Re: [PATCH] x86: Lock down MSR writing in secure boot

From: Borislav Petkov
Date: Fri Feb 08 2013 - 18:07:12 EST

Next message: Rafael J. Wysocki: "Re: [PATCH] Documentation / acpi: refer to correct file for acpi_platform_device_ids[] table"
Previous message: Grant Likely: "Re: [PATCH 4/4] serial/arc-uart: switch to devicetree based probing"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Matthew Garrett: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Feb 08, 2013 at 02:30:52PM -0800, H. Peter Anvin wrote:
> Also, keep in mind that there is a very simple way to deny MSR access
> completely, which is to not include the driver in your kernel (and not
> allow module loading, but if you can load modules you can just load a
> module to muck with whatever MSR you want.)

I was contemplating that too. What is the use case of having
msr.ko in a secure boot environment? Isn't that an all-no-tools,
you-can't-do-sh*t-except-what-you're-explicitly-allowed-to environment which
simply doesn't need to write MSRs in the first place?

--
Regards/Gruss,
Boris.

Sent from a fat crate under my desk. Formatting is fine.
--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Rafael J. Wysocki: "Re: [PATCH] Documentation / acpi: refer to correct file for acpi_platform_device_ids[] table"
Previous message: Grant Likely: "Re: [PATCH 4/4] serial/arc-uart: switch to devicetree based probing"
In reply to: H. Peter Anvin: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Next in thread: Matthew Garrett: "Re: [PATCH] x86: Lock down MSR writing in secure boot"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]