> You would have to use a one-time GPG private key when building
> kernel+modules or the rootkit would use your private key, sign its
> module and load it.

Not exactly: first of all, the private key is normally protected by a
password (so the cracker has to circumvent this first), and second, there is
no need to store the private key permanently on the system on which the
kernel is built.

The first point implies that you have to enter your password when running
'make modules'; the second argument means that you burn your key on CD and
only mount it when you need to rebuild some modules.