On Tue, Oct 23, 2012 at 09:44:59AM -0700, Eric W. Biederman wrote:
> Hogwash. The kernel verifying a signature of /sbin/kexec at exec time is
> perfectly reasonable, and realistic. In fact finding a way to trust
> small bits of userspace even if root is compromised seems a far superior
> model to simply solving the signing problem for /sbin/kexec.

The kernel verifying the signature of /sbin/kexec and then knowing that it
should only grant permission to make this syscall to /sbin/kexec, without
that policy being provided by userspace.

-- 
Matthew Garrett | mjg59 at srcf.ucam.org
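The model being argued over above, as an added illustration that is not kernel code and not anything either poster wrote: the kernel records at exec time whether the image it loaded matches its own trust anchor, the kexec syscall is gated only on that recorded fact, and no syscall lets userspace (root included) hand the kernel a different policy. Everything here is a simulation with hypothetical names (`do_execve_verify`, `sys_kexec_load`, `sys_grant_kexec`, `struct task`); an FNV-1a digest compared against an in-kernel expected value stands in for real signature verification against a trusted key, and the "/sbin/kexec" bytes are a constructed sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EPERM 1   /* same value as errno's EPERM, so results read like kernel returns */

/* Hypothetical per-task state. kexec_allowed is set only by do_execve_verify();
 * no syscall can set it, which is the "policy not provided by userspace" property. */
struct task {
    int uid;            /* 0 == root; deliberately irrelevant to the decision */
    int kexec_allowed;  /* derived from the verified image, not from uid */
};

/* FNV-1a 64-bit, a stand-in for the signature check a real kernel would do
 * (e.g. a detached signature checked against a key in the kernel keyring).
 * The decision has the same shape: "does this image match what the kernel trusts?" */
static uint64_t image_digest(const unsigned char *buf, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Constructed sample bytes standing in for the trusted /sbin/kexec binary. */
static const unsigned char trusted_kexec_image[] =
    "constructed sample /sbin/kexec image";

/* In-kernel trust anchor. A real kernel would compile in a public key or digest;
 * deriving it from the sample image keeps this example self-contained. */
static uint64_t trusted_kexec_digest(void)
{
    return image_digest(trusted_kexec_image, sizeof trusted_kexec_image);
}

/* exec path: the kernel alone decides whether this image is the trusted /sbin/kexec. */
int do_execve_verify(struct task *t, const unsigned char *image, size_t len)
{
    t->kexec_allowed = (image_digest(image, len) == trusted_kexec_digest());
    return 0;
}

/* kexec_load(): gated purely on the verification recorded at exec time. */
int sys_kexec_load(const struct task *t)
{
    return t->kexec_allowed ? 0 : -EPERM;
}

/* A userspace attempt to grant itself the capability. Refused even for root:
 * a compromised root must not be the source of the policy. */
int sys_grant_kexec(struct task *t)
{
    (void)t;
    return -EPERM;
}

/* Scenario helpers: each returns the kexec_load() result for one case. */
int scenario_verified_kexec(void)
{
    struct task t = { .uid = 0, .kexec_allowed = 0 };
    do_execve_verify(&t, trusted_kexec_image, sizeof trusted_kexec_image);
    return sys_kexec_load(&t);              /* 0: genuine image may kexec */
}

int scenario_tampered_kexec(void)
{
    unsigned char tampered[sizeof trusted_kexec_image];
    struct task t = { .uid = 0, .kexec_allowed = 0 };
    memcpy(tampered, trusted_kexec_image, sizeof tampered);
    tampered[0] ^= 0x01;                    /* one flipped bit: "root replaced /sbin/kexec" */
    do_execve_verify(&t, tampered, sizeof tampered);
    return sys_kexec_load(&t);              /* -EPERM: modified image is refused */
}

int scenario_root_grants_itself(void)
{
    struct task t = { .uid = 0, .kexec_allowed = 0 };
    sys_grant_kexec(&t);                    /* refused; task state unchanged */
    return sys_kexec_load(&t);              /* -EPERM: root alone buys nothing */
}

int main(void)
{
    printf("verified kexec image: %d\n", scenario_verified_kexec());
    printf("tampered kexec image: %d\n", scenario_tampered_kexec());
    printf("root self-grant:      %d\n", scenario_root_grants_itself());
    return 0;
}
```

The second and third scenarios are the ones that matter for the thread: a root that overwrites /sbin/kexec with its own binary, or that asks the kernel directly for the capability, gets nothing, because the only input to the decision is the kernel's own verification of the image it executed.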