Re: Fw: signed kernel modules?

From: David Woodhouse
Date: Fri Oct 15 2004 - 09:09:56 EST

Next message: Pierre Ossman: "Re: Tasklet usage?"
Previous message: Matthias Urlichs: "Re: 4level page tables for Linux II"
In reply to: Gene Heskett: "Re: Fw: signed kernel modules?"
Next in thread: Roman Zippel: "Re: Fw: signed kernel modules?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2004-10-15 at 13:12 +0200, Roman Zippel wrote:
> > I've uploaded an updated module signing patch with Rusty's suggested
> > additions:
>
> Can someone please put this patch into some context, where it's not
> completely pointless? As is it does not make anything more secure.
> Why is the kernel more trustable than a kernel module?

Because it's not that hard to put the kernel onto read-only media or in
a flash chip to which you physically cut the Vpen line.

One solution is just to disallow modules altogether -- but that isn't
really ideal in a number of cases. Allowing only certain _known_ modules
is a more functional solution.

--
dwmw2

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pierre Ossman: "Re: Tasklet usage?"
Previous message: Matthias Urlichs: "Re: 4level page tables for Linux II"
In reply to: Gene Heskett: "Re: Fw: signed kernel modules?"
Next in thread: Roman Zippel: "Re: Fw: signed kernel modules?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]