Signed Kernel Modules Support For Linux 3.7
Phoronix: Signed Kernel Modules Support For Linux 3.7
One of the last merge requests that Linus Torvalds honored this past weekend prior to releasing Linux 3.7-rc1 as the modules pull, which added in module signing support for the Linux kernel...
I wonder if this is to secure computers to make it more secure or to lock down appliances to prevent consumers to fiddle with em.
soo...how will this actually work?
Let's say I got a notebook with a new AMD/Nvidia graphics card which I intend to run with the graphics driver blobs (fglrx and ForceWare) and a Broadcom wifi card which is only supported by the prorprietary wl driver.
How will these blobs get signed? During the installation process? Or are there any tricks / hoops to jump through so that the installation will go through and the modules loaded properly?
What I would really like is a FORCE UNSIGNED option. If a module is signed, reject it because it was built by a stupid crackhead.
"signed" does not mean "safe".
Secure boot or Restricted boot?
Anyway, this support in the kernel is just another feature. Just like other security features, they can be used to lock-down what users can do. The real threat to this comes from the Motherboard/BIOS, if we can't load our own keys into it. If we can do that, they we can always just recompile the Linux Kernel.
Big Brother is cooooooooooomingggggggg ....
But when properly used it does mean "as it was intended to be by the signatory"
Originally Posted by droidhacker
What exactly is wrong with saying, this is who I am and this is the module I approved via cryptographic means?
Both. the same technology that allows you to prevent strangers, employees, kids, malware, or whatever to tamper with kernel modules, allows the manufacturer to do the same if they control the boot chain from the earliest level (it's what some of them have been doing for a long time anyway).
Originally Posted by uid313
Also sees what gQuigs says / links to (although this can be used & abused on systems without BIOS or UEFI too).
Last edited by JanC; 10-20-2012 at 12:41 PM.
it more secure or to lock down appliances to prevent consumers to fiddle with em.