danwalsh


Dan Walsh's Blog

Got SELinux?


Secure Boot versus Ksplice.
danwalsh
I have been attending many talks on Secure Boot. The basic idea behind Secure Boot is to ensure that the BIOS/bootloader and kernel have not been hacked. My understanding of how this is done is that everything is signed and verified during bootup. Nothing can run in the kernel that was not signed and verified.

Then we have Oracle pushing Ksplice.

I can't help but ask the question:

Is Ksplice a security disaster waiting to happen?

Ksplice worries me because it's making edits to actively running kernel code at a very low level. On top of that, if the server administrator forgets to actually update the kernel using the distribution's package manager, the old insecure kernel will boot up the next time the server reboots.

When it comes right down to it, if your environment can't withstand a reboot for security updates occasionally, you're doing it wrong. ;)
