[arch-general] Signing kernel modules
Damjan Georgievski
gdamjan at gmail.com
Sat Jul 25 19:58:06 UTC 2015
Since some time ago, the Linux kernel has had support for
cryptographically signed
modules, i.e. the kernel can be configured to only load properly signed modules.
https://www.kernel.org/doc/Documentation/module-signing.txt
I wouldn't go to lengths explaining the benefits of it, I was just
wondering if Arch has the
infrastructure to sign the modules - since developers already sign the
kernel package itself [*],
and in that sense we (the users) already trust them to that level.
I'm not suggesting that CONFIG_MODULE_SIG_FORCE is enabled by default
- that would break 3rd party modules, but people could optionally use
the "enforcemodulesig=1" kernel command line option if they want to.
Thoughts?
[*]
though packages are gpg signed, and modules use x.509
--
damjan
More information about the arch-general
mailing list