Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S268104AbUJOP6c (ORCPT ); Fri, 15 Oct 2004 11:58:32 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S268092AbUJOP6c (ORCPT ); Fri, 15 Oct 2004 11:58:32 -0400 Received: from out008pub.verizon.net ([206.46.170.108]:4266 "EHLO out008.verizon.net") by vger.kernel.org with ESMTP id S268097AbUJOPyl (ORCPT ); Fri, 15 Oct 2004 11:54:41 -0400 From: Gene Heskett Reply-To: gene.heskett@verizon.net Organization: Organization: None, detectable by casual observers To: linux-kernel@vger.kernel.org Subject: Re: Fw: signed kernel modules? Date: Fri, 15 Oct 2004 11:54:39 -0400 User-Agent: KMail/1.7 Cc: David Woodhouse , Roman Zippel , David Howells , "Rusty Russell (IBM)" , Greg KH , Arjan van de Ven , Joy Latten References: <27277.1097702318@redhat.com> <1097848897.13633.134.camel@hades.cambridge.redhat.com> In-Reply-To: <1097848897.13633.134.camel@hades.cambridge.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200410151154.39510.gene.heskett@verizon.net> X-Authentication-Info: Submitted using SMTP AUTH at out008.verizon.net from [151.205.58.180] at Fri, 15 Oct 2004 10:54:39 -0500 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1378 Lines: 32 On Friday 15 October 2004 10:01, David Woodhouse wrote: >On Fri, 2004-10-15 at 13:12 +0200, Roman Zippel wrote: >> > I've uploaded an updated module signing patch with Rusty's >> > suggested additions: >> >> Can someone please put this patch into some context, where it's >> not completely pointless? As is it does not make anything more >> secure. Why is the kernel more trustable than a kernel module? > >Because it's not that hard to put the kernel onto read-only media or > in a flash chip to which you physically cut the Vpen line. > >One solution is just to disallow modules altogether -- but that > isn't really ideal in a number of cases. Allowing only certain > _known_ modules is a more functional solution. The point being that who decides what is a known module? -- Cheers, Gene "There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order." -Ed Howdershelt (Author) 99.27% setiathome rank, not too shabby for a WV hillbilly Yahoo.com attorneys please note, additions to this message by Gene Heskett are: Copyright 2004 by Maurice Eugene Heskett, all rights reserved. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/