Announcement

Collapse
No announcement yet.

Signed Kernel Modules Support For Linux 3.7

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Signed Kernel Modules Support For Linux 3.7

    Phoronix: Signed Kernel Modules Support For Linux 3.7

    One of the last merge requests that Linus Torvalds honored this past weekend prior to releasing Linux 3.7-rc1 as the modules pull, which added in module signing support for the Linux kernel...

    http://www.phoronix.com/vr.php?view=MTIwNzk

  • #2
    I wonder...

    I wonder if this is to secure computers to make it more secure or to lock down appliances to prevent consumers to fiddle with em.

    Comment


    • #3
      soo...how will this actually work?

      Let's say I got a notebook with a new AMD/Nvidia graphics card which I intend to run with the graphics driver blobs (fglrx and ForceWare) and a Broadcom wifi card which is only supported by the prorprietary wl driver.

      How will these blobs get signed? During the installation process? Or are there any tricks / hoops to jump through so that the installation will go through and the modules loaded properly?

      Comment


      • #4
        What I would really like is a FORCE UNSIGNED option. If a module is signed, reject it because it was built by a stupid crackhead.

        "signed" does not mean "safe".

        Comment


        • #5
          Secure boot or Restricted boot?

          https://www.fsf.org/campaigns/campai...estricted-boot

          Anyway, this support in the kernel is just another feature. Just like other security features, they can be used to lock-down what users can do. The real threat to this comes from the Motherboard/BIOS, if we can't load our own keys into it. If we can do that, they we can always just recompile the Linux Kernel.

          Comment


          • #6
            Big bro

            Big Brother is cooooooooooomingggggggg ....

            Comment


            • #7
              Originally posted by uid313 View Post
              I wonder if this is to secure computers to make it more secure or to lock down appliances to prevent consumers to fiddle with em.
              Both. the same technology that allows you to prevent strangers, employees, kids, malware, or whatever to tamper with kernel modules, allows the manufacturer to do the same if they control the boot chain from the earliest level (it's what some of them have been doing for a long time anyway).

              Also sees what gQuigs says / links to (although this can be used & abused on systems without BIOS or UEFI too).
              Last edited by JanC; 10-20-2012, 01:41 PM.

              Comment


              • #8
                it more secure or to lock down appliances to prevent consumers to fiddle with em.

                Comment


                • #9
                  Originally posted by droidhacker View Post
                  What I would really like is a FORCE UNSIGNED option. If a module is signed, reject it because it was built by a stupid crackhead.

                  "signed" does not mean "safe".
                  But when properly used it does mean "as it was intended to be by the signatory"

                  What exactly is wrong with saying, this is who I am and this is the module I approved via cryptographic means?

                  Comment

                  Working...
                  X