On Sat, Oct 16, 2010 at 08:40:21PM +0900, Masao Uebayashi wrote:
> We trust modules at the time when they're installed into the trusted
> place, same as kernel itself. I think prohibiting module load at
> run-time is rather pointless.
"The trusted place"? What's that? Except in the single special case of autoload, "the trusted place" could be anywhere on the filesystem, or on any remote filesystem for that matter.

If you want to enforce the rule "any trusted module can be loaded but only trusted modules can be loaded", while preserving the securelevel framework, the obvious options are:

1) Load module hashes into the kernel at compile or boot time, like veriexec does.

2) Finish the asymmetric operation support in cryptodev and actually require modules to be signed. This is basically a superset of #1 above that could get about as complicated as one wanted it to (ugh) but might be worthwhile if kept simple.

Thor
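As an added illustration of option 1 in Thor's reply (not code from the thread, and not NetBSD's veriexec itself): a build-time manifest of module fingerprints, and a load-time check that accepts any listed module and refuses everything else. Module names, the sample module bytes and the function names are constructed for the example.

```python
"""Added example: a model of a kernel-side allowlist of module hashes fixed at
build/boot time, so any listed module can be loaded and nothing else can.
This is a constructed illustration, not NetBSD's veriexec implementation."""
import hashlib
import hmac

HASH_ALG = "sha256"

def build_manifest(modules: dict[str, bytes]) -> dict[str, tuple[str, str]]:
    """Build-time step: record the hash of every module we intend to trust.
    The result is what would be compiled into, or loaded into, the kernel
    before securelevel is raised."""
    return {name: (HASH_ALG, hashlib.new(HASH_ALG, data).hexdigest())
            for name, data in modules.items()}

def can_load(manifest, name: str, image: bytes) -> tuple[bool, str]:
    """Load-time check. `image` must be the exact bytes the kernel is about
    to link in, hashed after they were read, so swapping the file on disk
    between check and load gains nothing."""
    entry = manifest.get(name)
    if entry is None:
        return False, "module not in manifest"      # unknown module: refuse
    alg, expected = entry
    actual = hashlib.new(alg, image).hexdigest()
    if not hmac.compare_digest(actual, expected):   # constant-time compare
        return False, "fingerprint mismatch"        # tampered or rebuilt: refuse
    return True, "ok"

# Constructed sample modules standing in for real kmod images.
TRUSTED = {
    "ffs.kmod": b"\x7fELF constructed ffs module image",
    "cd9660.kmod": b"\x7fELF constructed cd9660 module image",
}
MANIFEST = build_manifest(TRUSTED)

def demo() -> dict[str, bool]:
    """Exercise the check against an intact, a tampered, an unlisted and a
    renamed module; only the intact one is loadable."""
    return {
        "intact": can_load(MANIFEST, "ffs.kmod", TRUSTED["ffs.kmod"])[0],
        "tampered": can_load(MANIFEST, "ffs.kmod", TRUSTED["ffs.kmod"] + b"\x90")[0],
        "unlisted": can_load(MANIFEST, "evil.kmod", b"\x7fELF anything")[0],
        # Same trusted bytes under another name: the manifest keys on name, so refuse.
        "renamed": can_load(MANIFEST, "cd9660.kmod", TRUSTED["ffs.kmod"])[0],
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'loadable' if ok else 'refused'}")
```

The manifest has to be fixed before securelevel is raised and must not be writable afterwards, otherwise an attacker who can load modules can simply extend the list first.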