Re: [RFC][PATCH v1 0/2] integrity: module integrity verification

[Rusty Russell]

On Wed, 8 Feb 2012 16:02:28 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@xxxxxxxxx> wrote:
> On Wed, Feb 8, 2012 at 3:45 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > On Wed, 2012-02-08 at 10:09 +1030, Rusty Russell wrote:
> >> The problem is that distributions tend to have two variants of modules:
> >> stripped and unstripped. ÂThus you may want to support multiple
> >> signatures, any *one* of which may match.
> >>
> >> I've cc'd the module-init-tools and libkmod maintainers for their
> >> comments, too.
> > Hi Rusty,
> >
> > As a distro knows what it is shipping, why would you need support for
> > both stripped/unstripped versions. ÂUnless "stripping" occurs post
> > install. ÂPerhaps something similar to 'prelink'?
> 
> How are they distributed? In separate packages?
> And striped during package creation?
> Then during package building, before archiving, signing tool is simply
> invoked for each binary package,
> so "same" modules from different packages will get own signature.
> 
> Or it goes some other way?

I don't know.  Perhaps it isn't an issue; David Howells and Jon Masters
might have comments.

Cheers,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/