
Re: CVE-2020-10648 in u-boot



On 2020-03-31, Holger Levsen wrote:
> looping the u-boot maintainer in... what's your opinion on this, Vagrant?
>
> On Tue, Mar 31, 2020 at 10:46:58PM +0200, Ola Lundqvist wrote:
>> I would like to have some advice about the u-boot triaging.
>> The problem is that someone can load an alternative configuration file
>> and by that boot arbitrary code.
>> I assume this means that the attacker must have physical access to the device.
>> 
>> As I see it, this can be used to root devices that should not be
>> possible to root.
>> 
>> My question is whether you think this is worth fixing in Debian.
>> 
>> I lean towards considering this a minor issue for
>> Jessie, but here I would like your opinion.
>> 
>> Thank you in advance
>> 
>> // Ola
>
> (I'd agree this is not worth fixing in jessie if this needs physical access.)

I haven't looked deeply into it, but from what I recall, I'm not sure
any of the platforms built in Debian make use of the verified boot
features.

live well,
  vagrant
