On Tue, 2012-07-17 at 11:33 -0400, Konrad Rzeszutek Wilk wrote:
The only thing that comes to my mind is PCI passthrough, as it probably could be thought of as something allowing physical memory accesses... Or is the control Xen/qemu provides over it sufficient? (Again, I think the same could apply to KVM, right?).
Right, and also kexec for example. There is code loaded from a userspace binary into the kernel to deal with a crashed kernel. It's called purgatory code.
I see.
What I am not clear is how far the "chain of trust" needs to go - b/c this also would imply module signing - which is right now _not_ in the upstream kernel.
It sure does, and in fact, module signing figures in the (still draft) Fedora plan: http://mjg59.dreamwidth.org/12368.html ("Signed modules are obviously troubling from a user perspective. We'll be signing all the drivers that we ship [...]").
The X server is also mentioned there, so I guess qemu (it opens /dev/mem as root after all, doesn't it?) could be a candidate too? :-O
Thanks and Regards, Dario