Rusty Russell <rusty@xxxxxxxxxx> wrote:

> And adds a great deal of code in a supposedly security-sensitive path to
> achieve it.
>
> How about simply append a signature to the module? That'd be about 20 lines
> of code to carefully check the bounds of the module to figure out where the
> signature is. You could even allow multiple signatures, then have one for
> stripped, and one for non-stripped versions.

A big chunk of the code is dealing with the cryptographic bits - and you need those anyway - and if it's done right it can be shared with other things (eCryptfs for example; maybe CIFS from what Steve French said) and auxiliary keys can be stored in places other than the kernel (the TPM for example).

> Sure, you now need to re-append that after stripping, but that's not the
> kernel's problem.

You may also have to remove the signature before passing it to any binutils tool lest it malfunction on the trailer - and would you also have to modify insmod and modprobe? I suspect they parse the ELF to find out about parameters and things.

I've found that rpmbuild and mkinitrd alter the module files at various times, so you'd need a bunch of signatures, one for each (may just be two, but I can't guarantee that). This means the kernel build process needs to know what transformations are going to be applied to a module - something that has changed occasionally within the distribution I use and may vary between distributions (or even just someone building for themselves).

David
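The bounds check for locating an appended signature that the quoted proposal refers to, as an added example that is not code from this thread or from the kernel. The trailer layout (signature bytes, then a 4-byte big-endian length, then an 8-byte magic `~MODSIG~`), the sample buffers and every name below are assumptions made for illustration; signature verification itself is not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical trailer layout (an assumption for this example):
 *   [ module image ][ signature ][ sig_len: 4 bytes BE ][ magic: 8 bytes ] */
#define SIG_MAGIC     "~MODSIG~"
#define SIG_MAGIC_LEN 8u
#define SIG_TRAILER   (4u + SIG_MAGIC_LEN)

struct sig_view {
    const uint8_t *sig;   /* first byte of the signature */
    size_t sig_len;       /* signature length in bytes */
    size_t image_len;     /* length of the module image the signature covers */
};

/* Constructed sample: 4-byte "image", 2-byte signature, length 2, magic. */
const uint8_t sample_ok[] = { 'E','L','F','!', 0xAA,0xBB, 0,0,0,2,
                              '~','M','O','D','S','I','G','~' };
/* Constructed sample: same file, but the length field claims 200 bytes. */
const uint8_t sample_bad[] = { 'E','L','F','!', 0xAA,0xBB, 0,0,0,200,
                               '~','M','O','D','S','I','G','~' };

/* Returns 0 and fills *out when a well-formed trailer is present, else -1.
 * Every length is checked against the buffer before it is used. */
int find_appended_sig(const uint8_t *buf, size_t len, struct sig_view *out)
{
    if (buf == NULL || out == NULL || len < SIG_TRAILER)
        return -1;                    /* too short to hold a trailer */

    const uint8_t *t = buf + len - SIG_TRAILER;
    if (memcmp(t + 4, SIG_MAGIC, SIG_MAGIC_LEN) != 0)
        return -1;                    /* unsigned, truncated or stripped */

    size_t sig_len = ((size_t)t[0] << 24) | ((size_t)t[1] << 16) |
                     ((size_t)t[2] << 8)  |  (size_t)t[3];

    /* Compare with the space left; never compute len - sig_len unchecked. */
    size_t avail = len - SIG_TRAILER;
    if (sig_len == 0 || sig_len >= avail)
        return -1;                    /* length lies, or nothing was signed */

    out->image_len = avail - sig_len;
    out->sig = buf + out->image_len;
    out->sig_len = sig_len;
    return 0;
}
```

The signature covers exactly `image_len` bytes, so any tool that rewrites those bytes after signing leaves a trailer that still parses but no longer verifies, which is the reply's point about needing one signature per transformed form.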