Kernel configuration options

Bernardo Innocenti bernie at laptop.org
Tue Jan 1 17:52:08 EST 2008


Mitch Bradley wrote:

> From a security standpoint, there is an advantage to building in 
> everything.  The main kernel is verified with a crypto signature before 
> it is executed.  Loading a module without first verifying a 
> similarly-strong signature weakens the security.
>
> Modules are a good idea for kernels that are intended to run on a wide 
> variety of hardware.  I am in favor of treating XO like an appliance and 
> making the kernel as monolithic as possible.

Uh-oh... Does our security system really depend on this?

Reducing the number of modules is not going to help, because
you only need to load a single module to tap into the kernel.

Building everything statically and disabling module loading
is also not an option if you want half-decent support for
USB devices.  Note that USB also brings in SCSI, DVB, and
a lot more.

-- 
 \___/
 |___|   Bernardo Innocenti - http://www.codewiz.org/
  \___\  One Laptop Per Child - http://www.laptop.org/
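
The trade-off discussed in this thread, as an added example that is not part of the original messages: a shell check that classifies a kernel `.config` by whether the module loader exists and whether module signatures are enforced. `CONFIG_MODULE_SIG` and `CONFIG_MODULE_SIG_FORCE` are mainline Linux options that the thread does not mention, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example: classify a kernel .config by how module loading is protected.

# Reads config text on stdin, prints one verdict word.
module_posture() {
    awk '
        /^CONFIG_MODULES=y$/          { modules = 1 }
        /^CONFIG_MODULE_SIG=y$/       { sig = 1 }
        /^CONFIG_MODULE_SIG_FORCE=y$/ { force = 1 }
        END {
            if (!modules)   print "monolithic"          # no module loader at all
            else if (force) print "signed-enforced"     # unsigned modules rejected
            else if (sig)   print "signed-not-enforced" # unsigned modules still load
            else            print "unsigned-modules"    # anything root supplies loads
        }'
}

# Counts options built as modules (=m) in config text on stdin.
module_count() {
    awk '/^CONFIG_[A-Za-z0-9_]*=m$/ { n++ } END { print n + 0 }'
}

# Constructed sample configs (not taken from any real OLPC build).
MANY_MODULES='CONFIG_MODULES=y
CONFIG_USB_STORAGE=m
CONFIG_SCSI=m
CONFIG_DVB_CORE=m'

ONE_MODULE='CONFIG_MODULES=y
CONFIG_USB_STORAGE=m'

ENFORCED='CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_FORCE=y
CONFIG_USB_STORAGE=m
CONFIG_SCSI=m'

MONOLITHIC='# CONFIG_MODULES is not set
CONFIG_USB_STORAGE=y'

for name in MANY_MODULES ONE_MODULE ENFORCED MONOLITHIC; do
    eval "cfg=\$$name"
    printf '%-13s modules=%s posture=%s\n' "$name" \
        "$(printf '%s\n' "$cfg" | module_count)" \
        "$(printf '%s\n' "$cfg" | module_posture)"
done
```

The verdict is identical for one module and for three; only removing the loader or enforcing signatures changes it.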


