Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation.

From: Jaskaran Singh Khurana
Date: Fri Jun 28 2019 - 19:27:31 EST



Hello Eric,

On Fri, 28 Jun 2019, Eric Biggers wrote:

In a datacenter like environment, this will protect the system from below
attacks:

1.Prevents attacker from deploying scripts that run arbitrary executables on the system.
2.Prevents physically present malicious admin to run arbitrary code on the
machine.

Regards,
Jaskaran

So you are trying to protect against people who already have a root shell?

Can't they just e.g. run /usr/bin/python and type in some Python code?

Or run /usr/bin/curl and upload all your secret data to their server.

- Eric


You are correct, it would not be feasible for a general purpose distro, but for embedded systems and other cases where there is a more tightly locked-down system.

Regards,
Jaskaran.