Re: [PATCH] x86: Lock down MSR writing in secure boot

From: H. Peter Anvin
Date: Wed Feb 13 2013 - 20:10:50 EST


On 02/13/2013 05:04 PM, Matthew Garrett wrote:
> On Wed, 2013-02-13 at 16:44 -0800, Casey Schaufler wrote:
>
>> If you want that sort of granularity throw yourself on the SELinux
>> bandwagon. Fine grained capabilities are insane and unmanageable
>> and will only lead to tears. Security is despised because of the
>> notion that making systems impossible to use is a good thing.
>
> SELinux is completely unusable for this specific case.
>

Well, for at least things with device nodes (/dev/mem, /dev/msr and so
on) it should be possible, no? ioperm() and iopl() are another matter.

-hpa

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/