* Philipp Kern <tr...@philkern.de> [111227 04:04]:
> > As you pointed out so nicely: modules_disabled is only a replacement if
> > you have a custom initramfs and do not allow that to be modified
> > automatically. So from the point of the original discussion,
> > modules_disabled is no solution.
>
> You just stuff a file into /etc/initramfs-tools/local-bottom and regenerate
> the initramfs. I think that's much less effort than recompiling the kernel
> with the right bits built-in.

Building a custom kernel is almost no effort at all. Building a minimal one is a bit more effort. But that part is exactly the same as needed for creating a local-bottom: You have to know which modules you need to load before disabling modules. And what use is a /etc/initramfs-tools handling if you cannot create the initramfs on the system or you would defeat the security?

You could argue as well that people wanting a kernel without initramfs have no problem with /usr to be mounted early, they just have to write some parts into the correct part of /etc/rcS to have /usr mounted before anything else is done.

> I'll grant the "boot the kernel from the outside" bit, but then I could just
> kexec into my new kernel, if the admin wasn't careful enough.

Kexec will of course not work. Otherwise there was something done horribly wrong (like forgetting to patch out {k,}mem).