Re: Linux distro w/loop-aes

Absolutely, I understand you want people to recompile
the kernel to make 100% sure these things all match.

I suppose you could always give that proviso and also
say that problems may appear if this is not done, but
then say the user may get away with not recompiling
the kernel if (a) loop support was not compiled into
the running kernel but was built as a loadable module;
(b) the user does not wish to encrypt the root
filesystem but only wishes to encrypt a
partition/device; (c) the user's prepared kernel
sources .config exactly matches that of the running
kernel; (d) the user compiles the module using the
exact same version of gcc (and is it binutils?) that
the running kernel was compiled with; (e) anything
I've forgotten.

I've done this to match certain knoppix kernels, not
using Max's packages but from source.  The only
problem I've noticed is on one system there are
occasional freezes but only when a certain gtk2 app is
loaded it seems. That might be the app though or some
interaction with it  - it hasn't been updated in four
years.  




--- Jari Ruusu <jariruusu@xxxxxxxxxxxxxxxxxxxxx>
wrote:

> It is not that simple. Rules:
> 
> - Always compile kernel and all modules using same C compiler and tools.
> - Always compile kernel and all modules using same kernel sources.
> - Always compile kernel and all modules using same kernel configuration.
> 
> All code that runs in kernel space must have same view of kernel data
> structures, and use same type generated code for locking and such. Deviating
> from above rules will often result in situation where that is no longer
> true.
> 
> If kernel and modules are compiled on different boxes, then you run into
> these questions/problems:
> 
> - Are you using same C compiler and tools as the party that compiled your
>   kernel? Sometimes tools are upgraded on one box and not on other.
> - Are you using same kernel sources as the party that compiled your kernel?
>   I can recall at least one distro that includes embargoed security fixes in
>   their precompiled kernel binaries, but sources that they distribute do not
>   include those fixes (to avoid disclosing those fixes).
> - Are you using same kernel configuration as the party that compiled your
>   kernel? Distros ship different kernels compiled using different kernel
>   configurations. Kernel sources and its configuration that you installed
>   do not necessarily reflect the kernel binary that you installed.
> - Are your kernel sources in a state that can be used to compile kernel
>   modules? Your distro may have "cleaned" your kernel sources by removing
>   compile time generated files that are required to compile kernel modules.
>   All this to save space.
> 
> -- 
> Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD
> 
> -
> Linux-crypto:  cryptography in and on the Linux system
> Archive:       http://mail.nl.linux.org/linux-crypto/
> 
> 

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
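
Added example, not part of the original messages: a shell pre-flight for conditions (a), (c) and (d) from the reply above, following the compiler and configuration rules in the quoted message. It assumes the kernel banner uses the "gcc version X.Y.Z" wording; the function names, arguments and sample values are hypothetical.

```shell
#!/bin/sh
# Pre-flight checks before building the loop module against a running kernel.
# Inputs are passed explicitly so the checks can be run on saved copies.

# Extract "X.Y.Z" from a /proc/version-style banner ("... gcc version 4.1.2 ...").
# Prints nothing when the banner does not use that wording.
kernel_gcc_version() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p'
}

# Condition (a): is loop support builtin, a module, or absent in this config?
loop_mode() {
    case $(grep '^CONFIG_BLK_DEV_LOOP=' "$1") in
        *=y) echo builtin ;;
        *=m) echo module ;;
        *)   echo absent ;;
    esac
}

# Condition (c): every CONFIG_ line (set or "is not set") must be identical.
# Header comments such as build timestamps are ignored; order is ignored.
config_matches() {
    a=$(grep 'CONFIG_' "$1" | sort)
    b=$(grep 'CONFIG_' "$2" | sort)
    [ "$a" = "$b" ]
}

# $1 = kernel banner text, $2 = local compiler version,
# $3 = running kernel's config file, $4 = source tree .config
# Returns 0 only when no check fails.
preflight() {
    rc=0
    kv=$(kernel_gcc_version "$1")
    if [ -z "$kv" ]; then echo "gcc: kernel compiler unknown"; rc=1
    elif [ "$kv" != "$2" ]; then echo "gcc: kernel=$kv local=$2 MISMATCH"; rc=1
    else echo "gcc: $kv matches"; fi
    mode=$(loop_mode "$3")
    if [ "$mode" = builtin ]; then echo "loop: built in, kernel rebuild needed"; rc=1
    else echo "loop: $mode"; fi
    if config_matches "$3" "$4"; then echo "config: identical"
    else echo "config: running kernel and source tree differ"; rc=1; fi
    return $rc
}

# Constructed sample data, not taken from a real system.
d=$(mktemp -d)
printf 'CONFIG_BLK_DEV_LOOP=m\n# CONFIG_SMP is not set\n' > "$d/running"
printf '# CONFIG_SMP is not set\nCONFIG_BLK_DEV_LOOP=m\n' > "$d/source"
preflight 'Linux version 2.6.19 (u@h) (gcc version 4.1.2) #1' 4.1.2 "$d/running" "$d/source"
```

On a live system the inputs would typically be the contents of /proc/version, the output of gcc -dumpversion, the running kernel's config (/boot/config-$(uname -r) or /proc/config.gz) and the source tree's .config. A passing result covers only what these files claim: as the quoted message points out, installed sources and configuration do not necessarily reflect the installed kernel binary.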