On 1 Jul 2008, at 23:58, Dennis Clarke wrote:

> On Tue, Jul 1, 2008 at 9:40 PM, Mike Gerdts <[EMAIL PROTECTED]> wrote:
>> On Tue, Jul 1, 2008 at 11:53 AM, Dennis Clarke
>> <[EMAIL PROTECTED]> wrote:
>>> As a side note, and tangential to this discussion, I have long felt
>>> that we need an md5hash database in the system that would prevent this
>>> sort of hackery from taking place and making a change to a system
>>> state via some hacked up binary. Making a change to the kernel should
>>> be a strict no-no .. but it is possible.
>>
>> Excellent idea!
>>
>> $ elfsign verify /kernel/kmdb/sparcv9/genunix
>> elfsign: verification of /kernel/kmdb/sparcv9/genunix passed.
>
> # ls -lap /etc/crypto/certs
> total 20
> drwxr-xr-x 2 root sys  512 Apr 16 17:14 ./
> drwxr-xr-x 4 root sys  512 Apr 16 17:48 ../
> -rw-r--r-- 1 root sys 1194 Jan 21  2005 CA
> -rw-r--r-- 2 root sys 1761 Mar 12 04:12 SUNWObjectCA
> -rw-r--r-- 1 root sys 1665 Jan 21  2005 SUNW_SunOS_5.10
> -rw-r--r-- 1 root sys 1591 Aug  9  2007 SUNW_SunOS_5.11_Limited
> # elfsign verify -v /kernel/kmdb/sparcv9/genunix
> elfsign: verification of /kernel/kmdb/sparcv9/genunix passed.
> format: rsa_md5_sha1.
> signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
> #
>
> I'm not sure how that works but I can only guess that it does. If I
> hack up the kernel with a hex editor I don't see how GRUB ( on x86 )
> is going to catch that and stop the boot process.
If the x86 machine has a TPM then it should be catchable...
http://opensolaris.org/os/project/valex/ is the project you're after.

-Mark

_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
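An added example, not part of the thread above: a small audit helper that parses the `elfsign verify -v` output quoted in the exchange and reports kernel objects that did not verify, plus verified objects whose signature format still relies on MD5 (the `rsa_md5_sha1` format shown for genunix). It assumes `elfsign` is on PATH on a Solaris host and that a rejected object prints a "failed" line; the sample input below is constructed from the quoted output.

```python
import re
import subprocess
from dataclasses import dataclass

# Line shapes printed by `elfsign verify -v` on the page; the "failed" wording is an assumption.
PASS_RE = re.compile(r"^elfsign: verification of (?P<path>\S+) passed\.$")
FAIL_RE = re.compile(r"^elfsign: verification of (?P<path>\S+) failed")
FMT_RE = re.compile(r"^format: (?P<fmt>\S+)\.$")
SIGNER_RE = re.compile(r"^signer: (?P<signer>.+)$")

@dataclass
class Verdict:
    path: str
    passed: bool
    fmt: str = ""      # e.g. rsa_md5_sha1
    signer: str = ""   # subject DN of the signing certificate

def parse_elfsign_output(text: str, path: str) -> Verdict:
    """Parse one object's elfsign output. Fails closed: without an explicit
    'passed' line the object is reported as not verified."""
    v = Verdict(path=path, passed=False)
    for line in (raw.strip() for raw in text.splitlines()):
        if PASS_RE.match(line):
            v.passed = True
        elif FAIL_RE.match(line):
            v.passed = False
        elif m := FMT_RE.match(line):
            v.fmt = m["fmt"]
        elif m := SIGNER_RE.match(line):
            v.signer = m["signer"]
    return v

def verify_object(path: str) -> Verdict:
    """On a Solaris host: run elfsign (assumed on PATH) and parse its output."""
    proc = subprocess.run(["elfsign", "verify", "-v", path], capture_output=True, text=True)
    return parse_elfsign_output(proc.stdout + proc.stderr, path)

def audit(verdicts):
    """Return (objects that failed verification, verified objects whose signature format uses MD5)."""
    failed = [v.path for v in verdicts if not v.passed]
    weak = [v.path for v in verdicts if v.passed and "md5" in v.fmt.lower()]
    return failed, weak

# Constructed sample input: the genunix output quoted above, plus an invented failing object.
SAMPLE_OK = ("elfsign: verification of /kernel/kmdb/sparcv9/genunix passed.\n"
             "format: rsa_md5_sha1.\n"
             "signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.\n")
SAMPLE_BAD = "elfsign: verification of /kernel/genunix failed.\n"
```

Note that this only checks the on-disk signature from userland; as the thread points out, a modified kernel is only caught at boot when something earlier in the chain (such as TPM-based measured boot) verifies it.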
