Re: kernel module loading vs securelevel

To: Masao Uebayashi <uebayasi%tombi.co.jp@localhost>
Subject: Re: kernel module loading vs securelevel
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Sat, 16 Oct 2010 13:58:19 -0400

On Sat, Oct 16, 2010 at 08:40:21PM +0900, Masao Uebayashi wrote:
> 
> We trust modules at the time when they're installed into the trusted
> place, same as kernel itself.  I think prohibiting module load  at
> run-time is rather pointless.

"The trusted place"?  What's that?  Except in the single special case of
autoload, "the trusted place" could be anywhere on the filesystem, or on
any remote filesystem for that matter.

If you want to enforce the rule "any trusted module can be loaded but only
trusted modules can be loaded", while preserving the securelevel framework,
the obvious options are:

        1) Load module hashes into the kernel at compile or boot time,
           like veriexec does,

        2) Finish the asymmetric operation support in cryptodev and
           actually require modules to be signed.  This is basically a
           superset of #1 above that could get about as complicated as
           one wanted it to (ugh) but might be worthwhile if kept simple.

Thor

Follow-Ups:
- Re: kernel module loading vs securelevel
  - From: Matthew Mondor

References:
- Re: kernel module loading vs securelevel
  - From: David Holland
- Re: kernel module loading vs securelevel
  - From: Izumi Tsutsui
- Re: kernel module loading vs securelevel
  - From: Masao Uebayashi

Prev by Date: Re: kernel module loading vs securelevel
Next by Date: Re: kernel module loading vs securelevel
Previous by Thread: Re: kernel module loading vs securelevel
Next by Thread: Re: kernel module loading vs securelevel
Indexes:

Home | Main Index | Thread Index | Old Index