| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <5566.1432061836@warthog.procyon.org.uk> Date: Tue, 19 May 2015 19:57:16 +0100 From: David Howells <dhowells@...hat.com> To: Andy Lutomirski <luto@...capital.net> Cc: dhowells@...hat.com, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, keyrings@...ux-nfs.org, LSM List <linux-security-module@...r.kernel.org> Subject: Re: Should we automatically generate a module signing key at all? Andy Lutomirski <luto@...capital.net> wrote: > Both Fedora and RHEL seems to be moving toward having fully-supported > configurations with immutable root images. Building those images > reproducibly would be fantastic. (Of course, if Fedora or RHEL wants > to allow support out-of-tree drivers, that's a different story.) Irrelevant. initramfs is *not* immutable. It has different modules in it depending on what hardware you have. Further, you *still* need the module and firmware hash lists in either the kernel or the initramfs to be loaded into kernel memory before you load the first module because you have to check the hash on it. Or are you suggesting a tree of hashed nodes that have leaves that are the hashes of the modules so you can save a subtree? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists