Trusted kernel patchset for Secure Boot lockdown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]