Subject: Re: verified exec per page fingerprints
To: Eric Haszlakiewicz <erh@jodi.nimenees.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-kern
Date: 11/15/2005 19:00:08

Eric Haszlakiewicz wrote:

> I don't understand.  What do you mean by "table for the mount"?

If you'd read the veriexec code you'd see that veriexec has a list, with
an entry for each device it monitors. This entry contains a hash table
and other information.

Aside from being way too ugly doing it as you suggest, as opposed to using
an existing facility to achieve the same goal, you ignore the fact that
someone, somewhere, may want to specify "untrusted" (which means "don't
cache evaluation result") not on an entire mount.

You and I may or may not understand him, but I don't understand people
who run 1.4/1.5/1.6, either. ;)

> i.e. the mount flag stays static with the mount point, but the veriexec
> code needs to make sure it checks the right mount structure.

I want the veriexec code to go "okay, this vnode we're verifying is on
a layered file-system, and is really on device N." I'm still looking at
how to do that in a nice way...

-e.

-- 
Elad Efrat