Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation.

From: Jaskaran Singh Khurana
Date: Fri Jun 28 2019 - 19:27:31 EST

Next message: Kevin Hilman: "Re: [PATCH v1] arm: dts: mediatek: add basic support for MT7629 SoC"
Previous message: Randy Dunlap: "Re: [PATCH] f2fs: fix 32-bit linking"
In reply to: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Next in thread: James Morris: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello Eric,

On Fri, 28 Jun 2019, Eric Biggers wrote:

In a datacenter like environment, this will protect the system from below
attacks:

1.Prevents attacker from deploying scripts that run arbitrary executables on the system.
2.Prevents physically present malicious admin to run arbitrary code on the
machine.

Regards,
Jaskaran

So you are trying to protect against people who already have a root shell?

Can't they just e.g. run /usr/bin/python and type in some Python code?

Or run /usr/bin/curl and upload all your secret data to their server.

- Eric

You are correct, it would not be feasible for a general purpose distro, but for embedded systems and other cases where there is a more tightly locked-down system.

Regards,
Jaskaran.

Next message: Kevin Hilman: "Re: [PATCH v1] arm: dts: mediatek: add basic support for MT7629 SoC"
Previous message: Randy Dunlap: "Re: [PATCH] f2fs: fix 32-bit linking"
In reply to: Eric Biggers: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Next in thread: James Morris: "Re: [RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]