<html><head></head><body><div>Not to pour gasoline on the anti-systemd crowd, but what the f&*k is the reason for mounting the TM module read-WRITE?!?!? Yes. So they can be updated by the Linux user, but since that's a security thing on par with selinux in MLS mode, it should default to "you can't do this without much effort" instead of "sure, make an easy mess of things".</div><div><br></div><div>On Thu, 2016-02-04 at 17:10 -0500, Boris Borisov wrote:</div><blockquote type="cite"><p dir="ltr">We went away from topic anyway. Why not one more :)</p>
<p dir="ltr"><a href="http://fossbytes.com/running-this-little-command-in-linux-can-kill-some-laptops-permanently/">http://fossbytes.com/running-this-little-command-in-linux-can-kill-some-laptops-permanently/</a></p>
<div class="gmail_quote">On Feb 1, 2016 11:05 AM, "Phil Turmel" <<a href="mailto:philip@turmel.org">philip@turmel.org</a>> wrote:<br type="attribution"><blockquote type="cite">On 02/01/2016 10:33 AM, Steve Litt wrote:<br>
> On Mon, 01 Feb 2016 06:25:42 +0300<br>
> <a href="mailto:damon@damtek.com">damon@damtek.com</a> wrote:<br>
<br>
>> Well, actually, its to protect against a blue pill exploits where a<br>
>> hypervisor "lifts" the OS off of the hardware and at that time the OS<br>
>> does not know it is virtualized and the exploiter has complete,<br>
>> uncontested control and access to the OS. In theory it is OS agnostic<br>
>> and has been proofed in the lab. I don't know of any wild exploits.<br>
><br>
> Like so many other things, this is a tradeoff. Yes, secure boot<br>
> protects from an exploit below the level of the OS, and might be the<br>
> only practical way to do so. On the other hand, it restricts you to<br>
> software possessing a key that costs money. Worse, a key signed by<br>
> Microsoft.<br>
><br>
> No problem: The purchaser gets to leave it on or turn it off. Oops, not<br>
> any more. Hardware manufacturers can choose to remove the on/off<br>
> switch, and worse yet, that on/off switch *never* appears on their<br>
> specification sheets, so you guess and return. Or more likely, many<br>
> people are assimilated into the Redhat SuSE Debian Ubuntu conglomerate.<br>
<br>
But if you *do* have a mobo with configurable secure boot, you can<br>
replace the certificates with your own, then sign your own kernels.<br>
Then *nothing* will run before your OS on that box.<br>
<br>
<a href="http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/" rel="noreferrer" target="_blank">http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/</a><br>
<br>
Phil<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div>
<pre>_______________________________________________
Ale mailing list
<a href="mailto:Ale@ale.org">Ale@ale.org</a>
<a href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre></blockquote><div class="-x-evo-signature-wrapper"><span><pre>--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
</pre></span></div></body></html>