On Fri, Aug 23, 2002 at 03:00:15PM -0400, Gary Thorpe wrote:
> --- Bill Squier <groo@old-ones.com> wrote:
> > On Fri, Aug 23, 2002 at 02:38:32PM -0400, Gary
> > Thorpe wrote:
> > > However, since root can acess kernel memory via
> > > /dev/kmem, how can lkms be much less secure?
> > Anyone
> > > who has access to root and can load lkms can do
> > > equally nasty things even without lkm.
> > 
> > man init
> > /securelevel

You seem to be a little confused.  You asked (with respect to firmware loading)
why one would worry about using a full blown LKM implementation to do it, in
light of the 'fact' that 'since root can acesss [sic] kernel memory [...]'
you have no protection anyway.

I simply dispelled that misapprehension.

> Then maybe securelevel should also restrict lkm usage?

This is unnecessary, since a kernel option (man 4 options) already does this.
I agree, of course, that allowing LKMs to load in an environment in which 
securelevel > 0 would be a strange administrative choice.

> The argument just doesn't make any
> sense: anyone who is that concerned about secuirty to
> leave out lkms won't be affected by them, regardless
> of what lkms are written etc.

I don't know to which 'argument' you are referring.  We are discussing using
LKMs to load firmware vs. using some other more secure method.

Above, in your quoted text, you ask 'how can lkms be much less secure?', and
I'm attempting to show you.

> However, since the kernel itself can be circumvented
> at boot time by using single mode or boot media
> besides the normal one, the securelevel still cannot
> help you. 

This of course depends on your threat model.  Physical access threats can be
eliminated if that's a concern for you, at which point, your 'single mode' [sic]
and 'boot media' concerns vanish.

-- 
Bill Squier (groo@old-ones.com)                          http://www.netbsd.org

        I know I don't deserve another chance, but this _is_ America,
        and as an American, aren't I entitled to one?  --Sideshow Bob.