danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Share Next Entry
Secure Boot versus Ksplice.
danwalsh
I have been attending many talks on Secure Boot.  The basic idea behind secure boot is to ensure that the bios/bootloader and kernel have not been hacked.  My understanding of how this is done is everything is signed and verified during the bootup.  Nothing can run in the kernel that was not signed and verified.  

Then we Oracle pushing Ksplice.

I can't help but ask the question?

Is ksplice a security disaster waiting to happen?

Re: Doesn't seem to be at odds...

flihp

2012-03-20 09:48 pm (UTC)

Ideally ksplice would hook into something like the IMA framework to measure whatever patches they're applying to your kernel. You could then get these measurements from a log like they do for loaded modules. Then you'd be reasoning over measurements from your kernel and the modifications made to it at run time.

Not simple by any stretch but it would be pretty complete.

You are viewing danwalsh