On Mon, Aug 01, 2016 at 12:31:01PM +0930, LYMN wrote:
> On Thu, Jul 28, 2016 at 08:42:49PM +0200, Joerg Sonnenberger wrote:
> >
> > The difference is that correctly configured veriexec is a system-wide
> > property. It doesn't matter if you can exec something, you don't get to
> > execute binaries that weren't signed.
> >
>
> Technically, veriexec only runs files that have a valid fingerprint.
> We don't, currently, have signing but that would be useful and probably
> could be done now. One thing that does seem to get overlooked a lot is

That would require an RSA implementation in the kernel, plus some PKCS
bits. I have code around here somewhere...

Thor
