Linux 4.7 To Gain New Security Feature Ported From Chrome OS

  • Linux 4.7 To Gain New Security Feature Ported From Chrome OS

    Phoronix: Linux 4.7 To Gain New Security Feature Ported From Chrome OS

    James Morris has made known the security subsystem updates intended for the Linux 4.7 kernel and it includes one addition worth mentioning...


  • #2
    Though even if the kernel is built with CONFIG_SECURITY_LOADPIN, it still can be defeated by setting loadpin.enabled=0 at boot-time.
    Not very interesting security feature if it can be defeated so easily.
    This little security risk should definitely get some developer attention.



    • #3
      Originally posted by plonoma
      Not very interesting security feature if it can be defeated so easily.
      This little security risk should definitely get some developer attention.
      Tbh if you can edit the kernel parameters, you can probably make the machine load your own kernel. If someone gets so far, consider game lost



      • #4
        Originally posted by nanonyme

        Tbh if you can edit the kernel parameters, you can probably make the machine load your own kernel. If someone gets so far, consider game lost
        Yes, however we have a special case here.
        The potential to remove that kernel parameter without negative effects on software functioning is potentially workable for this security functionality.
        Could have compilation not add that parameter by default for compiling the kernel!



        • #5
          Nah, it's about as good as LKM signing but allows you to just sign a whole partition instead of each module. Not really any different. Not sure it's really better either... just different.
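
Added example, not part of the thread and not kernel or Chrome OS code: a POSIX shell check a defender could run over `/proc/cmdline` or a bootloader entry to see whether the `loadpin.enabled=0` override mentioned in #2 is in effect. The function names and the sample command lines are constructed for illustration; it assumes whitespace-separated parameters without quoting.

```shell
#!/bin/sh
# Report how a kernel command line sets loadpin.enabled.
# Prints one of: off, on, unset (unset = parameter absent, build default applies).
loadpin_cmdline_state() {
    lp_state=unset
    set -f                        # no glob expansion while word-splitting
    for lp_tok in $1; do
        case "$lp_tok" in
            --) break ;;          # the kernel stops parsing here; the rest goes to init
            loadpin.enabled=*)
                lp_val=${lp_tok#loadpin.enabled=}
                case "$lp_val" in
                    ''|*[!0-9]*) ;;          # empty or non-numeric: ignored here
                    *[!0]*) lp_state=on ;;   # any non-zero digit
                    *) lp_state=off ;;       # all zeros
                esac ;;           # a later occurrence overrides an earlier one
        esac
    done
    set +f
    printf '%s\n' "$lp_state"
}

# Audit a command-line file (default /proc/cmdline); returns 1 if pinning is off.
loadpin_audit() {
    lp_file=${1:-/proc/cmdline}
    [ -r "$lp_file" ] || { echo "cannot read $lp_file"; return 2; }
    lp_result=$(loadpin_cmdline_state "$(cat "$lp_file")")
    echo "$lp_file: loadpin.enabled is $lp_result"
    [ "$lp_result" != off ]
}

# Constructed sample command lines, one per case the parser distinguishes.
for lp_sample in \
    'root=/dev/sda2 ro quiet' \
    'root=/dev/sda2 ro loadpin.enabled=0' \
    'loadpin.enabled=0 ro loadpin.enabled=1' \
    'root=/dev/sda2 ro -- loadpin.enabled=0'
do
    printf '%-45s -> %s\n' "$lp_sample" "$(loadpin_cmdline_state "$lp_sample")"
done
```

Call `loadpin_audit` with no argument on a running system, or pass it a file holding the command line from a bootloader entry.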
