Suppress module signatures in staging drivers
Tim Gardner
tim.gardner at canonical.com
Mon Feb 13 15:54:02 UTC 2017
Tyler - I had a chat with Kees Cook at Plumbers last fall about some of
the UEFI hardening patches Ubuntu carries. Something that occurred to me
afterwards is that nobody is looking at staging drivers for
vulnerabilities similar to those that are being protected against when
in secure boot mode. I've written a patch that requires known good
staging drivers to be on an inclusion list at build time in order to be
signed. This prevents loading unreviewed staging drivers while in UEFI
secure boot mode.
https://lists.ubuntu.com/archives/kernel-team/2016-November/081205.html
We've been batting this patch set around for a couple of months and
can't seem to come to a consensus on it. What do you think about it from
a security perspective? Is this worthy of backporting to Xenial?
rtg
--
Tim Gardner tim.gardner at canonical.com