Message-ID: <5566.1432061836@warthog.procyon.org.uk>
Date: Tue, 19 May 2015 19:57:16 +0100
From: David Howells <dhowells@...hat.com>
To: Andy Lutomirski <luto@...capital.net>
Cc: dhowells@...hat.com,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
keyrings@...ux-nfs.org,
LSM List <linux-security-module@...r.kernel.org>
Subject: Re: Should we automatically generate a module signing key at all?

Andy Lutomirski <luto@...capital.net> wrote:
> Both Fedora and RHEL seem to be moving toward having fully-supported
> configurations with immutable root images. Building those images
> reproducibly would be fantastic. (Of course, if Fedora or RHEL wants
> to allow support out-of-tree drivers, that's a different story.)

Irrelevant. initramfs is *not* immutable. It has different modules in it
depending on what hardware you have. Further, you *still* need the module and
firmware hash lists in either the kernel or the initramfs to be loaded into
kernel memory before you load the first module because you have to check the
hash on it.

Or are you suggesting a tree of hashed nodes that have leaves that are the
hashes of the modules so you can save a subtree?

David
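
An added illustration of the hash-tree idea raised in the closing question (not code from this thread or from the kernel): only the tree's root hash is embedded in the kernel image, and each module in a machine-specific initramfs carries the sibling hashes needed to recompute that root. SHA-256, the leaf/node prefix bytes, the sample module contents and all function names are assumptions made for the example.

```python
import hashlib, hmac

def leaf_hash(module_bytes):
    # Domain-separate leaves from interior nodes (prefix bytes as in RFC 6962).
    return hashlib.sha256(b"\x00" + module_bytes).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Return every tree level, leaves first; an unpaired node is promoted as-is."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def make_proof(levels, index):
    """Sibling hashes from leaf to root: the 'subtree' shipped beside one module."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling > index))
        index //= 2
    return proof

def verify_module(module_bytes, proof, trusted_root):
    """Load-time check: recompute the root from the module and its proof."""
    h = leaf_hash(module_bytes)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return hmac.compare_digest(h, trusted_root)

# Constructed sample data: five stand-in "modules" built with the kernel.
MODULES = {name: name.encode() + b"\x7fELF-constructed" for name in
           ("ahci.ko", "e1000e.ko", "ext4.ko", "nvme.ko", "xfs.ko")}
NAMES = sorted(MODULES)
LEVELS = build_levels([leaf_hash(MODULES[n]) for n in NAMES])
KERNEL_ROOT = LEVELS[-1][0]  # the only value embedded in the kernel image

# A per-machine initramfs carries just the modules it needs, each with its proof.
INITRAMFS = {n: (MODULES[n], make_proof(LEVELS, NAMES.index(n)))
             for n in ("nvme.ko", "xfs.ko")}
```

The proof for each module grows with the logarithm of the total module count, so the initramfs stays variable per machine while the kernel image holds one fixed 32-byte value.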