
Re: A question about Knark and modules



I like the package signing idea.  That would be cool.  That way, you
could still load and unload modules.  I like being able to do that.
One obvious problem with the scheme is that an attacker could
potentially read the keys from /boot/vmlinuz-2.4.5, or whatever, and
sign their own module.  This can be overcome if we give up the ability
to compile more modules for that kernel after we finish compiling it:
 - Generate a key pair during kernel compilation (RSA would be a good
     alg. for this).
 - Sign the modules with one half of the key pair.
 - Store the other half of the key pair in the kernel image.
 - _delete_ all traces of the key used to sign the modules.

 All that's needed to make this workable is to find a way to provide
access to IO/device memory space for X11 without allowing read/write
access to kernel memory.  This can't really be all that hard.  I think
the kernel can tell when the memory address written to or mapped in
/dev/mem is part of kernel memory by checking where the kernel is in
memory.  A very restrictive raw mem device that only allowed processes
to map PCI memory space, or maybe just PCI memory space that PCI
devices reported in their configuration info, would do the job for
X11.  (BTW, AGP acts like another PCI bus).  Limiting things to only
PCI-reported memory spaces would stop access from user space to ISA
memory, but who would want to do that anyway...

 I like this idea.  It would kick ass, so we should do it.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
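The four-step signing scheme proposed above, worked through end to end as an added example (it is not code from this thread, from Knark, or from the kernel; Go's standard-library RSA stands in for whatever the kernel would use, and the module image, key size and function names are constructed for the demo). It shows why an attacker who reads the key out of the kernel image gains nothing: the image holds only the public half, so a tampered module and a module signed with any other key both fail the load-time check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func mustKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err) // only on system RNG failure; acceptable in a demo
	}
	return k
}

// SignModule is step 2: sign a module image's SHA-256 digest with the private half.
func SignModule(priv *rsa.PrivateKey, module []byte) []byte {
	digest := sha256.Sum256(module)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// VerifyModule is the load-time check. It needs only the public half compiled
// into the kernel image, so reading the image off disk does not help forge a signature.
func VerifyModule(pub *rsa.PublicKey, module, sig []byte) bool {
	digest := sha256.Sum256(module)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo runs the scheme end to end and reports three load-time outcomes: the
// genuine module, a tampered copy, and the module signed with an untrusted key.
func Demo() (genuineOK, tamperedOK, foreignOK bool) {
	priv := mustKey(2048) // step 1: key pair generated during the kernel build
	module := []byte("constructed module image: init_module/cleanup_module")
	sig := SignModule(priv, module)
	embeddedPub := &priv.PublicKey // step 3: this half is stored in the kernel image
	priv = nil                     // step 4: delete all traces of the signing key
	genuineOK = VerifyModule(embeddedPub, module, sig)
	tampered := append([]byte(nil), module...)
	tampered[0] ^= 0xff // one flipped byte in the module body
	tamperedOK = VerifyModule(embeddedPub, tampered, sig)
	foreignSig := SignModule(mustKey(2048), module) // key the kernel never saw
	foreignOK = VerifyModule(embeddedPub, module, foreignSig)
	return
}
```

Setting `priv` to nil only illustrates the "delete all traces" step; a real build would have to wipe the key material from disk and memory, not just drop a reference.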