enable CONFIG_INTEL_TXT
Stephen Smalley
sds at tycho.nsa.gov
Thu Apr 1 13:38:02 UTC 2010
On Thu, 2010-04-01 at 15:02 +1100, James Morris wrote:
> On Wed, 31 Mar 2010, Eric Paris wrote:
>
> > Simple answer is 'because Intel says so.' I'm sorry but I don't think
> > I'm allowed to divulge any reasons Intel may or may not have shared with
> > Red Hat.
>
> It seems odd to me that the full design and operation of a security
> mechanism is not being made available, and that the reasons for this
> are also not able to be divulged.
>
> Note that an SINIT AC module was recently reverse engineered, found to be
> buggy, and then used to break TXT:
>
> http://theinvisiblethings.blogspot.com/2009/12/another-txt-attack.html
>
> I really hope the secrecy of the AC module is not part of its security
> design.
>
> In any case, I don't see any technical reason not to enable the option.
As far as I know the security of TXT in no way relies upon keeping the
SINIT module closed source.
--
Stephen Smalley
National Security Agency