Subject: Re: Systrace policy fingerprints? (Re: finer grained IPNOPRIVPORTing)
To: Simon J. Gerraty <sjg@crufty.net>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 06/01/2005 11:53:51
On Tue, May 31, 2005 at 04:33:11PM -0700, Simon J. Gerraty wrote:
> 
> Because I only need one.  This is an embedded OS in a device.  I only
> want it running s/w that is shipped by the manufacturer.

Yes, that's ok for you - I was thinking more out loud than suggesting
that you should do it.  There really would not be much more effort in
extending the logic from "this binary can be run if this signer has
done the right thing" to "this binary can be run if this signer AND
this signer have done the right thing"

> 
> Unless you want to associate things other than 'executable' via the
> veriexec loader, there is no need for the kernel to know anything
> about it other than the fact that the loader was satisfied.  This
> seems (to me) to be a natural and simple division of responsibility.
> 

I know what you mean but I am still a tad nervous about userland;
there is a lot of scope for playing tricks but, really, it is a matter
of evaluating the attacks and risks and deciding.

> 
> But who needs that?
> 

The two-man rule is common where you have a security critical function
that is too risky to trust to one person who could be
co-opted/subverted.  An obvious (and well known) example of this is
launching a nuclear missile - both members of the team must cooperate
and perform actions to enable the launch.  This may sound a bit
extreme but you could use the two-man rule to, say, have a junior
admin that can perform routine functions but require the senior
admin's authorisation to, say, reboot the machine or stop and start
the firewall (or just update the filter rules).

-- 
Brett Lymn
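The "this signer AND this signer" extension of the veriexec-style check that Brett sketches above, written out as an added example. This is not code from the thread, from veriexec or from its loader; it assumes a constructed per-path policy (which signers must all endorse a given path) and, for simplicity, shared-secret HMAC tags standing in for real signatures. It goes a little beyond the message by covering both cases it mentions: a vendor-only binary and a privileged action that needs the junior AND senior admin.

```python
import hashlib
import hmac

# Constructed sample: per-signer secrets (assumption for the example; a
# real loader would verify public-key signatures, not shared-secret HMACs).
SIGNER_KEYS = {
    "vendor": b"vendor-signing-secret",
    "senior_admin": b"senior-admin-secret",
    "junior_admin": b"junior-admin-secret",
}

# Constructed policy: every signer in the set must have endorsed the
# fingerprint of the path before the loader lets it run.  A one-signer
# entry is the ordinary veriexec case; a two-signer entry is the two-man rule.
POLICY = {
    "/bin/ls": {"vendor"},
    "/sbin/reboot": {"junior_admin", "senior_admin"},
}


def fingerprint(contents: bytes) -> str:
    """Veriexec-style fingerprint of the file contents (SHA-256 here)."""
    return hashlib.sha256(contents).hexdigest()


def sign_entry(signer: str, path: str, fp: str) -> str:
    """Tag over (path, fingerprint) with the signer's key."""
    msg = path.encode() + b"\0" + fp.encode()
    return hmac.new(SIGNER_KEYS[signer], msg, hashlib.sha256).hexdigest()


def verify_entry(signer: str, path: str, fp: str, tag: str) -> bool:
    """Constant-time check that `tag` is this signer's tag for (path, fp)."""
    if signer not in SIGNER_KEYS:
        return False
    return hmac.compare_digest(sign_entry(signer, path, fp), tag)


def build_manifest(entries):
    """Turn (signer, path, contents) triples into signed manifest rows.

    Each row is (signer, path, fingerprint, tag): what a signer would ship."""
    rows = []
    for signer, path, contents in entries:
        fp = fingerprint(contents)
        rows.append((signer, path, fp, sign_entry(signer, path, fp)))
    return rows


def may_execute(path: str, contents: bytes, manifest) -> bool:
    """Loader decision: run `path` only if every required signer has a
    valid tag over the fingerprint of the contents actually on disk."""
    required = POLICY.get(path)
    if required is None:
        return False                      # unknown path: fail closed
    fp = fingerprint(contents)
    satisfied = set()
    for signer, mpath, mfp, tag in manifest:
        if mpath != path or mfp != fp:
            continue                      # wrong path or stale fingerprint
        if verify_entry(signer, mpath, mfp, tag):
            satisfied.add(signer)
    # Endorsements from signers outside the required set do not count.
    return required <= satisfied


if __name__ == "__main__":
    # Constructed sample files (not real binaries).
    reboot = b"#!/bin/sh\nexec /sbin/real_reboot\n"
    ls = b"\x7fELF-constructed-ls"
    manifest = build_manifest([
        ("vendor", "/bin/ls", ls),
        ("junior_admin", "/sbin/reboot", reboot),
        ("senior_admin", "/sbin/reboot", reboot),
    ])
    print("ls:", may_execute("/bin/ls", ls, manifest))
    print("reboot (both admins):", may_execute("/sbin/reboot", reboot, manifest))
    junior_only = build_manifest([("junior_admin", "/sbin/reboot", reboot)])
    print("reboot (junior only):", may_execute("/sbin/reboot", reboot, junior_only))
```

The kernel side in this split only needs the yes/no from `may_execute`; everything about who the signers are and how many are required stays in the loader's policy table, which is the division of responsibility the quoted text describes.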