[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Libreboot] CONFIG_IO_STRICT_DEVMEM and supposed flash protection.

From: Denis 'GNUtoo' Carikli
Subject: [Libreboot] CONFIG_IO_STRICT_DEVMEM and supposed flash protection.
Date: Sun, 8 May 2016 20:17:32 +0200


On the #libreboot IRC channel on freenode, several people seemed to
think that a recent Linux with CONFIG_IO_STRICT_DEVMEM=y would be
sufficient to constitute a protection against reflashing.

I guess the assumption was that once booted, you couldn't reflash
without rebooting the machine.

While it might be useful to implement such scheme, it's not sufficient
by itself:
- GNU/Linux distributions usually allow root to load kernel modules.
  That can probably used to access the flash.
- kexec can be used to modify a kernel that is actually running, as
  demonstrated here:
  You don't even need to "kexec" another kernel. This is usually
  enabled on many GNU/Linux distribution.

Theses are two common issues that came to my mind, however they might
not be the only ones that exist.

Many other issues could be found by looking at kernels such as the
-grsec ones in parabola, since they close many of such holes.
I however wonder if they have anything special to handle the modprobe

Note that I don't advocate nor refrain from using such schemes, it's up
to the user and the distribution to chose what is best adapted.


Attachment: pgppJjMzRKx5p.pgp
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]