Subject: Re: Verifying a kernel.
To: Matt Thomas <matt@3am-software.com>
From: Allen Briggs <briggs@netbsd.org>
List: tech-kern
Date: 07/19/2005 18:01:23
On Tue, Jul 19, 2005 at 02:02:17PM -0700, Matt Thomas wrote:
> 1) Limit this to ELF only.  This eliminates ns32k/pc532, but does
>    that really matter?

I don't think that matters.

> 2) Add an ELF Note per PT_LOAD section that has three pieces of
>    information: verification algorithm (16 bits), program header
>    number (16 bits), the actual verification data (variable sized).
>    Since the ELF note itself has a size, keeping the size of the data
>    isn't needed.

And the algorithm will likely define the size of the data it's going
to verify against, with an upper bound defined by the note size.

> 3) Place these notes in the .text PT_LOAD section of the kernel.  Add
>    symbols for them: verification_notes_{start,end}.

And substitute the actual data with 0s for the verification algorithm
computation?

> 4) Allow various algorithms: SHA1, MD5, etc.
> 
> 5) Extend mdsetimage(8) or add a new utility to set/test these notes.

I don't really like the idea of a new utility, but putting it in
mdsetimage(8) seems more convenient (an existing kernel post-processor)
than correct on first consideration.

-allen

-- 
                  Use NetBSD!  http://www.NetBSD.org/
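The following is an added illustration of the scheme sketched in points 2 through 5 above and of the "substitute the actual data with 0s" question: one verification note per PT_LOAD, each carrying a 16-bit algorithm id, a 16-bit program header number and the digest, all placed in the text segment between verification_notes_{start,end}; a setter that fills the digests in the way an mdsetimage(8)-style post-processor would, and a checker that recomputes them. It is not NetBSD code and not code from anyone in this thread. The note owner name "VERIFY", the note type 0x1000, the algorithm numbers (1 = MD5, 2 = SHA1) and the two-segment ELF64 image it builds in memory are assumptions made for the example.

```python
"""Per-PT_LOAD verification notes in an ELF64 image (added illustration).
Not NetBSD code.  Note name, note type and algorithm ids are assumed."""
import hashlib
import struct

NOTE_NAME = b"VERIFY\0"      # assumed note owner name (NUL-terminated)
NT_VERIFY = 0x1000           # assumed note type
ALG_MD5, ALG_SHA1 = 1, 2     # assumed 16-bit algorithm ids
ALGS = {ALG_MD5: hashlib.md5, ALG_SHA1: hashlib.sha1}
PT_LOAD = 1

EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"           # Elf64_Phdr
EHDR_SIZE, PHDR_SIZE = struct.calcsize(EHDR), struct.calcsize(PHDR)


def pad4(n):
    return (n + 3) & ~3


def note_bytes(alg, phnum, digest_len):
    """One note: Elf64_Nhdr, padded name, desc = alg(16) | phdr(16) | digest.
    The digest field starts out as zeros; the note size implies its length."""
    desc = struct.pack("<HH", alg, phnum) + bytes(digest_len)
    hdr = struct.pack("<III", len(NOTE_NAME), len(desc), NT_VERIFY)
    return (hdr + NOTE_NAME.ljust(pad4(len(NOTE_NAME)), b"\0")
            + desc.ljust(pad4(len(desc)), b"\0"))


def load_segments(image):
    """Map program header index -> (p_offset, p_filesz) for each PT_LOAD."""
    e = struct.unpack_from(EHDR, image, 0)
    e_phoff, e_phentsize, e_phnum = e[5], e[9], e[10]
    segs = {}
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR, image, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:
            segs[i] = (p[2], p[5])
    return segs


def walk_notes(image, start, end):
    """Yield (alg, phnum, digest_offset, digest_len) for each verification
    note in [start, end), i.e. between verification_notes_{start,end}."""
    off = start
    while off + 12 <= end:
        namesz, descsz, ntype = struct.unpack_from("<III", image, off)
        name_off, desc_off = off + 12, off + 12 + pad4(namesz)
        if ntype == NT_VERIFY and image[name_off:name_off + namesz] == NOTE_NAME:
            alg, phnum = struct.unpack_from("<HH", image, desc_off)
            yield alg, phnum, desc_off + 4, descsz - 4
        off = desc_off + pad4(descsz)


def segment_digest(image, seg, notes, alg):
    """Digest of a segment's file bytes with every note's digest field zeroed,
    so stored digests never feed into their own computation.  The algorithm
    id and program header number are left in place and so stay covered."""
    p_offset, p_filesz = seg
    buf = bytearray(image[p_offset:p_offset + p_filesz])
    for _, _, doff, dlen in notes:
        if p_offset <= doff and doff + dlen <= p_offset + p_filesz:
            buf[doff - p_offset:doff - p_offset + dlen] = bytes(dlen)
    return ALGS[alg](bytes(buf)).digest()


def set_notes(image, start, end):
    """mdsetimage(8)-style post-processing: fill in every note's digest."""
    out = bytearray(image)
    segs = load_segments(image)
    notes = list(walk_notes(image, start, end))
    for alg, phnum, doff, dlen in notes:
        d = segment_digest(image, segs[phnum], notes, alg)
        if len(d) != dlen:
            raise ValueError("note size does not match algorithm output")
        out[doff:doff + dlen] = d
    return bytes(out)


def verify(image, start, end):
    """Recompute each note's digest; return {phnum: True/False}."""
    segs = load_segments(image)
    notes = list(walk_notes(image, start, end))
    result = {}
    for alg, phnum, doff, dlen in notes:
        ok = alg in ALGS and phnum in segs
        if ok:
            ok = segment_digest(image, segs[phnum], notes, alg) == image[doff:doff + dlen]
        result[phnum] = ok
    return result


def build_image():
    """Constructed two-segment ELF64 image: text (code + notes) and data."""
    code = bytes([0x90]) * 32                    # constructed "code" bytes
    notes = note_bytes(ALG_SHA1, 0, 20) + note_bytes(ALG_MD5, 1, 16)
    data = b"constructed data segment\0"
    text_off = EHDR_SIZE + 2 * PHDR_SIZE
    notes_start = text_off + len(code)
    text = code + notes
    data_off = text_off + len(text)
    base = 0x400000
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)    # ELFCLASS64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, base + text_off, EHDR_SIZE, 0,
                       0, EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)
    ph_text = struct.pack(PHDR, PT_LOAD, 5, text_off, base + text_off,
                          base + text_off, len(text), len(text), 0x1000)
    ph_data = struct.pack(PHDR, PT_LOAD, 6, data_off, base + data_off,
                          base + data_off, len(data), len(data) + 64, 0x1000)
    return ehdr + ph_text + ph_data + text + data, notes_start, notes_start + len(notes)


if __name__ == "__main__":
    img, start, end = build_image()
    signed = set_notes(img, start, end)
    print(verify(signed, start, end))
```

Two points the code makes explicit. Only the digest bytes are zeroed during the computation, not the whole note, so the algorithm id and program header number are covered and cannot be swapped without breaking the digest. And the digest covers p_filesz bytes only; where p_memsz exceeds p_filesz (bss, as in the data segment above), a verifier that runs after the image is loaded also has to confirm that region is zero, which this file-level check does not do.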