Linux Security Summit 2014/Abstracts/Cook 2

From Linux Kernel Security Subsystem
Jump to navigation Jump to search

Title

Trusted Kernel Lock-down Patch Series (discussion)

Presenter

Kees Cook, Google

Abstract

There is a need to lock down access to raw kernel memory and devices when running under certain conditions. UEFI Secure Boot, or Chrome OS Verified Boot, among other situations, wants to be sure that userspace (even privileged users) cannot change the running kernel.

A patch series that implements this was written (and rewritten) by Matthew Garrett, but it has been bike-shed to death. We will discuss ways for this series to move forward, and document the prior objections and rebuttals so that future discussion can avoid resolved issues without distracting from progress.