Recent Features
| |||||||||||||
home-built kernelshome-built kernelsPosted Jul 9, 2004 8:36 UTC (Fri) by keroami (subscriber, #6921)Parent article: Cryptographic signatures on kernel modules You would have to use a one-time GPG private key when building kernel+modules or the rootkit would use your private key, sign its module and load it. That in turn means that `make modules` will have to rebuild the kernel I can live with that :) Similarly, distributions couldn't leave the private key on their systems; if they'd be compromised, many other systems could be loading malafide modules again. Checking (on the network?) for a revoked GPG key seems to defeat the purpose of network modules; moreover, your whole kernel would be useless after revoking such a key. Yet, if this can be used to prevent rootkits like adore to install themselves as invisibly as they can now, I'll start using it asap!
(Log in to post comments)
re: home-built kernels Posted Jul 15, 2004 9:25 UTC (Thu) by and (subscriber, #2883) [Link] > You would have to use a one-time GPG private key when building> kernel+modules or the rootkit would use your private key, sign its > module and load it. not exactly: first of all the private key is normally protected by a password (so the cracker has to circumvent this first) and second there is no need to store the private key permanently on the system on which the kernel is build. the first point implies that you have to enter your password when running 'make modules' the second argument means that you burn your key on CD and only mount it when you need to rebuild some modules.
|
|||||||||||||