grub-devel

Re: [PATCH 1/3] Move verifiers to the kernel


From: Vladimir 'phcoder' Serbinenko
Subject: Re: [PATCH 1/3] Move verifiers to the kernel
Date: Thu, 15 Jun 2017 01:52:14 +0000



On Thu, Jun 15, 2017, 03:49 Matthew Garrett <address@hidden> wrote:

> On Wed, Jun 14, 2017 at 06:34:38PM -0700, Vladimir 'phcoder' Serbinenko wrote:
>
> > This is at odds with the need to keep kernel small. Why not just put
> > verifiers as the first module to load? Presumably you need to verify the
> > whole core in either case.
>
> They're not useful as an external module, so they need to be built into
> the core image in any case (otherwise an attacker just replaces the
> verifier module…).

Yes, part of core image, that's what I meant.

> if you're making the ordering significant,
> it's far too easy for someone to mess up and end up with an insecure
> system as a result.

Adding them would be part of grub-install, not manual by user.

--
Matthew Garrett | address@hidden

_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel
