Re: kexec_load(2) bypasses signature verification

[One Thousand Gnomes]

> [1] Yes, it doesn't buy all that much, since if the system is rooted
> the adversary can just replace the kernel in /boot and force a normal,
> slower reboot, but the same could be said for signed modules --- the
> adversary could just replace all of /boot/vmlinux-<kver> and
> /lib/modules/<kver>.  But both measures make it a tad more bit
> difficult, especially for the adversary to do this replacement without
> being noticed (for example linode will send me e-mail if the system
> reboots normally, but not with a kexec-mediated reboot), and for cloud
> systems where we don't have secure boot anyway, it's about the best we
> can do.

It's about the same as the protection offered by the "secure" boot
patches I've seen because they don't block all kernel boot parameters
except a whitelist and because there are a pile of other fairly
fundamental problems that probably require you also sign the root file
system, which is itself a world of pain.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/