From: Matthew Garrett <mjg59@srcf.ucam.org>
To: ksummit-discuss@lists.linuxfoundation.org
Subject: [Ksummit-discuss] [CORE TOPIC] Trusted kernel patchset
Date: Wed, 7 May 2014 19:03:15 +0100 [thread overview]
Message-ID: <20140507180315.GA926@srcf.ucam.org> (raw)
(Posting as core rather than tech because I suspect this is more
political than technical at this point)
Most major distributions ship these. There is strong demand from Google,
who want to use them in a use-case that has nothing to do with UEFI
Secure Boot. Making a distinction between root and kernel security is a
necessary part of securing a boot chain[1].
Yet, after apparently gaining at least a rough consensus at LPC last
year, we're now at the point where there's yet another suggestion for
how to rewrite them but absolutely nobody showing any signs of being
willing to do that work or any agreement from anyone in the security
community that entirely reworking capabilities is either practical or
desirable.
It'd be nice to have this done before August, but given that all
previous attempts to actually get it unblocked on mailing lists have
failed maybe we should talk about it in person. Again.
[1] See: the large number of people running modified kernels on their
Android devices by using the signed vendor kernel to kexec them. Great
for freedom, bad for the guarantees you were attempting to provide
regarding trusted code
--
Matthew Garrett | mjg59@srcf.ucam.org
next reply other threads:[~2014-05-07 18:03 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-07 18:03 Matthew Garrett [this message]
2014-05-07 18:14 ` Josh Boyer
2014-05-07 18:53 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140507180315.GA926@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=ksummit-discuss@lists.linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox