tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: kernel module loading vs securelevel



On Sat, Oct 16, 2010 at 08:40:21PM +0900, Masao Uebayashi wrote:
> 
> We trust modules at the time when they're installed into the trusted
> place, same as kernel itself.  I think prohibiting module load  at
> run-time is rather pointless.

"The trusted place"?  What's that?  Except in the single special case of
autoload, "the trusted place" could be anywhere on the filesystem, or on
any remote filesystem for that matter.

If you want to enforce the rule "any trusted module can be loaded but only
trusted modules can be loaded", while preserving the securelevel framework,
the obvious options are:

        1) Load module hashes into the kernel at compile or boot time,
           like veriexec does,

        2) Finish the asymmetric operation support in cryptodev and
           actually require modules to be signed.  This is basically a
           superset of #1 above that could get about as complicated as
           one wanted it to (ugh) but might be worthwhile if kept simple.

Thor


Home | Main Index | Thread Index | Old Index