[PATCH] kexec: Disable at runtime if the kernel enforces module signing
Matthew Garrett
matthew.garrett at nebula.com
Fri Aug 9 12:11:09 EDT 2013
On Fri, 2013-08-09 at 11:35 -0400, Vivek Goyal wrote:
> Also what about all the other patches you had for secureboot where you
> closed down all the paths where root could write to kernel memory. So
> if you want to protect sig_enforce boolean, then you need to close down
> all these paths irrespective of secureboot?
Fair point. The bar is slightly higher there, but yes, it seems
reasonable to say that enforcing module signing (and, come to think of
it, modules_disabled) should also lock down the other obvious mechanisms
for root to get code into the kernel.
--
Matthew Garrett | mjg59 at srcf.ucam.org