
home-built kernels

Posted Jul 9, 2004 8:36 UTC (Fri) by keroami (subscriber, #6921)
Parent article: Cryptographic signatures on kernel modules

You would have to use a one-time GPG private key when building kernel+modules or the rootkit would use your private key, sign its module and load it.

That in turn means that `make modules` will have to rebuild the kernel. I can live with that :)

Similarly, distributions couldn't leave the private key on their systems; if they were compromised, many other systems could be loading mala fide modules again. Checking (on the network?) for a revoked GPG key seems to defeat the purpose of network modules; moreover, your whole kernel would be useless after revoking such a key.

Yet, if this can be used to prevent rootkits like adore to install themselves as invisibly as they can now, I'll start using it asap!



re: home-built kernels

Posted Jul 15, 2004 9:25 UTC (Thu) by and (subscriber, #2883)

> You would have to use a one-time GPG private key when building
> kernel+modules or the rootkit would use your private key, sign its
> module and load it.

not exactly: first of all the private key is normally protected by a
password (so the cracker has to circumvent this first) and second there is
no need to store the private key permanently on the system on which the
kernel is built.

the first point implies that you have to enter your password when running
'make modules'; the second argument means that you burn your key on CD and
only mount it when you need to rebuild some modules.

