
Thread: Signed Kernel Modules Support For Linux 3.7

  1. #1
    Join Date
    Jan 2007
    Posts
    14,313

    Signed Kernel Modules Support For Linux 3.7

    Phoronix: Signed Kernel Modules Support For Linux 3.7

    One of the last merge requests that Linus Torvalds honored this past weekend prior to releasing Linux 3.7-rc1 was the modules pull, which added in module signing support for the Linux kernel...

    http://www.phoronix.com/vr.php?view=MTIwNzk

  2. #2
    Join Date
    Dec 2011
    Posts
    2,001

    I wonder...

    I wonder if this is to secure computers to make it more secure or to lock down appliances to prevent consumers from fiddling with 'em.

  3. #3
    Join Date
    Jun 2009
    Posts
    517


    soo...how will this actually work?

    Let's say I got a notebook with a new AMD/Nvidia graphics card which I intend to run with the graphics driver blobs (fglrx and ForceWare) and a Broadcom wifi card which is only supported by the proprietary wl driver.

    How will these blobs get signed? During the installation process? Or are there any tricks / hoops to jump through so that the installation will go through and the modules loaded properly?

  4. #4
    Join Date
    Oct 2009
    Posts
    2,058


    What I would really like is a FORCE UNSIGNED option. If a module is signed, reject it because it was built by a stupid crackhead.

    "signed" does not mean "safe".

  5. #5
    Join Date
    Apr 2008
    Location
    NJ
    Posts
    78

    Secure boot or Restricted boot?

    https://www.fsf.org/campaigns/campai...estricted-boot

    Anyway, this support in the kernel is just another feature. Just like other security features, it can be used to lock down what users can do. The real threat to this comes from the Motherboard/BIOS, if we can't load our own keys into it. If we can do that, then we can always just recompile the Linux Kernel.

  6. #6
    Join Date
    Sep 2012
    Posts
    277

    Big bro

    Big Brother is cooooooooooomingggggggg ....

  7. #7
    Join Date
    Sep 2010
    Posts
    229


    Quote: Originally Posted by uid313
    I wonder if this is to secure computers to make it more secure or to lock down appliances to prevent consumers from fiddling with 'em.

    Both. The same technology that allows you to prevent strangers, employees, kids, malware, or whatever from tampering with kernel modules allows the manufacturer to do the same if they control the boot chain from the earliest level (it's what some of them have been doing for a long time anyway).

    Also see what gQuigs says / links to (although this can be used & abused on systems without BIOS or UEFI too).
    Last edited by JanC; 10-20-2012 at 01:41 PM.

  8. #8
    Join Date
    Oct 2012
    Posts
    6


    it more secure or to lock down appliances to prevent consumers from fiddling with 'em.

  9. #9
    Join Date
    Jan 2011
    Posts
    185


    Quote: Originally Posted by droidhacker
    What I would really like is a FORCE UNSIGNED option. If a module is signed, reject it because it was built by a stupid crackhead.

    "signed" does not mean "safe".

    But when properly used it does mean "as it was intended to be by the signatory".

    What exactly is wrong with saying, "this is who I am and this is the module I approved via cryptographic means"?
