Microsoft Contributes Integrity Improvements To Linux 5.12

  • #1

    Phoronix: Microsoft Contributes Integrity Improvements To Linux 5.12

    Microsoft engineers continue increasing their contributions to the Linux kernel where it makes business sense for them, such as in the case of securing the Azure cloud given that around 50% or more of the instances run Linux. With Linux 5.12 there are integrity subsystem improvements coming from Microsoft...

    http://www.phoronix.com/scan.php?pag...ity-Linux-5.12

  • #2
    I do not understand where it should be applied; and how can you update a kernel if it is prevented from booting?

    Comment


    • #3
      Originally posted by Danielsan View Post
      I do not understand where it should be applied; and how can you update a kernel if it is prevented from booting?
      You can't -- but updating these particular kernels is not your job. From the linked article: "- Around 50% of the VMs on Azure are Linux-based..." Those VMs' hypervisor would likely, but not necessarily, be MS' Hyper-V. Either way, I think the idea here is that a containerized application running on the VM should be able to refuse to load if it detects an incompatible underlying OS kernel on the VM. This Integrity thingy is designed to make that detection secure, e.g. the obvious "just query /etc/os-release" can easily be spoofed.
      Last edited by pipe13; 22 February 2021, 10:35 AM.

      Comment


      • #4
        Originally posted by Danielsan View Post
        I do not understand where it should be applied; and how can you update a kernel if it is prevented from booting?
        From what I can tell, in the bootloader and initramfs. They load up the existing/old kernel just enough to see if the new kernel is actually new by doing version checks.

        Funnily, if a hacker can install a new kernel then they could likely update the version check table too or configure the new kernel to report as cool. Once they have the level of access to install a custom kernel then probably anything is possible.

        Comment


        • #5
          As a team at Microsoft also looked into improving performance of the Linux Kernel with GCC LTO, I hope they will continue to work on that and upstream the fruits of it, too.

          Comment


          • #6
            Originally posted by skeevy420 View Post

            Funnily, if a hacker can install a new kernel then they could likely update the version check table too or configure the new kernel to report as cool. Once they have the level of access to install a custom kernel then probably anything is possible.
            That shouldn't be the case. IMA is based on signatures. The custom kernel would lack the signature and fail attestation.

            Comment
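            The two checks being argued about in #4 and #6 can be shown side by side. The following is an added example, not code from the Phoronix article, the thread participants, or Microsoft's kernel patches: a loader-style appraiser written in Go that measures a kernel image with SHA-256 and verifies a vendor signature over that measurement, next to the "trust the reported version" check. The Ed25519 key pair, the version string and the byte strings standing in for kernel images are all constructed assumptions for the demo (IMA itself uses the kernel keyring and stores the signature in the file's security.ima extended attribute; that plumbing is not modelled here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Kernel models a kernel image as a loader sees it: the version string the
// image reports about itself and the raw image bytes. The byte strings used
// below are constructed sample data, not real kernel images.
type Kernel struct {
	Version string
	Image   []byte
}

// Measure computes the SHA-256 digest of the image. This is the "measurement"
// an IMA-style appraiser records and checks; it depends only on the bytes,
// not on anything the image claims about itself.
func Measure(k Kernel) []byte {
	sum := sha256.Sum256(k.Image)
	return sum[:]
}

// SignMeasurement produces the vendor's signature over the measurement.
// (Real IMA appraisal keeps such a signature in the security.ima xattr;
// here it is simply returned to the caller.)
func SignMeasurement(priv ed25519.PrivateKey, k Kernel) []byte {
	return ed25519.Sign(priv, Measure(k))
}

// VersionCheckPasses is the spoofable check discussed in the thread: it trusts
// whatever version string the kernel reports.
func VersionCheckPasses(k Kernel, expected string) bool {
	return k.Version == expected
}

// AppraisalPasses is the signature-based check: recompute the measurement from
// the bytes and verify the signature with the trusted vendor public key.
func AppraisalPasses(pub ed25519.PublicKey, k Kernel, sig []byte) bool {
	return ed25519.Verify(pub, Measure(k), sig)
}

// Outcome collects the results of both checks for the vendor kernel and for a
// replacement kernel that reports the same version string.
type Outcome struct {
	VendorAppraisalOK bool
	CustomVersionOK   bool
	CustomAppraisalOK bool
}

// Demo signs a vendor kernel, then evaluates a replacement kernel that copies
// the vendor's version string and presents the vendor's signature.
func Demo() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // assumed vendor key pair
	if err != nil {
		return Outcome{}, err
	}
	const version = "5.12.0-vendor" // constructed version string
	vendor := Kernel{Version: version, Image: []byte("vmlinuz: vendor build (constructed)")}
	sig := SignMeasurement(priv, vendor)

	// A replacement image with different bytes but the same reported version.
	custom := Kernel{Version: version, Image: []byte("vmlinuz: custom build (constructed)")}

	return Outcome{
		VendorAppraisalOK: AppraisalPasses(pub, vendor, sig),
		CustomVersionOK:   VersionCheckPasses(custom, version),
		CustomAppraisalOK: AppraisalPasses(pub, custom, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vendor kernel passes appraisal:     %v\n", out.VendorAppraisalOK)
	fmt.Printf("custom kernel passes version check: %v\n", out.CustomVersionOK)
	fmt.Printf("custom kernel passes appraisal:     %v\n", out.CustomAppraisalOK)
}
```

The version check is satisfied by the replacement image because it only compares strings the image controls, whereas the appraisal fails because the measurement is recomputed from the bytes and the reused signature no longer matches it. Whoever can write the image can change the version table; they cannot produce a signature without the vendor's private key, which is the point #6 makes.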


            • #7
              Well, it sounds like the cloud version of "secure boot"; I wouldn't be surprised if at a certain point you will be forced to use or buy only M$-certified Linux kernels...

              Comment


              • #8
                I just hope they won't screw the kernel just to fit their own demands

                Comment


                • #9
                  Originally posted by loganj View Post
                  I just hope they won't screw the kernel just to fit their own demands
                  It's not their kernel, so screw them.

                  Comment


                  • #10
                    Uh-oh, more Microsoft contributions? I foresee a lot of people making the switch to BSD or Haiku now

                    Comment
