Jim Wise <jw250@columbia.edu> writes:

> When you load a module, using ml, you can use `ml ld ...' to load a
> module, which is the same as modload under NetBSD, or you can use
> `ml reg ...' to `register' a module.  A registered module is duly noted by
> the kernel, but is not loaded until it is used.  This makes it possible,
> for example, to have a kernel which can use any supported device, but
> which is hardly larger than a kernel stripped to just those devices which
> are present.

I was going to suggest the following for this sort of thing:

(1) a command, run at securelevel 0, which does an md5 hash and remembers
    the size and name of an LKM, and gives this to the kernel.
(2) a userland daemon.  If you want dynamic loading, you run this.
(3) a command to load a module which was previously identified in the
    kernel.

This would more or less remove security holes from the LKM loading after
securelevel 0 is gone part I believe.

--Michael