Forget about trust for the moment. Let's say the goal is to prevent the kernel from creating any bindings other than those in some small "allowed" set. To fully specify one of the allowed bindings, you would have to provide both a device ID and a driver name. But in practice this isn't necessary, since a device with a given ID will bind to only one driver in almost all cases, and hence giving just the device ID is enough. So to do what they want, all that's needed is to forbid any bindings except where the device ID is "allowed". Or to put it another way, where the device's authorized flag (which can be initialized based on the device ID) is set. (The opposite approach, in which the drivers are "allowed" rather than the device IDs, apparently has already been discussed and rejected. I'm not convinced that was a good decision, but...) Does this seem like a fair description of the situation?
Yes. That's roughly what the patchkit under discussion implements. -Andi
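The policy sketched above (default-deny, then authorize only devices whose ID is on an allowlist) can be approximated today from userspace with attributes the USB bus already exposes in sysfs, without the kernel patchkit. The script below is an added example, not code from the thread or from the patchkit; it assumes an allowlist file of `idVendor:idProduct` pairs (one per line, lower-case hex as sysfs prints them) and, so that it runs offline, builds a constructed fake sysfs tree instead of touching a real bus. On a real system the directory would be `/sys/bus/usb/devices` and the script would have to run before any device of interest is probed (for example from early userspace or a udev rule), since a device that was already authorized has already had its driver bound.

```shell
#!/bin/sh
# Userspace approximation of the "allowed device ID" policy: set the
# host controllers to authorized_default=0 so new devices arrive
# deauthorized (no driver probe), then write 1 to the per-device
# "authorized" attribute only for IDs on the allowlist.
# idVendor, idProduct, authorized and authorized_default are real
# USB sysfs attribute names; the allowlist format is this example's own.

# Set every host controller (usbN) under DEVDIR to authorized_default=0.
deny_by_default() {
    devdir=$1
    for hc in "$devdir"/usb*; do
        [ -f "$hc/authorized_default" ] || continue
        echo 0 > "$hc/authorized_default"
    done
}

# authorize_allowed DEVDIR ALLOWLIST
# For each device directory exposing idVendor/idProduct, authorize it
# when "idVendor:idProduct" appears as a whole line in ALLOWLIST,
# otherwise explicitly deauthorize it (which also unbinds its driver
# on a real bus).
authorize_allowed() {
    devdir=$1
    allow=$2
    for d in "$devdir"/*; do
        [ -f "$d/idVendor" ] && [ -f "$d/idProduct" ] || continue
        id="$(cat "$d/idVendor"):$(cat "$d/idProduct")"
        if grep -qixF -- "$id" "$allow"; then
            echo 1 > "$d/authorized"
        else
            echo 0 > "$d/authorized"
        fi
    done
}

# Report the authorized state of one device dir (for checking results).
authorized_state() {
    cat "$1/authorized"
}

# Constructed fake sysfs tree for offline demonstration; values are
# made up and do not correspond to a real bus enumeration.
make_fake_tree() {
    root=$1
    mkdir -p "$root/usb1" "$root/1-1" "$root/1-2"
    echo 1 > "$root/usb1/authorized_default"
    echo 046d > "$root/1-1/idVendor";  echo c52b > "$root/1-1/idProduct"
    echo 1    > "$root/1-1/authorized"
    echo 0781 > "$root/1-2/idVendor";  echo 5583 > "$root/1-2/idProduct"
    echo 1    > "$root/1-2/authorized"
    # Allowlist (constructed): only the first device is permitted.
    echo 046d:c52b > "$root/allowlist"
}

# Stand-alone run against the fake tree.
if [ "${DEMO:-1}" = 1 ] && [ -z "$SKIP_DEMO" ]; then
    tmp=$(mktemp -d)
    make_fake_tree "$tmp"
    deny_by_default "$tmp"
    authorize_allowed "$tmp" "$tmp/allowlist"
    echo "1-1 authorized=$(authorized_state "$tmp/1-1")"
    echo "1-2 authorized=$(authorized_state "$tmp/1-2")"
    rm -rf "$tmp"
fi
```

Note the caveat that the opening of the thread already sets aside: the ID is whatever the device reports, so this gates on claimed identity, not on anything the device has proven about itself. It limits which drivers get exercised, which is the goal stated above, but a device that lies about its `idVendor:idProduct` passes the check.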