Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Brett Lymn <blymn@baesystems.com.au>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 05/31/2005 16:33:11
On Tue, 31 May 2005 22:16:22 +0930, Brett Lymn writes:
>>  I'm using detached signatures on the fingerprint
>> manifests, and using a loader that won't proceed unless it can verify 
>> the signature.  You could easily have it tag the structs passed to the kernel
>> with an id of the signer (I only have one signer of course), doing this
>> in userland allows maximum flexibility.
>
>oh my.... why just one id? (though that would be sufficient for most

Because I only need one.  This is an embedded OS in a device.  I only
want it running s/w that is shipped by the manufacturer.
Doing the sig stuff in userland allows lots of scope though for
issuing signing keys to 3rd parties and tying those keys to registered
"packages" or something, so that the 3rd party can sign the thing they
contracted for and nothing else.

Unless you want to associate things other than 'executable' via the
veriexec loader, there is no need for the kernel to know anything
about it other than the fact that the loader was satisfied.  This
seems (to me) to be a natural and simple division of responsibility.

>cases). If multiple signers were required before an executable was run
>then you would be able to enforce a "two man" rule if that was
>required.

But who needs that?

--sjg
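The loader design sketched above (verify a detached signature over a fingerprint manifest in userland, tag what gets passed to the kernel with the signer's id, and confine a third-party key to the packages registered for it) as an added, runnable illustration. This is not code from the thread or from the veriexec loader: it assumes a simplified manifest format of `path sha256hex` per line, models a "registered package" as a path prefix, and derives Ed25519 keys from fixed seeds so it runs offline. All names (`Registry`, `VerifyManifest`, the `vendor` and `acme` signers) are made up for the example.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Entry is one manifest line after verification, tagged with the id of the
// signer whose key validated the manifest; this tag is what the loader
// would pass along to the kernel instead of any key material.
type Entry struct {
	Path, Fingerprint, Signer string
}

// Signer binds a public key to the path prefixes ("packages") it may vouch for.
// Assumption for the example: a package is modelled as a path prefix.
type Signer struct {
	Key      ed25519.PublicKey
	Prefixes []string
}

// Registry maps signer id to key and scope. The manufacturer is unrestricted;
// a third party is confined to the packages registered for its key.
type Registry map[string]Signer

var (
	ErrUnknownSigner = errors.New("unknown signer id")
	ErrBadSignature  = errors.New("manifest signature did not verify")
	ErrOutOfScope    = errors.New("manifest entry outside signer's registered packages")
)

// VerifyManifest is the userland loader step: check the detached signature
// over the raw manifest bytes with the named signer's key, then parse the
// manifest and refuse it outright if any entry is outside that signer's
// scope. Entries are returned only on success, each tagged with the signer id.
func VerifyManifest(reg Registry, signerID string, manifest, sig []byte) ([]Entry, error) {
	s, ok := reg[signerID]
	if !ok {
		return nil, ErrUnknownSigner
	}
	if !ed25519.Verify(s.Key, manifest, sig) {
		return nil, ErrBadSignature
	}
	var entries []Entry
	sc := bufio.NewScanner(bytes.NewReader(manifest))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		if _, err := hex.DecodeString(f[1]); err != nil || len(f[1]) != 64 {
			return nil, fmt.Errorf("bad sha256 fingerprint for %s", f[0])
		}
		if !inScope(s.Prefixes, f[0]) {
			return nil, fmt.Errorf("%w: %s (signer %s)", ErrOutOfScope, f[0], signerID)
		}
		entries = append(entries, Entry{Path: f[0], Fingerprint: f[1], Signer: signerID})
	}
	return entries, sc.Err()
}

func inScope(prefixes []string, path string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// keyFromSeed derives a deterministic Ed25519 key pair from a fixed seed so
// the example is self-contained; a real deployment generates keys properly
// and never ships the private halves on the device.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	b := make([]byte, ed25519.SeedSize)
	copy(b, seed)
	priv := ed25519.NewKeyFromSeed(b)
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo builds a two-signer registry and runs four checks: a manufacturer
// manifest, a third-party manifest inside its package, a third-party manifest
// reaching outside it, and a manifest altered after signing.
func Demo() (okVendor, okAcme bool, errScope, errTamper error) {
	vendorPub, vendorPriv := keyFromSeed("vendor")
	acmePub, acmePriv := keyFromSeed("acme")
	reg := Registry{
		"vendor": {Key: vendorPub, Prefixes: []string{"/"}},
		"acme":   {Key: acmePub, Prefixes: []string{"/usr/pkg/acme/"}},
	}
	fp := strings.Repeat("ab", 32) // constructed placeholder sha256 fingerprint

	vendorMan := []byte("/sbin/init " + fp + "\n/usr/pkg/acme/bin/agent " + fp + "\n")
	vendorSig := ed25519.Sign(vendorPriv, vendorMan)
	_, err := VerifyManifest(reg, "vendor", vendorMan, vendorSig)
	okVendor = err == nil

	acmeMan := []byte("/usr/pkg/acme/bin/agent " + fp + "\n")
	_, err = VerifyManifest(reg, "acme", acmeMan, ed25519.Sign(acmePriv, acmeMan))
	okAcme = err == nil

	// acme's key is valid, but it tries to vouch for a binary outside its package
	rogueMan := []byte("/sbin/init " + fp + "\n")
	_, errScope = VerifyManifest(reg, "acme", rogueMan, ed25519.Sign(acmePriv, rogueMan))

	// the manifest is edited after signing, so the detached signature no longer matches
	tampered := bytes.Replace(vendorMan, []byte("abab"), []byte("cdcd"), 1)
	_, errTamper = VerifyManifest(reg, "vendor", tampered, vendorSig)
	return
}

func main() {
	fmt.Println(Demo())
}
```

The order of checks is deliberate: the signature is verified over the raw bytes before any parsing, so malformed or out-of-scope content from a key that never signed the file is rejected as a signature failure rather than reaching the parser, and a registered third party gets the same refusal for any path it was not contracted for.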