Re: Fw: signed kernel modules?

From: David Howells
Date: Thu Oct 14 2004 - 07:17:00 EST



> I'm trying to understand the reason to stuff this into kernel. Why can't
> this check be done before loading the module into the kernel? If you don't
> trust insmod, how can you trust the build system?

(1) insmod isn't the only way to load a module.

(2) This helps limit what an intruder can do; particularly if you combine it
with other measures.

(3) Who says the kernel RPM is built on the same machine as the one you
really want to deploy this on for the added protection?

David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/