I like the package signing idea. That would be cool. That way, you could still load and unload modules. I like being able to do that.

One obvious problem with the scheme is that an attacker could potentially read the keys from /boot/vmlinuz-2.4.5, or whatever, and sign their own module. This can be overcome if we give up the ability to compile more modules for that kernel after we finish compiling it:

- Generate a key pair during kernel compilation (RSA would be a good alg. for this).
- Sign the modules with one half of the key pair.
- Store the other half of the key pair in the kernel image.
- _delete_ all traces of the key used to sign the modules.
All that's needed to make this workable is to find a way to provide access to IO/device memory space for X11 without allowing read/write access to kernel memory. This can't really be all that hard. I think the kernel can tell when the memory address written to or mapped in /dev/mem is part of kernel memory by checking where the kernel is in memory. A very restrictive raw mem device that only allowed processes to map PCI memory space, or maybe just PCI memory space that PCI devices reported in their configuration info, would do the job for X11. (BTW, AGP acts like another PCI bus.) Limiting things to only PCI-reported memory spaces would stop access from user space to ISA memory, but who would want to do that anyway...

I like this idea. It would kick ass, so we should do it.

-- 
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
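The build-time signing scheme from the first half of the message, written out as an added user-space model (this is not code from the post or from any kernel tree). The post only says "RSA"; the choice of RSASSA-PKCS1-v1_5 over SHA-256, the 2048-bit key size, the DER-encoded public key embedded in a `KernelImage` struct, and the module contents are all assumptions made for the example. `buildKernel` generates the key pair, signs every module, embeds only the public half and lets the private half go out of scope; `loadModule` is the check insmod would hit; `attackerSign` plays the attacker who has read the public key out of /boot/vmlinuz and can therefore only sign with a key pair of their own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// SignedModule is a constructed stand-in for a module file: the module image
// plus a detached signature over it.
type SignedModule struct {
	Name string
	Code []byte // module image (constructed sample bytes, not a real .o)
	Sig  []byte // RSASSA-PKCS1-v1_5 signature over SHA-256(Code) (assumed scheme)
}

// KernelImage models the built kernel. It carries only the public half of the
// key pair, which is all an attacker can recover from /boot/vmlinuz.
type KernelImage struct {
	PubKeyDER []byte
}

// buildKernel models the four build-time steps from the post: generate a key
// pair, sign every module with the private half, embed the public half in the
// kernel, and let the private half go out of scope without writing it anywhere.
func buildKernel(modules map[string][]byte) (KernelImage, []SignedModule, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return KernelImage{}, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return KernelImage{}, nil, err
	}
	signed := make([]SignedModule, 0, len(modules))
	for name, code := range modules {
		digest := sha256.Sum256(code)
		sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
		if err != nil {
			return KernelImage{}, nil, err
		}
		signed = append(signed, SignedModule{Name: name, Code: code, Sig: sig})
	}
	// priv is never returned or stored: once this function returns there is no
	// key left with which a further module could be signed for this kernel.
	return KernelImage{PubKeyDER: pubDER}, signed, nil
}

// loadModule models the check insmod would hit: the kernel verifies the
// signature against its embedded public key before accepting the module.
func (k KernelImage) loadModule(m SignedModule) error {
	pubAny, err := x509.ParsePKIXPublicKey(k.PubKeyDER)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("embedded key is not RSA")
	}
	digest := sha256.Sum256(m.Code)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Sig); err != nil {
		return fmt.Errorf("%s: signature check failed: %w", m.Name, err)
	}
	return nil
}

// attackerSign models the attack from the post: someone who has read the kernel
// image holds the public key only, so the best they can do is sign with a key
// pair of their own, which the embedded public key will not verify.
func attackerSign(name string, code []byte) (SignedModule, error) {
	rogueKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return SignedModule{}, err
	}
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, rogueKey, crypto.SHA256, digest[:])
	if err != nil {
		return SignedModule{}, err
	}
	return SignedModule{Name: name, Code: code, Sig: sig}, nil
}

func main() {
	// Constructed module contents; real modules would be ELF objects.
	modules := map[string][]byte{
		"ext3.o":      []byte("constructed ext3 module bytes"),
		"soundcore.o": []byte("constructed soundcore module bytes"),
	}
	kernel, signed, err := buildKernel(modules)
	if err != nil {
		panic(err)
	}
	for _, m := range signed {
		fmt.Printf("load %s: %v\n", m.Name, kernel.loadModule(m))
	}
	rogue, _ := attackerSign("rootkit.o", []byte("constructed rogue module bytes"))
	fmt.Printf("load %s: %v\n", rogue.Name, kernel.loadModule(rogue))
}
```

The property the post is after falls out of the structure: `buildKernel` is the only scope that ever holds the private key, so after the build the kernel can verify modules but nobody, including the person who built it, can sign a new one. That is exactly the trade-off the message describes (no more modules for that kernel after the build), and a tampered or attacker-signed module fails verification at load time.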
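The restricted raw-memory device from the second half of the message, reduced to its decision logic as an added user-space model (not code from the post or from any kernel). The kernel's location and the PCI BAR table are a constructed example; in a real kernel the PCI subsystem would supply the latter. Two rules are assumptions the post does not spell out: requests must be page-aligned (4 KiB assumed), and a request must fall entirely inside a single device's reported region rather than merely avoiding kernel memory.

```go
package main

import (
	"errors"
	"fmt"
)

const pageSize = 4096 // assumed: i386 page size, so mmap offsets are page-aligned

// PhysRange is a half-open physical address range [Start, End).
type PhysRange struct {
	Name       string
	Start, End uint64
}

// MemPolicy is the information the restricted device would consult. In a real
// kernel the PCI subsystem would supply the BAR list; here it is a constructed table.
type MemPolicy struct {
	Kernel  PhysRange   // where the kernel image lives in physical memory
	PCIBars []PhysRange // memory regions PCI devices reported in their config space
}

func overlaps(a, b PhysRange) bool {
	return a.Start < b.End && b.Start < a.End
}

func contains(outer, inner PhysRange) bool {
	return outer.Start <= inner.Start && inner.End <= outer.End
}

// checkMmap decides whether a user process may map [off, off+length) of physical
// memory. It denies anything touching kernel memory and otherwise allows only
// requests that lie entirely inside one PCI-reported region.
func (p MemPolicy) checkMmap(off, length uint64) error {
	if length == 0 {
		return errors.New("zero-length mapping")
	}
	if off%pageSize != 0 || length%pageSize != 0 {
		return errors.New("mapping is not page-aligned")
	}
	end := off + length
	if end < off { // wrapped around: without this check the range would look tiny
		return errors.New("address range overflows")
	}
	req := PhysRange{Name: "request", Start: off, End: end}
	if overlaps(req, p.Kernel) {
		return fmt.Errorf("range %#x-%#x overlaps kernel memory", off, end)
	}
	for _, bar := range p.PCIBars {
		if contains(bar, req) {
			return nil // entirely within one device's reported region
		}
		if overlaps(bar, req) {
			return fmt.Errorf("range %#x-%#x is only partly inside %s", off, end, bar.Name)
		}
	}
	return fmt.Errorf("range %#x-%#x is not PCI-reported memory", off, end)
}

// samplePolicy is constructed for the example: a 2.4-era kernel loaded at 1 MiB
// and two PCI memory BARs (a framebuffer and a small register window).
func samplePolicy() MemPolicy {
	return MemPolicy{
		Kernel: PhysRange{Name: "kernel", Start: 0x00100000, End: 0x00400000},
		PCIBars: []PhysRange{
			{Name: "vga framebuffer", Start: 0xe0000000, End: 0xe4000000},
			{Name: "vga registers", Start: 0xf8000000, End: 0xf8010000},
		},
	}
}

func main() {
	p := samplePolicy()
	requests := []struct{ off, length uint64 }{
		{0xe0000000, 0x10000},        // inside the framebuffer
		{0xe3ffe000, 0x2000},         // ends exactly at the framebuffer's end
		{0xe3fff000, 0x2000},         // straddles the framebuffer's end
		{0x00100000, 0x1000},         // kernel text
		{0x000a0000, 0x10000},        // legacy ISA VGA window, not PCI-reported
		{0xfffffffffffff000, 0x2000}, // would wrap past the top of the address space
	}
	for _, r := range requests {
		fmt.Printf("mmap(%#x, %#x): %v\n", r.off, r.length, p.checkMmap(r.off, r.length))
	}
}
```

The overflow and partial-overlap cases are the ones worth keeping in mind when writing the real thing: a wrapped `off+length` would make a request covering all of memory look like a small one, and a request that starts inside a BAR but runs past its end would otherwise hand user space whatever happens to sit after the device's window. The ISA case is the one the post accepts as a consequence of the design; the legacy VGA window at 0xa0000 is simply not in the table, so it is denied.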