Re: [PATCH 0/6] MODSIGN: Kernel module signing

[Adrian Bunk]

On Wed, Feb 14, 2007 at 07:09:38PM +0000, David Howells wrote:
>...
> There are several reasons why these patches are useful, amongst which are:
>...
>  (4) to allow other support providers to do likewise, or at least to _detect_
>      the fact that unsupported modules are loaded;
> 
>  (5) to allow the detection of modules replaced by a second-order distro or a
>      preloaded Linux purveyor.
>...

Who might have rebuilt the whole kernel using a new signature.

Or a bug reporter might have edited out the parts containing the 
information that unsupported code was loaded.

Or the unsupported module itself might have removed all traces of having 
been loaded from the kernel.

For printing nvidia(U), you could simply add some marker similar to 
MODULE_LICENSE() that gets added to supported modules during "official" 
builds and gets checked when loading a module.

That's 10k LOC less and the same level of security...

> David

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/