[Libreboot] CONFIG_IO_STRICT_DEVMEM and supposed flash protection.
From: Denis 'GNUtoo' Carikli
Subject: [Libreboot] CONFIG_IO_STRICT_DEVMEM and supposed flash protection.
Date: Sun, 8 May 2016 20:17:32 +0200
Hi,

On the #libreboot IRC channel on freenode, several people seemed to
think that a recent Linux with CONFIG_IO_STRICT_DEVMEM=y would be
sufficient to constitute a protection against reflashing.
I guess the assumption was that once booted, you couldn't reflash
without rebooting the machine.

While it might be useful to implement such a scheme, it's not sufficient
by itself:
- GNU/Linux distributions usually allow root to load kernel modules.
  That can probably be used to access the flash.
- kexec can be used to modify a kernel that is actually running, as
  demonstrated here: https://mjg59.dreamwidth.org/28746.html
  You don't even need to "kexec" another kernel. This is usually
  enabled on many GNU/Linux distributions.

These are two common issues that came to my mind, however they might
not be the only ones that exist.

Many other issues could be found by looking at kernels such as the
-grsec ones in Parabola, since they close many of such holes.
I however wonder if they have anything special to handle the modprobe
issue.

Note that I don't advocate nor refrain from using such schemes, it's up
to the user and the distribution to choose what is best adapted.

Denis.
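
The two paths the message lists, module loading and kexec, can be checked alongside CONFIG_IO_STRICT_DEVMEM itself. The script below is an added example, not part of the original message; its function names and sample files are constructed here, and it assumes the kernel.modules_disabled and kernel.kexec_load_disabled sysctl files are present only when the corresponding feature is built into the kernel.

```shell
#!/bin/sh
# Added example: report which reflash-relevant paths named in the mail are still open.
# Assumption: each sysctl file exists only when the kernel has that feature built in.

# True if DIR/NAME exists and reads 0, i.e. the feature is present and not switched off.
sysctl_open() {
    [ -r "$1/$2" ] && [ "$(cat "$1/$2")" = "0" ]
}

# audit_reflash_paths CONFIG_FILE SYSCTL_DIR
# Prints a space-separated list of paths that are still open, or "none".
audit_reflash_paths() {
    cfg=$1 dir=$2 open=""
    if [ ! -r "$cfg" ]; then
        open="devmem-unknown"            # no kernel config available to inspect
    elif ! grep -q '^CONFIG_IO_STRICT_DEVMEM=y$' "$cfg"; then
        open="devmem"                    # /dev/mem can reach I/O memory claimed by drivers
    fi
    if sysctl_open "$dir" modules_disabled; then
        open="${open:+$open }modules"    # root can still load kernel modules
    fi
    if sysctl_open "$dir" kexec_load_disabled; then
        open="${open:+$open }kexec"      # kexec loading is still permitted
    fi
    echo "${open:-none}"
}

# Constructed sample: strict devmem enabled, both sysctls left at their default of 0.
demo() {
    tmp=$(mktemp -d)
    printf 'CONFIG_STRICT_DEVMEM=y\nCONFIG_IO_STRICT_DEVMEM=y\n' > "$tmp/config"
    echo 0 > "$tmp/modules_disabled"
    echo 0 > "$tmp/kexec_load_disabled"
    audit_reflash_paths "$tmp/config" "$tmp"
    rm -rf "$tmp"
}

demo    # prints: modules kexec
# On a live system (config path is an assumption, it varies by distribution):
#   audit_reflash_paths "/boot/config-$(uname -r)" /proc/sys/kernel
```

Both sysctls are one-way switches: once set to 1 they stay set until the next reboot.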