Linux Security Summit 2014/Abstracts/Cook 2

From Linux Kernel Security Subsystem
Jump to: navigation, search


Trusted Kernel Lock-down Patch Series (discussion)


Kees Cook, Google


There is a need to lock down access to raw kernel memory and devices when running under certain conditions. UEFI Secure Boot, or Chrome OS Verified Boot, among other situations, wants to be sure that userspace (even privileged users) cannot change the running kernel.

A patch series that implements this was written (and rewritten) by Matthew Garrett, but it has been bike-shed to death. We will discuss ways for this series to move forward, and document the prior objections and rebuttals so that future discussion can avoid resolved issues without distracting from progress.