Subject: Re: cgd and replay
To: Ted Unangst <tedu@zeitbombe.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 05/11/2005 13:47:27

On Wed, May 11, 2005 at 12:16:32PM +1000, Daniel Carosone wrote:
> 
> There are also file-level integrity solutions (eg, veriexec) that can
> be useful, but I'd very much like to see a block-level solution to
> complement these.
> 

Actually, I did have a working version of veriexec that operated at
the page level.  This meant that the storage no longer needed to be
trusted by the kernel - the page fingerprints were built as the
overall file fingerprint was evaluated; if the overall fingerprint
matched, then the page fingerprints were assumed to be valid.  I
modified the pager to check the fingerprints of pages it pulled back
in from storage and error on a mismatch.

I would need to rework the changes to fit into the updated veriexec
but that is not a big effort - most of it was just the skull-work in
understanding what changes needed to be made.

-- 
Brett Lymn
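
A userspace model of the page-level scheme described in the message above, added here as an illustration; it is not the veriexec code the message refers to. SHA-256, the 4096-byte page size, the function names and the sample data are all assumptions made for the example.

```python
import hashlib
import hmac

PAGE_SIZE = 4096  # assumed page size for this model


def load_file(data: bytes, trusted_digest: str) -> list:
    """One pass over the file: hash the whole file and each page together.

    The per-page fingerprints are only returned (trusted) if the whole-file
    fingerprint matches the known-good value.
    """
    whole = hashlib.sha256()
    page_fps = []
    for off in range(0, len(data), PAGE_SIZE):
        page = data[off:off + PAGE_SIZE]
        whole.update(page)
        page_fps.append(hashlib.sha256(page).digest())
    if not hmac.compare_digest(whole.hexdigest(), trusted_digest):
        raise PermissionError("file fingerprint mismatch")
    return page_fps


def page_in(storage: bytes, index: int, page_fps: list) -> bytes:
    """Model of the pager pulling a page back in from untrusted storage."""
    page = storage[index * PAGE_SIZE:(index + 1) * PAGE_SIZE]
    if not hmac.compare_digest(hashlib.sha256(page).digest(), page_fps[index]):
        raise IOError(f"page {index} fingerprint mismatch")
    return page


def demo() -> list:
    original = bytes(range(256)) * 40               # constructed: 10240 bytes, 3 pages
    trusted = hashlib.sha256(original).hexdigest()  # stands in for the stored fingerprint
    fps = load_file(original, trusted)
    tampered = bytearray(original)
    tampered[5000] ^= 0xFF                          # storage changes page 1 after load
    results = []
    for i in range(len(fps)):
        try:
            page_in(bytes(tampered), i, fps)
            results.append("ok")
        except IOError:
            results.append("mismatch")
    return results


if __name__ == "__main__":
    print(demo())
```

Because the fingerprints are held in memory and indexed by page number, a page served from the wrong offset fails the same check as a modified one.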