|
From: | Vladimir 'phcoder' Serbinenko |
Subject: | Re: [PATCH 1/3] Move verifiers to the kernel |
Date: | Thu, 15 Jun 2017 01:52:14 +0000 |
On Wed, Jun 14, 2017 at 06:34:38PM -0700, Vladimir 'phcoder' Serbinenko wrote:
> This bid at odds with the need to keep kernel small. Why not just put
> verifiers as the first module to load? Presumably you need to verify the
> whole core in either case.
They're not useful as an external module, so they need to be built into
the core image in any case (otherwise an attacker just replaces the
verifier module…).
if you're making the ordering significant,
it's far too easy for someone to mess up and end up with an insecure
system as a result.
--
Matthew Garrett | address@hidden
_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel
[Prev in Thread] | Current Thread | [Next in Thread] |