...kernel module signing on x86??? Why?

Joshua C. joshuacov at googlemail.com
Fri Mar 9 10:58:43 UTC 2012


2012/3/9 Alan Cox <alan at lxorguk.ukuu.org.uk>:
>
> So you can stop a third party tampering with the modules on your system,
> while keeping the ability to do so yourself. It's all about who owns the
> keys. If you own the keys it becomes a useful security feature to some
> users.
>
> Alan

Put in other words: You cannot do anything with the distro-released
modules because they should be signed. If the distro key is "publicly"
available then any third party can use it and sign his modules.
So I have to recompile the whole kernel (all modules inclusive) and
re-sign them with my own key so that only I can tamper with them. In
both cases I need to recompile the kernel once again... just for
nothing.

Honestly I think this is an extra burden for the developers/people
who often modify their kernels.

--joshua

