[RFC PATCH v5 0/1] Add dm verity root hash pkcs7 sig validation.
Jaskaran Singh Khurana
jaskarankhurana at linux.microsoft.com
Fri Jun 28 23:27:28 UTC 2019
Hello Eric,
On Fri, 28 Jun 2019, Eric Biggers wrote:
>> In a datacenter like environment, this will protect the system from below
>> attacks:
>>
>> 1.Prevents attacker from deploying scripts that run arbitrary executables on the system.
>> 2.Prevents physically present malicious admin to run arbitrary code on the
>> machine.
>>
>> Regards,
>> Jaskaran
>
> So you are trying to protect against people who already have a root shell?
>
> Can't they just e.g. run /usr/bin/python and type in some Python code?
>
> Or run /usr/bin/curl and upload all your secret data to their server.
>
> - Eric
>
You are correct, it would not be feasible for a general purpose distro,
but for embedded systems and other cases where there is a more tightly
locked-down system.
Regards,
Jaskaran.
More information about the Linux-security-module-archive
mailing list