Subject: Re: verified executable kernel modification committed
To: Brett Lymn <>
From: Perry E. Metzger <>
List: tech-security
Date: 11/04/2002 10:33:49
Brett Lymn <> writes:
> On Sun, Nov 03, 2002 at 11:34:31PM -0500, Perry E. Metzger wrote:
> > You can overwrite the key used for checking the signature.
> In the kernel?  Now we are back to that.

/netbsd is just a file on your disk. Write it, force a crash, we're
back to square one. In the end, your security is totally dependent on
chflags working *anyway*, which is what we've said from the start.

> > Read only media? Sure, but once you have read only media, you have to
> > put everything in the trust path onto that media, including the
> > kernel, programs for loading the hashes, etc. At which point, of
> > course, you wonder why you didn't just use read only media for the
> > whole task....
> You can do that... I have done that in the past.  Then you don't need
> immutable flags because you have made the system immutable.  Mind you,
> you need some writable storage somewhere so you would need to be
> careful that that is not mounted allowing exec or you open yourself to
> having binaries run from there.

Perry E. Metzger