tech-kern archive


Re: FWIW: sysrestrict



On Mon, Aug 01, 2016 at 12:31:01PM +0930, LYMN wrote:
> On Thu, Jul 28, 2016 at 08:42:49PM +0200, Joerg Sonnenberger wrote:
> > 
> > The difference is that correctly configured veriexec is a system-wide
> > property. It doesn't matter if you can exec something, you don't get to
> > execute binaries that weren't signed. 
> > 
> 
> Technically,  veriexec only runs files that have a valid fingerprint.
> We don't, currently, have signing but that would be useful and probably
> could be done now.  One thing that does seem to get overlooked a lot is

That would require an RSA implementation in the kernel, plus some PKCS bits.

I have code around here somewhere...

Thor

