Date: Tue, 24 May 2005 20:47:52 +0200
From: Pavel Machek
To: Reiner Sailer
Cc: Emilyr@us.ibm.com, James Morris, Kylene@us.ibm.com, linux-kernel@vger.kernel.org, linux-security-module@wirex.com, Toml@us.ibm.com, Valdis.Kletnieks@vt.edu
Subject: Re: [PATCH 2 of 4] ima: related Makefile compile order change and Readme
Message-ID: <20050524184752.GB2268@elf.ucw.cz>

Hi!

> > * remove all the buffer overflows. I.e. if grub contains buffer
> > overflow in parsing menu.conf... that is not a security hole
> > (as of now) because only administrator can modify menu.conf.
> > With IMA enabled, it would make your certification useless...
>
> Taking your example: Even if you run a buffer-overflow grub, IMA will
> enable remote parties to differentiate between systems that run
> the vulnerable grub and systems that don't. IMA in this case actually
> can put value to running better software.

Yes, but see above: that buffer overflow in grub was *not* a
vulnerability... not until you introduce IMA. That is my biggest
concern.

You are completely changing rules for userland code. Buffer overflow
that only root could exploit used to be okay. It used to be okay to
read config files without communicating with TPM.
Pavel