Re: Trusted kernel patchset

From: Matthew Garrett
Date: Tue Mar 17 2015 - 16:43:02 EST


On Tue, 2015-03-17 at 20:22 +0000, Simon McVittie wrote:

> Is the intention instead that it will make privileged bits of userland
> more careful to avoid breaking the trust chain in ways that would "fail
> safe" by refusing to boot?

Not really. It's intended to avoid the situation where privileged
userspace is able to modify the running kernel to an extent that's
broadly equivalent to booting an arbitrary kernel.