Re: Fw: signed kernel modules?

From: Rusty Russell (IBM)
Date: Thu Oct 14 2004 - 19:32:53 EST

Next message: Adam Heath: "Re: [patch] Real-Time Preemption, -VP-2.6.9-rc4-mm1-U2"
Previous message: Antonino A. Daplas: "Re: [Linux-fbdev-devel] Generic VESA framebuffer driver and Video card BOOT?"
In reply to: David Howells: "Re: Fw: signed kernel modules?"
Next in thread: David Howells: "Re: Fw: signed kernel modules?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2004-10-14 at 20:17, David Howells wrote:
> > I'd appreciate your opinion on the issue at hand. Is it worth 600 lines
> > of ELF verification and canonicalization code so we can strip modules
> > without altering the signature?
>
> You have to some of the ELF verification anyway, otherwise your suggested way
> is just as pointless. You had included somde code in your example, but what
> that did wasn't sufficient either - it can trivially be broken.

The current approach is working just fine. I'm not the one trying to
prevent root from inserting malicious modules. You are, so you need to
do the checks.

Rusty.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Adam Heath: "Re: [patch] Real-Time Preemption, -VP-2.6.9-rc4-mm1-U2"
Previous message: Antonino A. Daplas: "Re: [Linux-fbdev-devel] Generic VESA framebuffer driver and Video card BOOT?"
In reply to: David Howells: "Re: Fw: signed kernel modules?"
Next in thread: David Howells: "Re: Fw: signed kernel modules?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]