On Fri, Jun 15, 2012 at 8:22 AM, Luca Barbato <lu_z...@gentoo.org> wrote:
> If we want to try to get serious on 5, we could try to gather the
> hardened/security people across distributions and set up the whole chain
> to be parallel and cut deals with OEM to store these trust-chain keys
> along with MS.
Perhaps. Since we're only talking about the kernel really, and that doesn't vary as much across distros, we might even be able to get momentum for it.

You could create a standard "secure kernel" - probably as a patch set initially, but perhaps merged into mainline with a config option that turns on key verification for loading modules. Anybody could use that to secure their own systems by using their own key in the configuration.

The central body could prepare and sign binaries for individual distros. A distro would supply a kernel config file, a patch set, and an identifier for the upstream kernel to build against. The central body would audit the patches and config for security, build the kernel, and sign it, assessing a fee perhaps (likely cheap for config-only, and expensive for extensive patches). The costs need not be all that high - if you assume that vanilla Linux with the config option turned on is good enough, then you only have to check that the option is set, blacklist "bad" settings, and verify patches. They could revoke certs when security issues are found, by keeping a history of what configs/versions got signed.

Users could load the signing key of this body into their custom settings, or OEMs could be persuaded to include it. The latter would never be 100% effective unless a court ordered it.

Rich
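The config-only audit Rich sketches (check the verification option is set, blacklist "bad" settings, keep a record of what got signed) as an added illustration, not code from the thread or from any distro: a small checker over a `.config` fragment. The required/blacklisted option names, the policy itself and the sample config are assumptions made for this example.

```python
import hashlib
import re

# Hypothetical policy for the example: options the audit requires and
# settings it refuses. Which symbols to require or forbid is an assumption.
REQUIRED = {"CONFIG_MODULE_SIG": "y", "CONFIG_MODULE_SIG_FORCE": "y"}
BLACKLISTED = {"CONFIG_DEVKMEM": "y", "CONFIG_MODULE_FORCE_LOAD": "y"}

# Constructed sample .config fragment (not taken from any real distro).
SAMPLE_CONFIG = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_MODULES=y
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_FORCE_LOAD=y
CONFIG_DEVKMEM=y
"""

_NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_config(text):
    """Parse .config text into {symbol: value}; '# X is not set' becomes 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _NOT_SET.match(line)
        if m:
            opts[m.group(1)] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            opts[key] = val.strip('"')
    return opts


def audit_config(text):
    """Return (ok, findings, digest) for one submitted config.

    The digest identifies exactly which config was audited, so the signing
    body can keep a history and later revoke the matching certificate.
    """
    opts = parse_config(text)
    findings = []
    for sym, want in REQUIRED.items():
        if opts.get(sym, "n") != want:
            findings.append(f"required {sym}={want}, found {opts.get(sym, 'n')}")
    for sym, bad in BLACKLISTED.items():
        if opts.get(sym) == bad:
            findings.append(f"blacklisted setting {sym}={bad} is enabled")
    digest = hashlib.sha256(text.encode()).hexdigest()
    return (not findings), findings, digest
```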