On Wed, Jun 14, 2017 at 06:34:38PM -0700, Vladimir 'phcoder' Serbinenko wrote:

> This is at odds with the need to keep kernel small. Why not just put
> verifiers as the first module to load? Presumably you need to verify the
> whole core in either case.

They're not useful as an external module, so they need to be built into 
the core image in any case (otherwise an attacker just replaces the 
verifier module…). And if you're making the ordering significant,
it's far too easy for someone to mess up and end up with an insecure 
system as a result.

-- 
Matthew Garrett | mj...@srcf.ucam.org
