Re: Trusted kernel patchset

From: David Lang
Date: Mon Mar 16 2015 - 16:36:19 EST

On Mon, 16 Mar 2015, Matthew Garrett wrote:

On Mon, 2015-03-16 at 14:45 +0000, One Thousand Gnomes wrote:
On Fri, 13 Mar 2015 11:38:16 -1000
Matthew Garrett <matthew.garrett@xxxxxxxxxx> wrote:

4) Used the word "measured"

Nothing is being measured.

Nothing is being trusted either. It's simple ensuring you probably have
the same holes as before.

Also the boot loader should be measuring the kernel before it runs it,
thats how it knows the signature is correct.

That's one implementation. Another is the kernel being stored on
non-volatile media.

Anything that encourages deploying systems that can't be upgraded to fix bugs that are discovered is a problem.

This is an issue that the Internet of Things folks are just starting to notice, and it's only going to get worse before it gets better.

How do you patch bugs on your non-volitile media? What keeps that mechansim from being abused.

David Lang
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at