Re: [PATCH] x86: Lock down MSR writing in secure boot
From: Matthew Garrett
Date: Wed Feb 13 2013 - 21:47:18 EST
On Wed, 2013-02-13 at 17:08 -0800, H. Peter Anvin wrote:
> Well, for at least things with device nodes (/dev/mem, /dev/msr and so
> on) it should be possible, no? ioperm() and iopl() are another matter.
Sure, if we can guarantee that a signed userspace loads a signed SELinux
policy before any unsigned code runs. But, realistically, that's not
going to be possible.
--
Matthew Garrett | mjg59@xxxxxxxxxxxxx