Re: Fw: signed kernel modules?

• Previous message: Albert Cahalan: "Re: [patch] exec-shield-nx-2.6.9-A1"
• In reply to: Tonnerre: "Re: Fw: signed kernel modules?"
• Next in thread: Geert Uytterhoeven: "Re: Fw: signed kernel modules?"
• Reply: Geert Uytterhoeven: "Re: Fw: signed kernel modules?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date:	Sun, 17 Oct 2004 22:18:32 +0200
To: Tonnerre <tonnerre@thundrix.ch>

On Fri, Oct 15, 2004 at 10:11:47PM +0200, Tonnerre wrote:
>
> What trusted computing revealed is that there is at least amongst some
> companies a desire to be able to dictate what's going on on your
> computer. Think Disney here.

> Tonnerre
>
> PS. I did a module signing patch some years ago. I did a framework. I
> did tests. I got scared of its power. All I say is, take care.

Think about companies deploing binary only drivers for their hardware.
I guess they'd be happy to have a 'feature' like this in the kernel.
We might end up with hardware companies deploying binary only signed
modules for the major distributions (with which they have deals).
We might end up with weird patches from those companies to get their key
into the kernel source in order to be able to load their signed module.

Once a module itself requires this feature in the kernel you don't have
the choice of saying 'No' to this option of compile time and you can't
simply revert this patch anymore as others have suggested.

This patch would give power to those who make binary distributions and
(binary only) modules not to the admin who runs the system.
Only allowing modules to be loaded from a secured area (read only
device, signed 'container' of modules...) and leaving it to the
admin which modules he puts into this area would address all the reasons
for this patch without taking power away from the owner of the system.

  Tom
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

• Previous message: Albert Cahalan: "Re: [patch] exec-shield-nx-2.6.9-A1"
• In reply to: Tonnerre: "Re: Fw: signed kernel modules?"
• Next in thread: Geert Uytterhoeven: "Re: Fw: signed kernel modules?"
• Reply: Geert Uytterhoeven: "Re: Fw: signed kernel modules?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: Granting some root permissions to certain users ... We use a kernel patch called trustees to do just what you're talking ... Unfortunately the patch hasn't really been kept up-to-date. ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel) Re: RT-V0.7.47-17 build fails ... On Monday 06 June 2005 03:41, Ingo Molnar wrote: ... >> I thought maybe I'd exersize this kernel, but a patch I thought ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel) RE: [PATCH] 2.6 workaround for Athlon/Opteron prefetch errata ... to avoid so we can get this in to the 2.6 kernel ASAP. ... I am pretty certain the patch won't impact the ... > might want to kill the condition depending on the stepping, ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel) Re: 2.6.3-rc1-mm1 ... > This is the first time that anyone told me that it even existed. ... When we're at kernel version 2.6.3! ... without this patch. ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel) Re: Question re the dot releases such as 2.6.12.3 ... I'll submit a patch to the ... > kernel from the home page. ... Copyright 2005 by Maurice Eugene Heskett, ... send the line "unsubscribe linux-kernel" in ... (Linux-Kernel)