Subject: Re: verified executable kernel modification committed
To: Brett Lymn <blymn@baesystems.com.au>
From: grant beattie <grant@netbsd.org>
List: current-users
Date: 10/30/2002 12:03:04
On Wed, Oct 30, 2002 at 01:10:11AM +1030, Brett Lymn wrote:

> Q: So, how do you stop the list being updated later?
> A: by using securelevel - the fingerprints can only be loaded at
>    securelevel == 0.  The full effect of the verified exec is in
>    effect at securelevel > 2 (i.e. 3 onwards), at this point warnings
>    about invalid/missing fingerprints become fatal errors, before this
>    they were merely warnings.

Are there alternative ways (already existing or not) to activate it? The
securelevel scheme prevents it from being used effectively when options
INSECURE is used. :(

g.