Re: RFC: Tainting the kernel on raw I/O access

[One Thousand Gnomes]

On Wed, 03 Sep 2014 15:25:32 -0700
"H. Peter Anvin" <h.peter.anvin@xxxxxxxxx> wrote:

> On 09/03/2014 03:20 PM, One Thousand Gnomes wrote:
> > 
> > If you just want some "detector bits" for bug report filtering them its
> > quite a different need to fixing "secure" boot mode. Even in the detector
> > bits case there should be an overall plan and some defined properties
> > that provide the security and which you can show should always be true.
> > 
> 
> As far as I'm concerning this is just a set of "detector bits".  My
> observation was simply that this is a *subset* of what "secure boot"
> will eventually need.

I think that observation is untrue. The only partially overap.
 
> (As far as I'm concerned, I'd be happy tainting the kernel for any
> operation that requires CAP_RAWIO, but maybe that is too extreme.)

You can't then for example format some types of disk in your data center.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/