On Fri, 2012-09-21 at 12:22 +1000, James Morris wrote: > On Thu, 20 Sep 2012, Kees Cook wrote: > > > Earlier proposals for appending signatures to kernel modules would not be > > useful in Chrome OS, since it would involve adding an additional set of > > keys to our kernel and builds for no good reason: we already trust the > > contents of our root filesystem. We don't need to verify those kernel > > modules a second time. Having to do signature checking on module loading > > would slow us down and be redundant. All we need to know is where a > > module is coming from so we can say yes/no to loading it. > > Just out of interest, has anyone else expressed interest in using this > feature?
I'm not so interested in this particular use case, but am interested in using the new syscall's file descriptor for measuring/appraising a kernel module's integrity. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
