On Thu, Sep 20, 2012 at 7:22 PM, James Morris <jmor...@namei.org> wrote: > On Thu, 20 Sep 2012, Kees Cook wrote: > >> Earlier proposals for appending signatures to kernel modules would not be >> useful in Chrome OS, since it would involve adding an additional set of >> keys to our kernel and builds for no good reason: we already trust the >> contents of our root filesystem. We don't need to verify those kernel >> modules a second time. Having to do signature checking on module loading >> would slow us down and be redundant. All we need to know is where a >> module is coming from so we can say yes/no to loading it. > > Just out of interest, has anyone else expressed interest in using this > feature?
Yes, in the earlier threads, Mimi spoke up in favor of it as a possible path for IMA to do signature checking. She sent patches that updated the LSM hooks to include callback to IMA that were sent to the lsm list: http://marc.info/?l=linux-security-module&m=134739023306344&w=2 Serge and Eric both Acked the new hooks too. -Kees -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
