Re: Should we automatically generate a module signing key at all?

From: David Howells
Date: Tue May 19 2015 - 14:57:25 EST


Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:

> Both Fedora and RHEL seem to be moving toward having fully-supported
> configurations with immutable root images. Building those images
> reproducibly would be fantastic. (Of course, if Fedora or RHEL wants
> to allow support for out-of-tree drivers, that's a different story.)

Irrelevant. initramfs is *not* immutable. It has different modules in it
depending on what hardware you have. Further, you *still* need the module and
firmware hash lists in either the kernel or the initramfs to be loaded into
kernel memory before you load the first module because you have to check the
hash on it.

Or are you suggesting a tree of hashed nodes that have leaves that are the
hashes of the modules so you can save a subtree?

David
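
The "tree of hashed nodes" idea raised in the message above, sketched as an added example (not code from this thread or from the kernel): only the root hash would need to be built into the kernel, and an initramfs would carry the sibling path for each module it actually includes. The module contents, the use of SHA-256 and the leaf/node prefix bytes are assumptions made for the illustration.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(module: bytes) -> bytes:
    # Prefix byte keeps a leaf hash from being confused with an inner node.
    return _h(b"\x00" + module)

def node(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)

def build_levels(leaves):
    """Return every level of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted unchanged, not duplicated
        levels.append(nxt)
    return levels

def proof(levels, index):
    """Sibling path for one leaf: the part an initramfs would ship with it."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((sib < index, level[sib]))  # (sibling_is_left, hash)
        index //= 2
    return path

def verify(module: bytes, path, root: bytes) -> bool:
    """Recompute the root from the module and its path; compare to the trusted root."""
    acc = leaf(module)
    for sibling_is_left, sibling in path:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return hmac.compare_digest(acc, root)

# Constructed stand-ins for module images (not real .ko files).
MODULES = [b"ext4-image", b"xfs-image", b"e1000e-image", b"nvme-image", b"ahci-image"]
LEVELS = build_levels([leaf(m) for m in MODULES])
ROOT = LEVELS[-1][0]  # the only value that would have to live in the kernel

if __name__ == "__main__":
    for i, m in enumerate(MODULES):
        print(m.decode(), len(proof(LEVELS, i)), verify(m, proof(LEVELS, i), ROOT))
```
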