Kernel configuration options
John Richard Moser
nigelenki at comcast.net
Tue Jan 1 20:28:46 EST 2008
Mitch Bradley wrote:
> From a security standpoint, there is an advantage to building in
> everything. The main kernel is verified with a crypto signature before
> it is executed. Loading a module without first verifying a
> similarly-strong signature weakens the security.
>
Loadable kernel modules are enabled in the config. This argument is moot.
You can sign modules, RHEL supports this by default and has a boot
option for it.
More interesting, some cute hacks have been done before to get write
access to the kernel through /dev/(k)mem, evading the "protection" of
kernels not supporting modules. This is of course fixable.
> Modules are a good idea for kernels that are intended to run on a wide
> variety of hardware. I am in favor of treating XO like an appliance and
> making the kernel as monolithic as possible.
I don't favor loading in modules for Joliet and other CD-ROM stuff, for
RAMFS (which shouldn't be used anyway, use TMPFS), ROMFS (is this even
used?), NTFS, ext2, ext3, etc. that's not with the system by default.
All these can be loadable modules.
>
> _______________________________________________
> Devel mailing list
> Devel at lists.laptop.org
> http://lists.laptop.org/listinfo/devel
>
--
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
More information about the Devel
mailing list