author | Edward Tomasz Napierala <trasz@FreeBSD.org> | 2018-08-15 08:45:05 +0000 |
---|---|---|
committer | Edward Tomasz Napierala <trasz@FreeBSD.org> | 2018-08-15 08:45:05 +0000 |
commit | 5469cc0ee9a3cbfc05b902139c4e3d3ca9c55a50 | |
tree | 3815b2b35807f17ece5e199216c584700ca5a92d /stand/man | |
parent | 527d337fdb6af876060be4e5f1796b7d4424f812 | |
Add SECURITY section to loader(8).
Reviewed by: bcr, jilles, imp (earlier version)
MFC after: 2 weeks
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16700
Notes:
svn path=/head/; revision=337834
Diffstat (limited to 'stand/man')
-rw-r--r-- | stand/man/loader.8 | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/stand/man/loader.8 b/stand/man/loader.8 index 374b6ee0d9d67..4356f58a4f584 100644 --- a/stand/man/loader.8 +++ b/stand/man/loader.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 14, 2018 +.Dd August 15, 2018 .Dt LOADER 8 .Os .Sh NAME @@ -945,6 +945,42 @@ version at compile time. .Nm version. .El +.Sh SECURITY +Access to the +.Nm +command line provides several ways of compromising system security, +including, but not limited to: +.Pp +.Bl -bullet -compact +.It +Booting from removable storage, by setting the +.Va currdev +or +.Va loaddev +variables +.It +Executing binary of choice, by setting the +.Va init_path +or +.Va init_script +variables +.It +Overriding ACPI DSDT to inject arbitrary code into the ACPI subsystem +.El +.Pp +One can prevent unauthorized access +to the +.Nm +command line by setting the +.Va password , +or setting +.Va autoboot_delay +to -1. +See +.Xr loader.conf 5 +for details. +In order for this to be effective, one should also configure the firmware +(BIOS or UEFI) to prevent booting from unauthorized devices. .Sh FILES .Bl -tag -width /usr/share/examples/bootforth/ -compact .It Pa /boot/loader |
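Review bot: In the mitigation paragraph at the end of the new SECURITY section, "setting the" / ".Va password ," / "or setting" presents the two settings as interchangeable without saying what either one does. Consider "setting the password variable" and a few words on what an autoboot_delay of -1 changes, so the reader can judge the mitigation without following the loader.conf(5) cross-reference. In the same paragraph the "-1" is unescaped; a minus sign in roff input is usually written "\-1". In the bullet list, "Executing binary of choice" is missing an article ("Executing a binary of choice"). The closing sentence "In order for this to be effective" has no clear antecedent; "For these settings to be effective" would be unambiguous.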